PowerCLI Roles and Privileges

2018/05/28 | 7 minute read |

How to manage roles and permissions in a vSphere 6.x environment.

In a VMware vSphere environment, you might want to give certain permissions to users or administrators who are not part of the vSphere administrators' team so that they can perform specific tasks. For example, you might want to give the administrators of a server the permission to power that server on and off. You don't want to give these administrators all of the privileges in your environment, because then you would lose control over it. There are many privileges you can give to somebody, and you probably want to give only a few. If you assigned privileges to users directly, it would be hard to see who has which privileges; roles and group-based permissions keep that visible.

To begin, open a PowerCLI session and connect to a vCenter server. You will take the existing folder structure and give Active Directory groups access to these resources using the predefined roles in VMware vSphere. This assumes that your VMware SSO is configured to allow Active Directory authentication. You will take an Active Directory group called IT Admins and delegate access to the entire Primary datacenter. You will take the Developers group and delegate operator access to them on the Developpement folder in vCenter.

1. Predefined Roles

1.1 List predefined roles

Get-VIRole | Select Name, Description
PS C:\Users\JM2K69> Get-VIRole | Select Name, Description

Name                                  Description
----                                  -----------
NoCryptoAdmin                         Full access without Cryptographic operations privileges
NoAccess                              Used for restricting granted access
Anonymous                             Not logged-in user (cannot be granted)
View                                  Visibility access (cannot be granted)
ReadOnly                              See details of objects, but not make changes
Admin                                 Full access rights
VirtualMachinePowerUser               Provides virtual machine interaction and configuration permissions
VirtualMachineUser                    Provides virtual machine interaction permissions
ResourcePoolAdministrator             Supports delegated resource management
VMwareConsolidatedBackupUser          Used by the Consolidated Backup utility
DatastoreConsumer                     Assigned to datastores to allow creating disks or snapshots
NetworkConsumer                       Assigned to networks to allow association of virtual machines or hosts with networks
VirtualMachineConsoleUser             Provides virtual machine console interaction permissions. This role is required for VMRC sessions. Exercise...
AutoUpdateUser                        AutoUpdateUser
InventoryService.Tagging.TaggingAdmin InventoryService.Tagging.TaggingAdmin
com.vmware.Content.Admin              Provides full access to Content Library service

This command lists all predefined roles in your VMware vSphere infrastructure.

1.2 Assign a Role to an Active Directory Group

To do this, you will use the New-VIPermission cmdlet. This cmdlet requires an Entity on which the permission is applied, a Principal that represents the user or group, and the desired Role. For the first cmdlet, you will grant the Admin role on the root datacenter to the IT Admins group, which has the principal name JM2K69\IT Admins:

New-VIPermission -Entity (Get-Datacenter "Datacenter") -Principal "JM2K69\IT Admins" -Role Admin

1.3 Assign a Permission to the Developers Group

Using the same format with another New-VIPermission cmdlet, you can now grant the Developers group operator access as VirtualMachineUser on the Developpement folder. You will use the Get-Folder cmdlet to set the entity (the location where the permission applies):

New-VIPermission -Entity (Get-Folder "Developpement") -Principal "JM2K69\Developers" -Role VirtualMachineUser
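As an added example (not part of the original post), a short audit that reads the permissions back with Get-VIPermission and flags anything that differs from the two delegations above, including an Admin role granted directly to a user rather than a group. The expected-assignment table and the VSPHERE.LOCAL\Administrator account name are assumptions.

```powershell
# Added example, not from the original post. Assumes an open Connect-VIServer session.
# Expected delegations, taken from the two New-VIPermission calls above.
# The VSPHERE.LOCAL\Administrator entry is an assumption about the SSO admin account name.
$expected = @{
    'JM2K69\IT Admins'            = 'Admin'
    'JM2K69\Developers'           = 'VirtualMachineUser'
    'VSPHERE.LOCAL\Administrator' = 'Admin'
}

function Get-PermissionDrift {
    param([hashtable]$Expected)
    # Get-VIPermission with no -Entity returns every permission in the inventory.
    Get-VIPermission | ForEach-Object {
        $wanted = $Expected[$_.Principal]
        $finding = if ($wanted -and $wanted -eq $_.Role) { 'ok' }
                   elseif ($wanted) { "role is $($_.Role), expected $wanted" }
                   elseif ($_.Role -eq 'Admin' -and -not $_.IsGroup) { 'Admin granted directly to a user' }
                   else { 'principal not in expected list' }
        [pscustomobject]@{
            Entity    = $_.Entity.Name
            Principal = $_.Principal
            Role      = $_.Role
            IsGroup   = $_.IsGroup
            Propagate = $_.Propagate
            Finding   = $finding
        }
    }
}

# Show only the entries that need a second look.
Get-PermissionDrift -Expected $expected |
    Where-Object { $_.Finding -ne 'ok' } |
    Format-Table -AutoSize
```

Run it after each change to permissions; an empty table means the inventory still matches the intended delegation.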

All privileges are organised into privilege groups (and roles bundle privileges). With PowerCLI you can list the privilege groups:

Get-VIPrivilege | select -Property ParentGroupId -Unique

The output of the preceding command is too long to reproduce here.

2. Create a custom role

In the vSphere Web Client or the HTML5 web client you can create a custom role in the view Administration => Access Control => Roles.

Then you create a new role and add privileges by category and by object type.

The Virtual Machine object type has several subcategories of privileges; the next sections show how to find them with PowerCLI so that you can build your custom role.

2.1 Cmdlet Get-VIPrivilege

The Get-VIPrivilege cmdlet lists them.

PS C:\Users\JM2K69> Get-VIPrivilege

Name                                Description                                        Server
----                                -----------                                        ------
Anonymous                           The only privilege held by sessions which have ...
View                                Visibility without read access to an entity. Th...
Read                                Grants read access to an entity          
Manage custom attributes            Add, remove, and rename custom attribute defini...
Set custom attribute                Set the value of a custom attribute on an object
Log event                           Log a user-defined event on an object    
Cancel task                         Cancel a running task                    
Licenses                            Manage licenses                          
Diagnostics                         Export diagnostic data                   
Settings                            Edit global settings                     
Act as vCenter Server               Act as the vCenter Server                
Capacity planning                   Discover and convert physical host to virtual m...
Script action                       Schedule an external script action       
Proxy                               Add or remove endpoints to or from the proxy
Disable methods                     Operations are disabled in vCenter       
Enable methods                      Operations are enabled in vCenter        
Service managers                    Access the directory service             
Health                              Access the health of vCenter group       
System tag                          Add or remove system tag                 
Global tag                          Add or remove global tag                 
Create folder                       Create folder                            
Delete folder                       Delete folder                            
Rename folder                       Rename folder                            
Move folder                         Move folder                              
Create datacenter                   Create a datacenter                      
Remove datacenter                   Remove a datacenter                      
Rename datacenter                   Rename a datacenter                      
Move datacenter                     Move a datacenter                        
Network protocol profile configu... Configure a network protocol profile on a datac...
Release IP allocation               Release IP allocation on a network protocol pro...
Query IP pool allocation            Query IP pool allocation on a network protocol ...
Reconfigure datacenter              Reconfigure a datacenter                 
Rename datastore                    Rename a datastore                       
Move datastore                      Move a datastore                         
Remove datastore                    Remove a datastore from the datacenter   

The output is too long because this cmdlet lists every privilege, so we need to apply a filter.

2.1.1 List ParentGroupId

All privileges are grouped; you can list the groups with this filter:

PS C:\Users\JM2K69> Get-VIPrivilege | select -Property ParentGroupId -Unique

The output is too long, so it is cut here.

We can see that for the VirtualMachine object we have eight subcategories.

2.1.2 List Privilege by ParentGroupId

With the Get-VIPrivilege cmdlet and the parameter -Id VirtualMachine.Interact.*, you list all privileges for interacting with a virtual machine.

PS C:\Users\JM2K69> Get-VIPrivilege -Id VirtualMachine.Interact.*

Name                                Description                                        Server
----                                -----------                                        ------
Power on                            Power on or resume a virtual machine     
Power off                           Power off a virtual machine              
Suspend                             Suspend a virtual machine                
Reset                               Reset (power cycle) a virtual machine    
Pause or Unpause                    Pause or unpause a virtual machine       
Answer question                     Answer a virtual machine run-time question
Console interaction                 Interact with the virtual machine console
Connect devices                     Connect/disconnect media and network devices
Configure CD media                  Configure a different media for virtual CD-ROMs
Configure floppy media              Configure a different media for virtual floppies
Install VMware Tools                Install VMware Tools (or mount/unmount the tool...
Guest operating system managemen... Perform management operations within the guest ...
Defragment all disks                Defragment all disks on the virtual machine
Turn on Fault Tolerance             Turn on Fault Tolerance for this virtual machine
Turn off Fault Tolerance            Turn off Fault Tolerance for this virtual machine
Test failover                       Make the Secondary VM the Primary VM     
Test restart Secondary VM           Terminate the Secondary VM               
Suspend Fault Tolerance             Suspend Fault Tolerance for this virtual machine
Resume Fault Tolerance              Resume Fault Tolerance for this virtual machine
Record session on virtual machine   Record session on a virtual machine      
Replay session on virtual machine   Replay session on a virtual machine      
Backup operation on virtual machine Backup operations on a virtual machine   
Create screenshot                   Create a screenshot                      
Inject USB HID scan codes           Inject a sequence of USB HID scan codes into th...
Perform wipe or shrink operations   Perform wipe or shrink operations on Flex-SE disks
Drag and drop                       Drag files between a virtual machine and a remo...

2.2 Create the role

For example, if you want to create a custom role named JM2K69_Role with privileges to power the virtual machine on and off, add a new disk, and configure advanced settings, the PowerCLI command used to create this custom vCenter Server role would look like this:

New-VIRole -Name JM2K69_Role -Privilege (Get-VIPrivilege -Id VirtualMachine.Interact.PowerOn,VirtualMachine.Interact.PowerOff,VirtualMachine.Config.AddNewDisk,VirtualMachine.Config.AdvancedConfig)

The output will be:

PS C:\Users\JM2K69> New-VIRole -Name JM2K69_Role -Privilege (Get-VIPrivilege -Id VirtualMachine.Interact.PowerOn,VirtualMachine.Interact.PowerOff,Virtual

Name                      IsSystem
----                      --------
JM2K69_Role               False


And listing the roles with PowerCLI now shows the new role alongside the predefined ones:

PS C:\Users\JM2K69> Get-VIRole

Name                      IsSystem
----                      --------
NoCryptoAdmin             True
NoAccess                  True
Anonymous                 True
View                      True
ReadOnly                  True
Admin                     True
VirtualMachinePowerUser   False
VirtualMachineUser        False
ResourcePoolAdministrator False
VMwareConsolidatedBack... False
DatastoreConsumer         False
NetworkConsumer           False
VirtualMachineConsoleUser False
AutoUpdateUser            False
InventoryService.Taggi... False
JM2K69_Role               False
com.vmware.Content.Admin  False


With hundreds of privileges packaged with vCenter, it can be daunting to try to create custom roles. Some privileges that are not obviously required can prevent a custom role from having the desired access. One suggestion is to take an existing or default role and work from its privilege set, altering it for your needs. This is easily done by retrieving an existing privilege set and storing it in a variable; you can then pass this list of privileges into your new custom VIRole.
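One way to do that, as an added example that is not part of the original post: start from the built-in VirtualMachineUser role, drop two interaction privileges, add the two configuration privileges used for JM2K69_Role above, create the role from the result, and review the delta before scoping it to the Developpement folder. The derived role name and the choice of privileges to drop are assumptions for this example.

```powershell
# Added example, not from the original post. Assumes an open Connect-VIServer session.
# Start from a built-in role so the custom role inherits a known-good baseline.
$baseRole  = Get-VIRole -Name 'VirtualMachineUser'
$basePrivs = @(Get-VIPrivilege -Role $baseRole)

# Privilege ids to drop (console and device access) and to add (the two configuration
# privileges used for JM2K69_Role above). Which ids to drop is an assumption for this example.
$dropIds = @('VirtualMachine.Interact.ConsoleInteract', 'VirtualMachine.Interact.DeviceConnection')
$addIds  = @('VirtualMachine.Config.AddNewDisk', 'VirtualMachine.Config.AdvancedConfig')

$keep = @($basePrivs | Where-Object { $dropIds -notcontains $_.Id })
$add  = @(Get-VIPrivilege -Id $addIds)

# Build the privilege set without duplicates and create the role
# ('JM2K69_Role_Derived' is a constructed name).
$privSet = ($keep + $add) | Sort-Object -Property Id -Unique
$newRole = New-VIRole -Name 'JM2K69_Role_Derived' -Privilege $privSet

# Review the delta against the base role before granting it to anyone:
# '=>' marks privileges added, '<=' privileges removed.
Compare-Object -ReferenceObject $basePrivs.Id -DifferenceObject (Get-VIPrivilege -Role $newRole).Id |
    Sort-Object SideIndicator |
    Format-Table InputObject, SideIndicator -AutoSize

# Scope the role to the folder; -Propagate lets child objects inherit the permission.
New-VIPermission -Entity (Get-Folder 'Developpement') -Principal 'JM2K69\Developers' -Role $newRole -Propagate $true
```

If the role later needs adjusting, Set-VIRole with -AddPrivilege or -RemovePrivilege changes it in place without recreating the permission.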

Written by Jérôme Bezet-Torres @JM2K69.