WilliamLam.com

  • About
    • About
    • Privacy
  • VMware Cloud Foundation
  • VKS
  • Homelab
    • Resources
    • Nested Virtualization
  • VMware Nostalgia
  • Apple

Quick Tip - Audit vCenter Server Role & Permission Usage

02.26.2025 by William Lam // 2 Comments

vCenter Server ships out of the box a number of system and custom roles, which can be used or users can create their own custom roles containing the required privileges. If you wanted to understand which roles are actively being used, the following PowerCLI snippet can help provide insights to roles that have been assigned. Furthermore, the script will also output to a file, that contains all he privileges defined for the vCenter Roles that are in active use.

$roles = Get-VIRole
$permissions = Get-VIPermission

$results = @{}
foreach ($permission in $permissions) {
    $role = $permission.Role
    if($results.ContainsKey($role)) {
        $results[$role]+=1
    } else {
        $results[$role]=1
    }
}

Write-Host "`nTotal Roles: $($roles.count)"
Write-Host "Total Roles Used: $($results.count)"
Write-Host "Role Usage:"

$results.GetEnumerator() | Sort-Object -Property Value -Descending

$outfile = "used-roles.txt"
foreach ($key in $results.keys) {
    $role = Get-VIRole $key
    if(!$role.IsSystem) {
        $key | Out-File -Append -LiteralPath $outfile
        "=========================================================" | Out-File -Append -FilePath $outfile
        $role.ExtensionData.Privilege | Out-File -Append -LiteralPath $outfile
        "" | Out-File -Append -LiteralPath $outfile
    }
}

Here is an example output of running the script:


Here is an example output from used-roles.txt file that is generated, which contains the list of privileges for each role that is in use:

Categories // Automation, PowerCLI, vSphere Tags // permission, vCenter Server

Exploring the new vSphere Privilege Recorder in vSphere 8.0 Update 1

09.13.2023 by William Lam // 3 Comments

Determining the minimum vSphere privileges that is required to perform a given vSphere operation (UI/API) has been a huge customer challenge to say the least. Strategies have included guessing along with trial and error by creating a custom vSphere Role and slowly removing privileges until you have identified the minimum required privileges. If you are familiar with the vSphere API and know exactly which API methods and properties are consumed, then you can use the vSphere API Reference since every method and property includes the specific privilege required in the documentation, but this method is pretty tedious and time consuming.

If only we had a way to record all the vSphere privilege that was used for a specific set of operation(s) in vCenter Server ... 🤔

Apparently I missed the initial news, but this was actually one of the new features that was introduced in vSphere 8.0 Update 1 called the vSphere Privilege Recorder! 😆

UPDATE (07/25/24) - Looks like the PowerCLI team has productized this capability with a new cmdlet introduced in PowerCLI 13.3 called Get-VIPrivilegeReport

[Read more...]

Categories // Automation, PowerCLI, vSphere 8.0 Tags // permission, PowerCLI, privilege, vSphere 8.0 Update 1

Monitoring vSphere account password & permission changes 

11.01.2021 by William Lam // Leave a Comment

If it is not clear by now, I REALLY love the power of vSphere Events and all the use cases it can enable, especially when used with our VMware Event Broker Appliance (VEBA) solution to enable easy Event-Driven Automation.

Over the past month or so, I have noticed a series of questions from our field and customers across a number of topics pertaining to vSphere accounts including vSphere Single Sign-On (SSO) users. My response to each of these questions all point back to a leveraging specific vSphere Events and I thought I share some of use cases in which vSphere Events can help

  • When was the last time a vSphere SSO user (e.g. *protected email*) password was changed?
  • How much time left (expiry) before the vSphere SSO user password must be changed?
  • Audit of all password changes for an vSphere SSO user (e.g. *protected email*)?
  • Who recently updated the password for a vSphere SSO user (e.g. *protected email*)?
  • When was the last time a vSphere SSO user (e.g. *protected email*) password was reseted?
  • Who recently added new permission to a vSphere user?
  • Who recently removed a permission from a vSphere user?
  • Who recently updated vSphere Role with additional permissions?
  • Who recently updated vSphere Role and removed permissions?

[Read more...]

Categories // Automation, vSphere Tags // global permission, password, permission, VMware Event Broker Appliance

  • 1
  • 2
  • 3
  • Next Page »

Search

Thank Author

Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.

Connect

  • Bluesky
  • Email
  • GitHub
  • LinkedIn
  • Mastodon
  • Reddit
  • RSS
  • Twitter
  • Vimeo

Recent

  • VMware Flings is now available in Free Downloads of Broadcom Support Portal (BSP) 05/19/2025
  • VMUG Connect 2025 - Minimal VMware Cloud Foundation (VCF) 5.x in a Box  05/15/2025
  • Programmatically accessing the Broadcom Compatibility Guide (BCG) 05/06/2025
  • Quick Tip - Validating Broadcom Download Token  05/01/2025
  • Supported chipsets for the USB Network Native Driver for ESXi Fling 04/23/2025

Advertisment

Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy

Copyright WilliamLam.com © 2025

 

Loading Comments...