
Jun 17

PowerCLI: Create vCenter Role and Assign User Permissions

Enjoyed SimpliVity SA new hire training over the last week and a half. Enjoyed the time with the SimpliVity team, still a lot to learn. Great company, cool tech, awesome folks.

Without going too deep, part of a SimpliVity deployment is preparing the VMware environment. That preparation includes creating a Role with the necessary Privileges and setting up the required permission in vCenter for the SimpliVity user. This is easy enough to do by hand, but I created a PowerCLI script which creates the Role, applies the required Privileges to it, and assigns the Role to a user as a permission in vCenter.

Even though I created this script specifically around the SimpliVity user requirements, with a few simple adjustments it could be used to automate the creation of any Role and Permission.

The PowerCLI script takes three parameters, -vCenter, -Username and -Domain: the vCenter Server FQDN or IP address, the username, and the authentication domain of the user the role is assigned to. All three are required.

Usage:
Create_SimpliVity_Role.ps1 -vCenter vCenterFQDNorIP -Username Username -Domain AuthenticationDomain

For example:
Create_SimpliVity_Role.ps1 -vCenter vcenter.homelab.local -Username svtuser -Domain homelab


The script is included below and is also available on GitHub – PowerCLI-Scripts – SVT.

The variable $SimpliVity_Role is set to SimpliVity, which is the SimpliVity best-practice role name. If you are using the script for a different purpose and want to change the Role name, just update this value. The variable $SimpliVity_Privileges contains the privileges specifically required for the SimpliVity user. Again, if you are using this for a different purpose and need to add or remove privileges, do that here.

Walking through the script, first it gets the parameters passed from the command line and checks to make sure they were all provided. The script does not create the user so the user passed to the script must exist in the domain, which is also passed to the script.

The script then connects to vCenter. There will be a prompt for a username and password. This will need to be a user who has the proper permissions to add a role and create a permission.

The $SimpliVity_Role is then created with the $SimpliVity_Privileges. Next a permission is created on the vCenter root object for $SimpliVity_User, which is formed from the $Username and $Domain passed as command line parameters, using the $SimpliVity_Role.

Finally, the script disconnects from the vCenter server.

#
# PowerCLI script to create the SimpliVity Role which includes the required privileges
# and assign the SimpliVity Service Account to that Role
# Usage: Create_SimpliVity_Role.ps1 -vCenter vCenterFQDNorIP -Username ServiceAccountName -Domain AuthenticationDomain

# Get Commandline Parameters - All are required
param(
 [string]$vCenter,
 [string]$Username,
 [string]$Domain
)

clear-host

$usage = "Create_SimpliVity_Role.ps1 -vCenter vCenterFQDNorIP -Username SimpliVityServiceAccountName -Domain AuthenticationDomain"
$example = 'Create_SimpliVity_Role.ps1 -vCenter "vcenter.acme.local" -Username svtuser -Domain acme'

Write-Host "PowerCLI script to create SimpliVity Role which includes required privileges and assigns the SimpliVity Service Account to Role" -ForeGroundColor Cyan

if ( !$vCenter -or !$Username -or !$Domain ) {
  write-host `n `n"Missing Required Parameter - vCenter, Username, and Domain are required." `n -ForeGroundColor Red
  write-host "Usage: $usage" `n
  write-host "Example: $example" `n
  exit
}

$vCenterFQDN = $vCenter

# SimpliVity Service Account User
# The SimpliVity User account is a non-login, privileged, vCenter Server account that you specify during deployment. OmniCube uses this account to execute privileged tasks.
# The script does not create this account; it must already exist in the domain.
$SimpliVity_User = "$Domain\$Username"

# SimpliVity Role Name (change this value to create a differently named role)
$SimpliVity_Role = "SimpliVity"

# Privileges to assign to the role (add or remove entries here for other purposes)
# See the SimpliVity OmniCube Administrators Guide for Required Permissions
$SimpliVity_Privileges = @(
'Alarm.Create',
'Alarm.DisableActions',
'Alarm.Edit',
'Alarm.SetStatus',
'Alarm.Delete',
'Extension.Register',
'Extension.Update',
'Extension.Unregister',
'Global.Health',
'Global.LogEvent',
'Global.ManageCustomFields',
'Global.SetCustomField',
'Global.Diagnostics',
'Host.Cim.CimInteraction',
'Task.Create',
'Task.Update',
'VApp.AssignVApp',
'VApp.Unregister',
'VApp.ApplicationConfig',
'VirtualMachine.Config.ManagedBy',
'VirtualMachine.Config.Settings',
'VirtualMachine.State.RemoveSnapshot',
'VirtualMachine.State.CreateSnapshot')

# Connect to vCenter; the cmdlet prompts for credentials. Stop on failure so the
# role and permission steps are not attempted without a session.
Write-Host "Connecting to vCenter at $vCenterFQDN"`n -ForeGroundColor Cyan
Connect-VIServer $vCenterFQDN -ErrorAction Stop | Out-Null

# Create the role with exactly the privileges listed above
Write-Host "Create New $SimpliVity_Role Role"`n -ForeGroundColor Cyan
New-VIRole -Name $SimpliVity_Role -Privilege (Get-VIPrivilege -Id $SimpliVity_Privileges) | Out-Null

Write-Host "Set Permissions for $SimpliVity_User using the new $SimpliVity_Role Role"`n -ForeGroundColor Cyan
# Get the Root Folder (the top-level vCenter object)
$rootFolder = Get-Folder -NoRecursion
# Create the Permission, propagating it to all child objects.
# Use the $SimpliVity_Role variable here so renaming the role above keeps the script consistent.
New-VIPermission -Entity $rootFolder -Principal $SimpliVity_User -Role $SimpliVity_Role -Propagate:$true | Out-Null

# Disconnect from the vCenter Server
Write-Host "Disconnecting from vCenter at $vCenterFQDN"`n -ForeGroundColor Cyan
Disconnect-VIServer $vCenterFQDN -Confirm:$false

# End

As I mentioned, the purpose of the script is to create the Role and Permission required for a SimpliVity deployment, but it could easily be adapted for any role and permission required.
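The script above assumes the role does not exist yet and never checks what the service account already holds; running it twice errors on New-VIRole, and a role someone edited by hand silently keeps whatever extra privileges it picked up. The following is an added example (not code from the original post or from SimpliVity) that reworks the role and permission steps to be re-runnable and to report drift from the documented privilege list. It assumes a session already opened with Connect-VIServer, that the role object returned by Get-VIRole exposes its privilege IDs in its PrivilegeList property, and that Get-VIPermission accepts the principal by name; the sample role, principal and shortened privilege list are constructed placeholders standing in for the script's own variables.

```powershell
# Added example: idempotent create-or-reconcile of the SimpliVity role and permission.
# Sample values below are constructed; the real script supplies $SimpliVity_Role,
# $SimpliVity_Privileges and $SimpliVity_User.
$SimpliVity_Role       = 'SimpliVity'
$SimpliVity_User       = 'homelab\svtuser'                                  # constructed sample principal
$SimpliVity_Privileges = @('Alarm.Create', 'Global.Health', 'Task.Create')  # shortened sample list

function Get-RoleDrift {
    # Returns $null when the role is absent; otherwise the role plus the privileges
    # it is missing and the privileges it carries beyond the expected list.
    param([string]$RoleName, [string[]]$ExpectedPrivileges)
    $role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
    if (-not $role) { return $null }
    [pscustomobject]@{
        Role    = $role
        Missing = @($ExpectedPrivileges | Where-Object { $_ -notin $role.PrivilegeList })
        Extra   = @($role.PrivilegeList   | Where-Object { $_ -notin $ExpectedPrivileges })
    }
}

function Set-ExpectedRole {
    param([string]$RoleName, [string[]]$ExpectedPrivileges)
    $drift = Get-RoleDrift -RoleName $RoleName -ExpectedPrivileges $ExpectedPrivileges
    if (-not $drift) {
        New-VIRole -Name $RoleName -Privilege (Get-VIPrivilege -Id $ExpectedPrivileges) | Out-Null
        Write-Host "Created role '$RoleName'"
        return
    }
    if ($drift.Missing.Count -gt 0) {
        # Add only what the documented list requires; nothing else on the role changes.
        Set-VIRole -Role $drift.Role -AddPrivilege (Get-VIPrivilege -Id $drift.Missing) | Out-Null
        Write-Host "Added missing privileges to '$RoleName': $($drift.Missing -join ', ')"
    }
    if ($drift.Extra.Count -gt 0) {
        # Report rather than silently strip hand-added privileges: an operator should
        # decide whether they belong on a role meant to be least-privilege.
        Write-Warning "Role '$RoleName' carries undocumented privileges: $($drift.Extra -join ', ')"
    }
}

function Set-ExpectedPermission {
    param([string]$Principal, [string]$RoleName)
    $root     = Get-Folder -NoRecursion
    $existing = @(Get-VIPermission -Entity $root -Principal $Principal -ErrorAction SilentlyContinue)
    $match    = $existing | Where-Object { $_.Role -eq $RoleName }
    if (-not $match) {
        New-VIPermission -Entity $root -Principal $Principal -Role $RoleName -Propagate:$true | Out-Null
        Write-Host "Granted '$RoleName' to '$Principal' at the vCenter root (propagating)"
    } elseif (-not $match.Propagate) {
        Write-Warning "'$Principal' holds '$RoleName' at the root but the permission does not propagate"
    }
    # Any other role the service account holds anywhere in the inventory is worth a look
    # (for example a leftover Administrator grant from a manual deployment).
    Get-VIPermission -Principal $Principal -ErrorAction SilentlyContinue |
        Where-Object { $_.Role -ne $RoleName } |
        ForEach-Object { Write-Warning "'$Principal' also holds '$($_.Role)' on '$($_.Entity.Name)'" }
}

Set-ExpectedRole       -RoleName $SimpliVity_Role  -ExpectedPrivileges $SimpliVity_Privileges
Set-ExpectedPermission -Principal $SimpliVity_User -RoleName $SimpliVity_Role
```

Run it in place of the New-VIRole and New-VIPermission lines once connected. The deliberate choice is to add missing privileges but only warn about extra ones: adding restores what the product documentation says it needs, while removing could break a role someone extended on purpose, so that decision stays with the operator.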

Find the script on GitHub – PowerCLI-Scripts – SVT.

Hope you find this useful. Comments and questions always welcome.

About the author

vHersey

Hersey Cartwright is an IT professional with extensive experience designing, implementing, managing, and supporting technologies that improve business processes. Hersey is Solutions Architect for SimpliVity covering Virginia, Washington DC, and Maryland. He holds the VMware Certified Design Expert (VCDX-DV #128) certification. Hersey actively participates in the VMware community and was awarded the VMware vExpert title in 2016, 2015, 2014, 2013, and 2012. He enjoys working with, teaching, and writing about virtualization and other data center technologies. Follow Hersey on Twitter @herseyc

2 comments

  1. Mathieu Buisson

    Regarding the handling of the required parameters, there is an important rule in scripting :
    Don’t try to do yourself what Powershell can do for you.

    And Powershell can do so much for you…

    To make a parameter mandatory, just add : [Parameter(Mandatory=$true)] just before the parameter declaration.

    To display a message explaining how to use the mandatory parameter , you can add a HelpMessage attribute to your parameter, for example :

    param(
    [Parameter(Mandatory=$true, HelpMessage="Name or IP address of the vCenter")]
    [string]$vCenter,
    [Parameter(Mandatory=$true, HelpMessage="Name of the Simplivity service account")]
    [string]$Username,
    [Parameter(Mandatory=$true, HelpMessage="Domain of the Simplivity service account")]
    [string]$Domain
    )

    1. vHersey

      Mathieu,

      Nice, thanks for the tip!

      Hersey
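Building on the tip in the comment above, here is an added example (not from the post or the commenter) of the script's parameter block using PowerShell's own validation attributes so that bad input is rejected before anything touches vCenter. Beyond Mandatory and HelpMessage it assumes two things not on the page: a ValidatePattern on the username and domain so that a value such as "acme\svtuser" cannot be smuggled into one parameter and produce an unintended principal string, and an optional PSCredential parameter so the script can be run non-interactively without putting a password on the command line.

```powershell
# Added example: parameter block with built-in validation. The regexes are assumptions
# about what a sane account name and domain look like; adjust them to your naming rules.
param(
    [Parameter(Mandatory = $true, HelpMessage = 'vCenter Server FQDN or IP address')]
    [ValidateNotNullOrEmpty()]
    [string]$vCenter,

    [Parameter(Mandatory = $true, HelpMessage = 'Name of the SimpliVity service account (no domain prefix)')]
    [ValidatePattern('^[^\\/@\s]+$')]        # no backslash, slash, @ or whitespace
    [string]$Username,

    [Parameter(Mandatory = $true, HelpMessage = 'Authentication domain of the service account')]
    [ValidatePattern('^[A-Za-z0-9.\-]+$')]   # DNS or NetBIOS style name only
    [string]$Domain,

    # Optional: supply credentials (for example from Get-Credential) to skip the
    # interactive Connect-VIServer prompt; omit it and the prompt appears as before.
    [System.Management.Automation.PSCredential]$Credential
)

# With the attributes above, PowerShell has already refused empty or malformed
# values, so the manual if (!$vCenter ...) check from the script is no longer needed.
$SimpliVity_User = "$Domain\$Username"

$connectParams = @{ Server = $vCenter; ErrorAction = 'Stop' }
if ($Credential) { $connectParams.Credential = $Credential }
Connect-VIServer @connectParams | Out-Null
Write-Host "Connected to $vCenter; will assign the role to $SimpliVity_User"
```

When a mandatory parameter is omitted, PowerShell prompts for it and the HelpMessage text is shown when the user enters !? at that prompt; a value failing ValidatePattern stops the script with a parameter-binding error before Connect-VIServer runs.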
