So you can easily add users with the useradd command we talked about. But there's still a problem: you can't assign roles to the user you're creating. You still need the VirtualCenter client to do that. My colleague Horst Mundt read my post and was so kind to email me a PowerShell script he created that can assign a role to a specific user or group for you:
```powershell
# Connect to the ESX host (not VirtualCenter): the permission is set directly on the host
$VCimpl = Get-VIServer -Server 192.168.116.201 -User root -Password <...>
# Force load of the VMware.Vim assembly so the VMware.Vim.* types below resolve
[Reflection.Assembly]::LoadWithPartialName("vmware.vim")
# Edit hostname below
$hostname = "esx302.hm.local"
# The name of the role to be assigned
$roleLabel = "Read-Only"
#$roleLabel = "Administrator"
# The name of the principal (user or group) that the role is assigned to
$principal = "GroupX"
# Set to $false if the principal is a user, not a group
$principalIsGroup = $true
# Propagate the permission to child entities (e.g. the VMs on the host)
$propagateToSubEntities = $true

# Get the ServiceInstance and from it the AuthorizationManager, which owns roles and permissions
$svcRef = New-Object VMware.Vim.ManagedObjectReference
$svcRef.Type = "ServiceInstance"
$svcRef.Value = "ServiceInstance"
$serviceInstance = Get-View $svcRef
$authMgr = Get-View $serviceInstance.Content.AuthorizationManager

# The permission is applied to the host's parent (the compute resource), not to the host object itself
$hahost = Get-View (Get-VMHost -Name $hostname).ID
$compResource = $hahost.Parent
$oldperms = $authMgr.RetrieveEntityPermissions($hahost.MoRef, $true)

# Look up the RoleId that belongs to the role label
$roles = $authMgr.RoleList
$roleid = 0
$found = $false
for ($i = 0; $i -lt $roles.Length; $i++)
{
    $role = $roles[$i]
    if ($role.Info.Label -eq $roleLabel)
    {
        $roleid = $role.RoleId
        $found = $true
    }
}
if ($found -eq $false)
{
    echo ("Role not found: " + $roleLabel)
    exit 1
}

# Build the permission and apply it
$permission = New-Object VMware.Vim.Permission
$permission.Group = $principalIsGroup
$permission.Principal = $principal
$permission.Propagate = $propagateToSubEntities
$permission.RoleId = $roleid
$authMgr.SetEntityPermissions($compResource, @($permission))
```
The script has been tested on ESX 3.0.2. I did not have the opportunity to test it myself, by the way… So if anyone can test it against ESX 3.5, let us know what the results are!
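As an added example (not part of the post and not Horst's script), the same AuthorizationManager calls can be used to first audit what is already granted on the host's compute resource, flag Administrator grants to groups, and only write a new permission when the principal does not already hold the requested role. It assumes an open Get-VIServer/Connect-VIServer session and the VMware.Vim assembly already loaded as in the script above; the host name, principal and role label are sample values.

```powershell
# Sample values (constructed); adjust to your environment
$hostname  = "esx302.hm.local"
$principal = "GroupX"
$roleLabel = "Read-Only"

# Reach the AuthorizationManager through the ServiceInstance, as in the script above
$svcRef = New-Object VMware.Vim.ManagedObjectReference
$svcRef.Type = "ServiceInstance"
$svcRef.Value = "ServiceInstance"
$authMgr = Get-View (Get-View $svcRef).Content.AuthorizationManager

# RoleId -> role lookup. RoleList carries both the internal Name ("Admin", "ReadOnly")
# and the UI label ("Administrator", "Read-Only").
$rolesById = @{}
foreach ($r in $authMgr.RoleList) { $rolesById[$r.RoleId] = $r }

# The entity the permission lives on is the host's parent compute resource
$entity = (Get-View (Get-VMHost -Name $hostname).ID).Parent

# 1. Audit: list every permission on the entity (inherited ones included)
#    and mark grants of the Administrator role to groups for review.
$perms = $authMgr.RetrieveEntityPermissions($entity, $true)
foreach ($p in $perms) {
    $role = $rolesById[$p.RoleId]
    $kind = "user"
    if ($p.Group) { $kind = "group" }
    $line = "{0,-30} {1,-6} {2,-12} propagate={3}" -f $p.Principal, $kind, $role.Name, $p.Propagate
    if ($role.Name -eq "Admin" -and $p.Group) { $line += "   <-- Admin granted to a group, review" }
    Write-Output $line
}

# 2. Idempotent assignment: only call SetEntityPermissions when the principal
#    does not already hold the requested role on this exact entity.
$wanted = $authMgr.RoleList | Where-Object { $_.Info.Label -eq $roleLabel }
if (-not $wanted) { throw "Role not found: $roleLabel" }
$existing = $perms | Where-Object { $_.Principal -eq $principal -and $_.Entity.Value -eq $entity.Value }
if ($existing -and $existing.RoleId -eq $wanted.RoleId) {
    Write-Output "$principal already holds $roleLabel on $($entity.Value); nothing to do"
} else {
    $perm = New-Object VMware.Vim.Permission
    $perm.Principal = $principal
    $perm.Group     = $true
    $perm.RoleId    = $wanted.RoleId
    $perm.Propagate = $true
    $authMgr.SetEntityPermissions($entity, @($perm))
}
```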
A bit more than a month ago there was a thread on this subject in the VMware VI Toolkit community. See http://communities-origin.vmware.com/message/1052259#1052259.
In the thread several aspects of the “roles” and “permissions” are discussed.
The scripts I posted there were all tested on VC 2.5/ESX 3.5.
To get the RoleID you can use this code:
```powershell
$roleName = "Admin"
$roleid = ($AuthMgr.RoleList | where {$_.Name -eq $roleName}).RoleId
```
That cleans the code up 😉