So you can easily add users with the useradd command we talked about. But there’s still a problem: you can’t add user roles to the user you’re creating. You still need the VirtualCenter client to do that. My colleague Horst Mundt read my post and was kind enough to email me a PowerShell script he created that can add roles to specific users or groups for you:
$VCimpl = Get-VIServer -Server 192.168.116.201 -User root -Password <...>
# Note: Server is an ESX host, not VC

# Force load
[Reflection.Assembly]::LoadWithPartialName("vmware.vim")

# Edit hostname below
$hostname = "esx302.hm.local"

# The name of the role to be assigned
$roleLabel="Read-Only"
#$roleLabel="Administrator"

#The name of the principal (user or group) that the role is assigned to
$principal="GroupX"

# set to false if principal is a user , not a group
$principalIsGroup = $true
$propagateToSubEntities = $true

$svcRef = new-object VMware.Vim.ManagedObjectReference
$svcRef.Type = "ServiceInstance"
$svcRef.Value = "ServiceInstance"
$serviceInstance = get-view $svcRef

$authMgr = Get-View $serviceInstance.Content.AuthorizationManager
$hahost = Get-View (Get-VMhost -Name $hostname).ID
$compResource = $hahost.Parent
$oldperms = $authMgr.retrieveEntityPermissions($hahost.MoRef, $true)

$roles = $authMgr.roleList
$roleid = 0
$found = $false
for ($i = 0 ; $i -lt $roles.Length ; $i++) {
    $role=$roles[$i]
    if ($role.Info.Label -eq $roleLabel) {
        $roleid = $role.RoleId
        $found = $true
    }
}
if ( $found -eq $false ) {
    echo ("Role not found: " + $roleLabel )
    exit 1
}

$permission = New-Object Vmware.Vim.Permission
$permission.group = $principalIsGroup
$permission.principal = $principal
$permission.propagate = $propagateToSubEntities
$permission.roleID = $roleid
$authmgr.SetEntityPermissions($compResource, @($permission))
The script has been tested on ESX 3.0.2. I did not have the opportunity to test it myself by the way… So if anyone can test it against ESX 3.5, let us know what the results are!
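A check to run after the assignment, as an added example that is not part of Horst's script or the VI Toolkit: it resolves each permission's role ID to its label and flags sensitive roles that propagate to child entities. `Resolve-Permission` is a hypothetical helper, the sample data is constructed, and it assumes PowerShell 3 or later for `[pscustomobject]`.

```powershell
# Added example: audit the permissions on an entity after a role assignment.
# Resolve-Permission is a hypothetical helper, not a VI Toolkit cmdlet.
function Resolve-Permission {
    param(
        [Parameter(Mandatory)] [object[]] $Permissions,  # objects with Principal, Group, RoleId, Propagate
        [Parameter(Mandatory)] [object[]] $Roles,        # objects with RoleId and Info.Label
        [string[]] $SensitiveLabels = @('Administrator') # role labels that deserve a second look
    )
    # Index roles by id so each permission resolves in one lookup.
    $labelById = @{}
    foreach ($r in $Roles) { $labelById[[int]$r.RoleId] = $r.Info.Label }

    foreach ($p in $Permissions) {
        $id    = [int]$p.RoleId
        $label = if ($labelById.ContainsKey($id)) { $labelById[$id] } else { '<unknown role>' }
        [pscustomobject]@{
            Principal = $p.Principal
            IsGroup   = [bool]$p.Group
            Role      = $label
            Propagate = [bool]$p.Propagate
            # Flag a sensitive role that is also inherited by child entities.
            Review    = ($SensitiveLabels -contains $label) -and [bool]$p.Propagate
        }
    }
}

# Constructed sample data standing in for live results; the role ids are made up.
$sampleRoles = @(
    [pscustomobject]@{ RoleId = 101; Info = [pscustomobject]@{ Label = 'Administrator' } },
    [pscustomobject]@{ RoleId = 102; Info = [pscustomobject]@{ Label = 'Read-Only' } }
)
$samplePerms = @(
    [pscustomobject]@{ Principal = 'root';    Group = $false; RoleId = 101; Propagate = $true },
    [pscustomobject]@{ Principal = 'GroupX';  Group = $true;  RoleId = 102; Propagate = $true },
    [pscustomobject]@{ Principal = 'olduser'; Group = $false; RoleId = 999; Propagate = $false }
)

# Only the 'root' row comes back with Review = True; 'olduser' shows '<unknown role>'.
Resolve-Permission -Permissions $samplePerms -Roles $sampleRoles | Format-Table -AutoSize

# Against a live host, with $authMgr and $compResource as set up in the script above:
#   $perms = $authMgr.RetrieveEntityPermissions($compResource, $true)
#   Resolve-Permission -Permissions $perms -Roles $authMgr.RoleList
```

The script sets the permission on `$compResource` but reads `$oldperms` from `$hahost.MoRef`, so the live call here queries `$compResource` to see the entry that was actually written.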
LucD says
A bit more than a month ago there was a thread on this subject in the VMware VI Toolkit community. See http://communities-origin.vmware.com/message/1052259#1052259.
In the thread several aspects of the “roles” and “permissions” are discussed.
The scripts I posted there were all tested on VC 2.5/ESX 3.5.
Alexander Grümmer says
To get the RoleID you can use this code:
$roleName = "Admin"
$roleid = ($AuthMgr.RoleList | where {$_.Name -eq $roleName}).RoleId
That cleans the code up 😉