Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
1160 lines (1006 sloc) 47.7 KB
##########################################################################################
# Name: Module-vCloud-RightsManagement.psm1
# Date: 26/03/2018 (v0.6)
# Author: Adrian Begg (adrian.begg@ehloworld.com.au)
#
# Purpose: PowerShell modules to extend the PowerCLI for vCloud to expose
# additional methods for management Organisation Rights which are currently not exposed
# via the vCloud GUI/PowerCLI cmdlets
#
# Ref: http://pubs.vmware.com/vcd-820/topic/com.vmware.ICbase/PDF/vcloud_sp_api_guide_27_0.pdf
################################################################################################################
# Change Log
# v0.1 - 6/05/2017 - Created module and tested on vCloud Director 8.20 and NSX 6.3
# v0.2 - 13/05/2017 - Added cmdlets for Adding and Removing single rights and amended API call behaviour
# v0.3 - 23/05/2017 - Rewriting the REST API base functions to leverage the existing $global:DefaultCIServers variable for connections rather then generating a session everytime and some error checking
# v0.4 - 12/07/2017 - Updating how the Org is obtained to use Get-Org to handle a ( and other reserverd char in a queries
# v0.5 - 16/09/2017:
# - Added cmdlets to expose hide/show OrgVDC for specific Org Users
# - Cleaned up some error checking
# - Updated cmdlet documentation
# v0.51 - 08/11/2017:
# - Moved the API Support Modules
# v0.6 - 26/03/2018:
# - Major Update for use with vCloud Director 9.1 (API Version 30); fixed Org Rights matching behaviour to match on URN not URL/RightsReference
##################################################################################################################
#region: API_Support_Functions
function Test-vCloudEnvironment(){
<#
.SYNOPSIS
Performs some basic checks against the currently connected vCloud Director environment to determine if the current version is
greater than the required version by a cmdlet and that there is a current connection active.
.DESCRIPTION
Performs some basic checks against the currently connected vCloud Director environment to determine if the current version is
greater than the required version by a cmdlet and that there is a current connection active.
Returns true if the test passes
.PARAMETER Version
The Minimum Version required by the cmdlet.
.EXAMPLE
Test-vCloudEnvironment -Version 8.20
Will return true if connected to a vCloud Server with a version greater then "8.20"
.EXAMPLE
Test-vCloudEnvironment
Will return true if connected to a vCloud Server (any version).
.NOTES
NAME: Add-OrgVdcAccessRights
AUTHOR: Adrian Begg
LASTEDIT: 2017-09-16
REFERENCE: http://pubs.vmware.com/vcd-820/topic/com.vmware.ICbase/PDF/vcloud_sp_api_guide_27_0.pdf p.197
#>
Param(
[Parameter(Mandatory=$False)]
[ValidateNotNullorEmpty()] [double] $Version
)
if(!$global:DefaultCIServers.IsConnected){
throw "You are not currently connected to any servers. Please connect first using a Connect-CIServer cmdlet."
$false
Break
} elseif((!([string]::IsNullOrEmpty($Version))) -and (!($global:DefaultCIServers.Version -gt $Version))){
throw "The executing cmdlet requires the vCloud Director environment to be greater then $Version. The version of the connected server is $($global:DefaultCIServers.Version)"
$false
Break
} else {
$true
}
}
function Get-vCloudAPIResponse(){
<#
.SYNOPSIS
Wrapper function which returns the XML response from a vCloud Director API Call
.DESCRIPTION
Wrapper function which returns the XML response from a vCloud Director API Call
.PARAMETER URI
The URI of the vCloud API object to perform the GET request against
.PARAMETER ContentType
The Content-Type to pass to vCloud in the headers
.EXAMPLE
Get-vCloudAPIResponse -URI "https://vcd.pigeonnuggets.com/api/vApp/vm-f13ad1ca-3151-455c-aa84-935a2669da96/virtualHardwareSection/disks" -ContentType "application/vnd.vmware.vcloud.rasditemslist+xml"
Returns the XML response from a HTTP GET to the API /virtualHardwareSection/disks section for object vm-f13ad1ca-3151-455c-aa84-935a2669da96 using the Session Key from the current connection and sets the content type to application/vnd.vmware.vcloud.rasditemslist+xml
.NOTES
NAME: Get-vCloudAPIResponse
AUTHOR: Adrian Begg
LASTEDIT: 2018-03-26
KEYWORDS: vmware get vcloud director
#Requires -Version 2.0
#>
Param(
[Parameter(Mandatory=$True)] [string] $URI,
[Parameter(Mandatory=$True)] [string] $ContentType
)
if(!(Test-vCloudEnvironment)){
Break
}
# Setup Web Request for the API call to retireve the data from vCloud
$webclient = New-Object system.net.webclient
$webclient.Headers.Add("x-vcloud-authorization",$global:DefaultCIServers.SessionSecret)
$webclient.Headers.Add("Accept","application/*+xml;version=30.0")
$webclient.Headers.Add("Content-Type", $ContentType)
$webclient.Headers.Add("Accept-Language: en")
try{
[xml]$xmlResponse = $webclient.DownloadString($URI)
} catch {
throw "An error occured attempting to make HTTP GET against $URI"
}
$xmlResponse
}
function Publish-vCloudAPICall(){
<#
.SYNOPSIS
Wrapper function which performs a PUT of XML to the vCloud Director API
.DESCRIPTION
Wrapper function which performs a PUT of XML to the vCloud Director API
.PARAMETER URI
The URI of the vCloud API object to perform the PUT request against
.PARAMETER ContentType
The Content-Type to pass to vCloud in the headers
.PARAMETER Data
The payload to PUT to the API
.EXAMPLE
Publish-vCloudAPICall -URI "https://vcd.pigeonnuggets.com/api/vApp/vm-f13ad1ca-3151-455c-aa84-935a2669da96/virtualHardwareSection/disks" -ContentType "application/vnd.vmware.vcloud.rasditemslist+xml" -Data $XMLOrgVDCSPConfig
Peforms a HTTP PUT against vCloud Director URI https://vcd.pigeonnuggets.com/api/vApp/vm-f13ad1ca-3151-455c-aa84-935a2669da96/virtualHardwareSection/disks with the payload provided in the input variable $XMLOrgVDCSPConfig
.NOTES
NAME: Publish-vCloudAPICall
AUTHOR: Adrian Begg
LASTEDIT: 2018-03-26
KEYWORDS: vmware publish vcloud director
#Requires -Version 2.0
#>
Param(
[Parameter(Mandatory=$True)] [string] $URI,
[Parameter(Mandatory=$True)] [string] $ContentType,
[Parameter(Mandatory=$True)] [xml] $Data
)
# Check if the server is connected
if(!(Test-vCloudEnvironment)){
Break
}
# Setup Web Request
$webclient = New-Object system.net.webclient
$webclient.Headers.Add("x-vcloud-authorization",$global:DefaultCIServers.SessionSecret)
$webclient.Headers.Add("Accept","application/*+xml;version=30.0")
$webclient.Headers.Add("Content-Type", $ContentType)
$webclient.Headers.Add("Accept-Language: en")
# Convert the new configuration to byte array for upload
[string] $strUploadData = $Data.OuterXml
[byte[]]$byteArray = [System.Text.Encoding]::ASCII.GetBytes($strUploadData)
# "To the cloud !"
try{
$UploadData = $webclient.UploadData($URI, "PUT", $bytearray)
} catch {
throw "An error occured attempting to make HTTP PUT against $URI"
}
}
function Update-vCloudAPICall(){
<#
.SYNOPSIS
Wrapper function which performs a POST of XML to the vCloud Director API
.DESCRIPTION
Wrapper function which performs a POST of XML to the vCloud Director API
.PARAMETER URI
The URI of the vCloud API object to perform the POST request against
.PARAMETER ContentType
The Content-Type to pass to vCloud in the headers
.PARAMETER Data
The payload to POST to the API
.EXAMPLE
Publish-vCloudAPICall -URI "https://vcd.pigeonnuggets.com/api/vApp/vm-f13ad1ca-3151-455c-aa84-935a2669da96/virtualHardwareSection/disks" -ContentType "application/vnd.vmware.vcloud.rasditemslist+xml" -Data $XMLOrgVDCSPConfig
Peforms a HTTP POST against vCloud Director URI https://vcd.pigeonnuggets.com/api/vApp/vm-f13ad1ca-3151-455c-aa84-935a2669da96/virtualHardwareSection/disks with the payload provided in the input variable $XMLOrgVDCSPConfig
.NOTES
NAME: Publish-vCloudAPICall
AUTHOR: Adrian Begg
LASTEDIT: 2018-03-26
KEYWORDS: vmware publish vcloud director
#Requires -Version 2.0
#>
Param(
[Parameter(Mandatory=$True)] [string] $URI,
[Parameter(Mandatory=$True)] [string] $ContentType,
[Parameter(Mandatory=$True)] [xml] $Data
)
# Check if the server is connected
if(!(Test-vCloudEnvironment)){
Break
}
# Setup Web Request
$webclient = New-Object system.net.webclient
$webclient.Headers.Add("x-vcloud-authorization",$global:DefaultCIServers.SessionSecret)
$webclient.Headers.Add("Accept","application/*+xml;version=30.0")
$webclient.Headers.Add("Content-Type", $ContentType)
$webclient.Headers.Add("Accept-Language: en")
# Convert the new configuration to byte array for upload
[string] $strUploadData = $Data.OuterXml
[byte[]]$byteArray = [System.Text.Encoding]::ASCII.GetBytes($strUploadData)
# "To the cloud !"
try{
$UploadData = $webclient.UploadData($URI, "POST", $bytearray)
} catch {
throw "An error occured attempting to make HTTP POST against $URI"
}
}
#endregion
#region: XML Methods - Base methods for retreival and manipulation of XML from API
function Get-CIOrgRightsXML(){
<#
.SYNOPSIS
Returns the base XML returend by the vCloud Director API for use by other methods for an Org
.DESCRIPTION
Returns the Org rights in vCloud for a provided orgnaisation
.PARAMETER OrgName
The Name of the vCloud Organisation
.EXAMPLE
Get-CIOrgRightsXML -OrgName "PigeonNuggets"
Returns XML rights for the Org "PigeonNuggets"
.NOTES
NAME: Get-CIOrgRightsXML
AUTHOR: Adrian Begg
LASTEDIT: 2018-03-26
KEYWORDS: vmware get vcloud director
#Requires -Version 2.0
#>
Param(
[Parameter(Mandatory=$True)] [string] $OrgName
)
# Check if the server is connected and version is greater then 8.20
if(!(Test-vCloudEnvironment -Version 8.20)){
Break
}
# Retireve the Org object for the Organisation
try{
$Org = Get-Org -Name $OrgName | Get-CIView
} catch {
throw "Unable to find an Organisation $OrgName"
Break
}
# Make the API call to get the Rights assigned
[string] $URI = ($Org.Href + "/rights")
[xml]$xmlOrgRights = Get-vCloudAPIResponse -URI $URI -ContentType "application/vnd.vmware.admin.org.rights+xml;version=30.0"
# Return a the XML
$xmlOrgRights
}
function Add-CIOrgRightXML(){
<#
.SYNOPSIS
Adds a vCloud Right to the provided Organisation Org Right XML Document
.DESCRIPTION
Adds a single right to a vCloud Organisation and returns the XML to post back to the API. This can then be posted back to the API
or more manipulation performed.
.PARAMETER RightsXML
The Rights for an Organisation in XML format
.PARAMETER RightId
The URN for the vCloud Right to be added
.EXAMPLE
Add-CIOrgRightXML -RightsXML $xmlReference -RightId "urn:vcloud:right:c53990c7-3932-3926-8247-45639243d734"
.NOTES
NAME: Add-vCloudOrgRightXML
AUTHOR: Adrian Begg
LASTEDIT: 2018-03-26
KEYWORDS: vmware get vcloud director
#Requires -Version 2.0
#>
Param(
[Parameter(Mandatory=$True)] [xml] $RightsXML,
[Parameter(Mandatory=$True)] [string] $RightId
)
# Create the RightReference URI for the provided Right
try{
$objRight = Get-CIView -Id $RightId
$strRightId = $objRight.Id.Substring($objRight.Id.LastIndexOf(":")+1)
$strNewRightReference = $RightsXML.OrgRights.href + "/" + $strRightId
} catch {
throw "Unable to resolve the right with the URN $RightId"
Break
}
# First check if the right already exists
if ($strNewRightReference -in $RightsXML.OrgRights.RightReference.Href){
Write-Warning "The right with the URN $($RightId) is already assigned for this orgnaisation; no changes will be made."
$RightsXML
} else {
# Load the XML and add the new element into the RightReference section
[xml]$xmlRightsDoc = New-Object system.Xml.XmlDocument
$xmlRightsDoc.LoadXml($RightsXML.OuterXml)
$newRoleRight = $xmlRightsDoc.CreateElement("RightReference")
$newRoleRight.SetAttribute("href",$strNewRightReference)
$newRoleRight.SetAttribute("name",$objRight.Name)
$newRoleRight.SetAttribute("type",$objRight.Type)
$xmlRightsDoc.OrgRights.AppendChild($newRoleRight) > $nul
# Get rid of the unwanted namespace element added by .NET and return to the caller
$xmlRightsDoc = [xml] $xmlRightsDoc.OuterXml.Replace(" xmlns=`"`"", "")
$xmlRightsDoc
}
}
#endregion
#region: Public User Methods
function Get-CIRights(){
<#
.SYNOPSIS
Returns a collection of the avaialble rights in the Global cloud infrastructure.
.DESCRIPTION
Returns a collection of the Global rights for the connected Cloud Infrastructure
.NOTES
NAME: Get-CIOrgRights
AUTHOR: Adrian Begg
LASTEDIT: 2018-03-26
KEYWORDS: vmware get vcloud director
#Requires -Version 2.0
#>
# Check if the server is connected and version is greater then 8.20
if(!(Test-vCloudEnvironment -Version 8.20)){
Break
}
[string] $vCloudURI = $global:DefaultCIServers.ServiceUri.AbsoluteURI + "admin"
$cloudRights = (Get-vCloudAPIResponse -URI $vCloudURI -ContentType "application/vnd.vmware.admin.vcloud+xml;version=30.0").VCloud.RightReferences.RightReference
$colSystemRights = New-Object -TypeName System.Collections.ArrayList
foreach($SystemRight in $cloudRights){
$apiSystemRight = Get-vCloudAPIResponse $SystemRight.href -ContentType $SystemRight.type
$objSystemRight = New-Object System.Management.Automation.PSObject
$objSystemRight | Add-Member Note* Id $apiSystemRight.Right.id
$objSystemRight | Add-Member Note* Name $apiSystemRight.Right.name
$objSystemRight | Add-Member Note* Description $apiSystemRight.Right.Description
$objSystemRight | Add-Member Note* href $apiSystemRight.Right.href
$objSystemRight | Add-Member Note* Category $apiSystemRight.Right.Category
$objSystemRight | Add-Member Note* Type $apiSystemRight.Right.type
$colSystemRights.Add($objSystemRight) > $null
}
$colSystemRights
}
function Get-CIOrgRights(){
<#
.SYNOPSIS
Returns a collection of the avaialble rights in the cloud and if they are enabled for the provided Org
.DESCRIPTION
Returns the Org rights in vCloud including any rights to vCloud Director Tenant Portal, and also from a new vCloud Director API for NSX which are not exposed through the GUI
The collection returned will include all rights available with a property "Enabled"; if they are available to the Org this property will be true
.PARAMETER OrgName
The Name of the vCloud Organisation.
.EXAMPLE
Get-CIOrgRights -OrgName "PigeonNuggets"
Returns a collection of rights for the Org "PigeonNuggets" and if they are enabled
.NOTES
NAME: Get-CIOrgRights
AUTHOR: Adrian Begg
LASTEDIT: 2018-03-26
KEYWORDS: vmware get vcloud director
#Requires -Version 2.0
#>
Param(
[Parameter(Mandatory=$True)] [string] $OrgName
)
# Check if the server is connected and version is greater then 8.20
if(!(Test-vCloudEnvironment -Version 8.20)){
Break
}
# Make the API call to get the Rights assigned
try{
[xml]$xmlOrgRights = Get-CIOrgRightsXML $OrgName
# Next create a collection with the URNs (Id's) for each of the rights for reliable comparison
$colOrgRights = New-Object -TypeName System.Collections.ArrayList
foreach($xmlOrgRight in $xmlOrgRights.OrgRights.RightReference){
$apiOrgRight = Get-vCloudAPIResponse $xmlOrgRight.href -ContentType $xmlOrgRights.OrgRights.type
$objOrgRight = New-Object System.Management.Automation.PSObject
$objOrgRight | Add-Member Note* Id $apiOrgRight.Right.id
$objOrgRight | Add-Member Note* Name $apiOrgRight.Right.name
$objOrgRight | Add-Member Note* Description $apiOrgRight.Right.Description
$objOrgRight | Add-Member Note* href $apiOrgRight.Right.href
$objOrgRight | Add-Member Note* Category $apiOrgRight.Right.Category
$objOrgRight | Add-Member Note* Type $apiOrgRight.Right.type
$colOrgRights.Add($objOrgRight) > $null
}
} catch {
throw "Unable to get the Organisation Rights for $OrgName"
Break
}
# Next we need to make a call to the API to resolve the Rights that are avaialble for the Cloud
$cloudRights = Get-CIRights
# Now build a collection of the rights available vs the rights enabled for the Organisation
$colRights = New-Object -TypeName System.Collections.ArrayList
foreach($objRight in $cloudRights){
$objRightAssignment = New-Object System.Management.Automation.PSObject
$objRightAssignment | Add-Member Note* Id $objRight.id
$objRightAssignment | Add-Member Note* Name $objRight.name
$objRightAssignment | Add-Member Note* Description $objRight.Description
$objRightAssignment | Add-Member Note* Category $objRight.Category
$objRightAssignment | Add-Member Note* Enabled ($objRight.id -in $colOrgRights.id)
$colRights.Add($objRightAssignment) > $null
}
# Return a collection of rights
$colRights
}
function Export-CIOrgRights(){
<#
.SYNOPSIS
Exports the Org Rights for a provided vCloud Org to a CSV for manipulation externally
.DESCRIPTION
Outputs the rights assigned to an Org to a CSV file for all vCloud Rights assigned to the Org. This can then be manipulated and imported back into vCloud with new rights assignemtns using the Import-vCloudOrgRights cmdlet
.PARAMETER OrgName
The Name of the vCloud Organisation.
.PARAMETER OutputFilePath
A fully qualified path to for the file to output the generated CSV
.EXAMPLE
Export-CIOrgRights -OrgName "PigeonNuggets" -OutputFilePath "C:\_admin\Output.csv"
Will write a CSV to C:\_admin\Output.csv containing a list of rights and for the vCloud tenancy and if they are enabled or not
.NOTES
NAME: Export-CIOrgRights
AUTHOR: Adrian Begg
LASTEDIT: 2018-03-26
#Requires -Version 2.0
#>
Param(
[Parameter(Mandatory=$True)] [string] $OrgName,
[Parameter(Mandatory=$True)] [string] $OutputFilePath
)
# Check if the server is connected and version is greater then 8.20
if(!(Test-vCloudEnvironment -Version 8.20)){
Break
}
# Check the Org Exists
try{
$Org = Get-Org -Name $OrgName | Get-CIView
} catch {
throw "Unable to find an Organisation $OrgName"
Break
}
Get-CIOrgRights -OrgName $OrgName | Export-CSV $OutputFilePath -NoTypeInformation
}
function Import-CIOrgRights(){
<#
.SYNOPSIS
Imports a set of vCloud Director Rights from a provided CSV
.DESCRIPTION
Will replace the Org rights enabled on a vCloud Organisation with those from a CSV containing the roles in the format name,enabled (role name, true/false)
.PARAMETER OrgName
The Name of the vCloud Organisation.
.PARAMETER InputCSVFile
A fully qualified path to for the input CSV file which will be applied to the Organisation
.EXAMPLE
Import-CIOrgRights -OrgName "PigeonNuggets" -InputCSVFile "C:\Temp\Rules.csv"
Will overwrite the OrgRights assigned to the Org PigeonNuggets with the ones defined as enabled in the CSV "C:\Temp\Rules.csv"
.NOTES
NAME: Import-CIOrgRights
AUTHOR: Adrian Begg
LASTEDIT: 2018-03-26
#Requires -Version 2.0
#>
Param(
[Parameter(Mandatory=$True)] [string] $OrgName,
[Parameter(Mandatory=$True)] [string] $InputCSVFile
)
# Check if the server is connected and version is greater then 8.20
if(!(Test-vCloudEnvironment -Version 8.20)){
Break
}
# Check if the CSV provided exists
if(!(Test-Path $InputCSVFile)){
throw "The file $InputCSVFile does not exist. Please check the path and try again."
Break
}
try{
$Org = Get-Org -Name $OrgName | Get-CIView
} catch {
throw "Unable to find an Organisation $OrgName"
Break
}
# Import the rules from the CSV and get a list of valid rights for the Org
$colRightsCSV = Import-CSV -Path $InputCSVFile
$colEnabledRights = $colRightsCSV | ?{$_.enabled.ToLower() -eq "true"}
# Get the existing Org Rights XML
[xml] $xmlOrgRights = Get-CIOrgRightsXML $OrgName
# First clean the existing configuration of all OrgRights
[xml]$xmlRightsDoc = New-Object system.Xml.XmlDocument
$xmlRightsDoc.LoadXml($xmlOrgRights.OuterXml)
foreach($OrgRight in $xmlRightsDoc.OrgRights.RightReference){
$xmlRightsDoc.OrgRights.RemoveChild($OrgRight) > $nul
}
# Get the rights for the current vCloud instance
$cloudRights = Get-CIRights
$newOrgRights = $cloudRights | ?{$_.id -in $colEnabledRights.id}
# Add the rights from the CSV into the configuration file stripped of the existing rights
foreach($appliedRight in $newOrgRights){
$xmlRightsDoc = Add-CIOrgRightXML -RightsXML $xmlRightsDoc -RightId $appliedRight.id
}
# Retireve the Org object for the Organisation
try{
$Org = Get-Org -Name $OrgName | Get-CIView
# Make the API call to POST the Rights assigned
[string] $URI = ($Org.Href + "/rights")
Publish-vCloudAPICall -URI $URI -ContentType "application/vnd.vmware.admin.org.rights+xml;version=30.0" -Data $xmlRightsDoc
} catch {
throw "An error occured applying the imported rights to the Org $OrgName."
}
}
function Remove-CIOrgRight(){
<#
.SYNOPSIS
Removes a single vCloud Director right from an Organisation
.DESCRIPTION
Removes a single vCloud Director right from an Organisation
.PARAMETER OrgName
The Name of the vCloud Organisation.
.PARAMETER Right
The name of the vCloud Director right to remove from the Organisation
.EXAMPLE
Remove-CIOrgRight -OrgName "PigeonNuggets" -Right "vApp Template / Media: Edit"
Removes the right "vApp Template / Media: Edit" to the Organisation PigeonNuggets if it is enabled
.NOTES
NAME: Remove-CIOrgRight
AUTHOR: Adrian Begg
LASTEDIT: 2018-03-26
#Requires -Version 2.0
#>
Param(
[Parameter(Mandatory=$True)] [string] $OrgName,
[Parameter(Mandatory=$True)] [string] $Right
)
# Check if the server is connected and version is greater then 8.20
if(!(Test-vCloudEnvironment -Version 8.20)){
Break
}
# Check if the OrgRight is currently enabled for the Org
$colOrgRights = (Get-CIOrgRights $OrgName) | ?{$_.enabled -eq $true}
if (($colOrgRights | ?{$_.name -in $Right}) -eq $null){
Write-Warning "The Org Right $Right is not currently enabled on Org $OrgName no changes have been made."
} else {
# Get the current rights and remove the right from the configuration
[xml]$xmlOrgRights = Get-CIOrgRightsXML $OrgName
[xml]$xmlRightsDoc = New-Object system.Xml.XmlDocument
$xmlRightsDoc.LoadXml($xmlOrgRights.OuterXml)
# Now iterate through and find the Org Right
foreach($OrgRight in $xmlRightsDoc.OrgRights.RightReference){
if($OrgRight.Name -eq $Right){
$xmlRightsDoc.OrgRights.RemoveChild($OrgRight) > $nul
}
}
# Make the API call to POST the Rights assigned
try{
# Retireve the Org object for the Organisation
$Org = Get-Org -Name $OrgName | Get-CIView
[string] $URI = ($Org.Href + "/rights")
Publish-vCloudAPICall -URI $URI -ContentType "application/vnd.vmware.admin.org.rights+xml;version=30.0" -Data $xmlRightsDoc
} catch {
throw "An error occured removing the right $Right from Org $OrgName."
}
}
}
function Add-CIOrgRight(){
<#
.SYNOPSIS
Adds a single vCloud Director right to an Organisation
.DESCRIPTION
Adds the provided vCloud Director right to the specfied Organisation
.PARAMETER OrgName
The Name of the vCloud Organisation.
.PARAMETER Right
The name of the vCloud Director right to assign
.EXAMPLE
Add-CIOrgRight -OrgName "PigeonNuggets" -Right "vApp Template / Media: Edit"
Adds the right "vApp Template / Media: Edit" to the Organisation PigeonNuggets if not already enabled
.NOTES
NAME: Add-CIOrgRight
AUTHOR: Adrian Begg
LASTEDIT: 2017-05-24
#Requires -Version 2.0
#>
Param(
[Parameter(Mandatory=$True)] [string] $OrgName,
[Parameter(Mandatory=$True)] [string] $Right
)
# Check if the server is connected and version is greater then 8.20
if(!(Test-vCloudEnvironment -Version 8.20)){
Break
}
# Check if the OrgRight is currently enabled for the Org
$colOrgRights = (Get-CIOrgRights $OrgName) | ?{$_.enabled -eq $true}
if (!(($colOrgRights | ?{$_.name -in $Right}) -eq $null)){
Write-Warning "The Org Right $Right already exists for Org $OrgName no changes have been made."
} else {
# Get the current rights and add the new right to the configuration
[xml]$xmlOrgRights = Get-CIOrgRightsXML $OrgName
# Match the Rights Reference from the Global Rights list
$cloudRights = Get-CIRights
$newOrgRight = $cloudRights | ?{$_.name -in $Right}
if($newOrgRight -ne $null){
$xmlNewRightsDoc = Add-CIOrgRightXML -RightsXML $xmlOrgRights -RightId $newOrgRight.id
} else {
throw "Unable to find a right with the name $Right to add to the Organisation. Please verify the right name and try again."
}
# Make the API call to POST the newly added Right
try{
$Org = Get-Org -Name $OrgName | Get-CIView
[string] $URI = ($Org.Href + "/rights")
Publish-vCloudAPICall -URI $URI -ContentType "application/vnd.vmware.admin.org.rights+xml;version=30.0" -Data $xmlNewRightsDoc
} catch {
throw "An error occured adding the new right $Right to the Org $OrgName."
}
}
}
#endregion
#region: Org VDC View Rights
function Get-OrgVdcAccessRightsXML(){
<#
.SYNOPSIS
Support function which returns the Access Controls for a provided Organisation Virtual Datacenter object in XML from the vCloud API.
.DESCRIPTION
Returns the XML returned by an API call to vCloud for a OrgVDC with the Provided ID.
.PARAMETER OrgVDCId
The vCloud Object Id for the Org VDC to query
.EXAMPLE
Get-OrgVdcAccessRightsXML -OrgVDCId "urn:vcloud:vdc:0a91d569-7653-40ed-8258-c90f12ec05c8"
Returns the AccessControl details in XML format for the Org VDC with the Id urn:vcloud:vdc:0a91d569-7653-40ed-8258-c90f12ec05c8
.NOTES
NAME: Get-OrgVdcAccessRightsXML
AUTHOR: Adrian Begg
LASTEDIT: 2017-09-13
REFERENCE: http://pubs.vmware.com/vcd-820/topic/com.vmware.ICbase/PDF/vcloud_sp_api_guide_27_0.pdf p.197
#>
Param(
[Parameter(Mandatory=$True)]
[ValidateNotNullorEmpty()] [string] $OrgVDCId
)
# The controlAccess is not exposed in the AdminView of object (the deafult reutnred from Get-OrgVDC) need to get the User View Level
$objOrgVDCUserView = Get-CIView -Id $OrgVDCId -ViewLevel User
[string] $OrgVDCURI = $objOrgVDCUserView.Href
[xml]$XMLOrgVDCResponse = (Get-vCloudAPIResponse -URI $OrgVDCURI -ContentType "application/vnd.vmware.vcloud.vdc+xml")
# Next retireve the Access Control information currently set for the OrgVDC; get the URI for the current AccessControl
[string] $AccessControlURI = ($XMLOrgVDCResponse.Vdc.Link | ?{(($_.rel -eq "down") -and ($_.type -eq "application/vnd.vmware.vcloud.controlAccess+xml"))}).href
[xml]$XMLOrgVDCAccessRights = (Get-vCloudAPIResponse -URI $AccessControlURI -ContentType "application/vnd.vmware.vcloud.controlAccess+xml")
# Return to the caller
$XMLOrgVDCAccessRights
}
function Update-OrgVDCAccessRightsXML(){
<#
.SYNOPSIS
Support function which performs a PUT against a provided Organisation Virtual Datacenter to update the Access Controls elements via the vCloud API.
.DESCRIPTION
Support function which performs a HTTP PUT of the provided XML against vCloud for a OrgVDC with the Provided ID to update the Access Controls elements.
.PARAMETER OrgVDCId
The vCloud Object Id for the Org VDC to query
.PARAMETER AccessControlData
Well formed XML to post against the /action/controlAccess/ of the OrgVDC
.EXAMPLE
Update-OrgVdcAccessRightsXML -OrgVDCId "urn:vcloud:vdc:0a91d569-7653-40ed-8258-c90f12ec05c8" -AccessControlData $xmlObject
Makes a HTTP PUT against the controlAccess link of the Org VDC Id urn:vcloud:vdc:0a91d569-7653-40ed-8258-c90f12ec05c8 with the data payload of $xmlObject.
.NOTES
NAME: Update-OrgVdcAccessRightsXML
AUTHOR: Adrian Begg
LASTEDIT: 2017-09-14
REFERENCE: http://pubs.vmware.com/vcd-820/topic/com.vmware.ICbase/PDF/vcloud_sp_api_guide_27_0.pdf p.197
#>
Param(
[Parameter(Mandatory=$True)]
[ValidateNotNullorEmpty()] [string] $OrgVDCId,
[Parameter(Mandatory=$True)]
[ValidateNotNullorEmpty()] [xml] $AccessControlData
)
# The controlAccess is not exposed in the AdminView of object (the deafult reutnred from Get-OrgVDC) need to get the User View Level
$objOrgVDCUserView = Get-CIView -Id $OrgVDCId -ViewLevel User
[string] $OrgVDCURI = $objOrgVDCUserView.Href
[xml]$XMLOrgVDCResponse = (Get-vCloudAPIResponse -URI $OrgVDCURI -ContentType "application/vnd.vmware.vcloud.vdc+xml")
# Next retireve the Access Control URI to update for the OrgVDC
[string] $AccessControlURI = ($XMLOrgVDCResponse.Vdc.Link | ?{(($_.rel -eq "controlAccess") -and ($_.type -eq "application/vnd.vmware.vcloud.controlAccess+xml"))}).href
# Make the call against the API to update the object
try{
Publish-vCloudAPICall -URI $AccessControlURI -ContentType "application/vnd.vmware.vcloud.controlAccess+xml" -Data $AccessControlData
} catch {
throw "An error occured updating the Access Control data for the Organisation."
}
}
function Get-OrgVdcAccessRights(){
<#
.SYNOPSIS
Returns the Access Controls for a provided Organisation Virtual Datacenter object.
.DESCRIPTION
Returns the Access Controls for a provided Organisation Virtual Datacenter object. Upon creation, an organization VDC grants full access to all members of the containing organization however an administrator can use an access control mechanism to restrict access to specific users.
.PARAMETER OrgName
The Name of the vCloud Organisation.
.PARAMETER OrgVDC
The name of the Organization Virtual Datacenter to query
.PARAMETER OrgVDCId
The vCloud Object Id for the Org VDC
.EXAMPLE
Get-OrgVdcAccessRights -OrgName "PigeonNuggets"
Returns a collection of objects containing the Access Controls currently applied to all VDC's in the Organisation "PigeonNuggets"
.EXAMPLE
Get-OrgVdcAccessRights -OrgName "PigeonNuggets" -OrgVDC "Production"
Returns an object containing the Access Controls currently applied to the Org VDC "Production" in the Organisation "PigeonNuggets"
.EXAMPLE
Get-OrgVdcAccessRights -OrgVDCId "urn:vcloud:vdc:0a91d569-7653-40ed-8258-c90f12ec05c8"
Returns the AccessControl details for the Org VDC with the Id urn:vcloud:vdc:0a91d569-7653-40ed-8258-c90f12ec05c8
.NOTES
NAME: Get-OrgVdcAccessRights
AUTHOR: Adrian Begg
LASTEDIT: 2017-09-12
REFERENCE: http://pubs.vmware.com/vcd-820/topic/com.vmware.ICbase/PDF/vcloud_sp_api_guide_27_0.pdf p.197
#>
Param(
[Parameter(Mandatory=$True,ParameterSetName = "ByName")]
[ValidateNotNullorEmpty()] [string] $OrgName,
[Parameter(Mandatory=$False,ParameterSetName = "ByName")]
[ValidateNotNullorEmpty()] [string] $OrgVDC,
[Parameter(Mandatory=$True,ParameterSetName = "ById")]
[ValidateNotNullorEmpty()] [string] $OrgVDCId
)
# TODO: Add Support for External User objects (No SSO in the Lab at the moment further testing required)
# Check if the server is connected and version is greater then 8.10
if(!(Test-vCloudEnvironment -Version 8.10)){
Break
}
# Check if OrgVDC paramter has been provided and query to return the collection of OrgVdc Objects
try{
if(!([string]::IsNullOrEmpty($OrgVDCId))){
$colOrgVDC = (Get-OrgVDC -Id $OrgVDCId)
} elseif(!([string]::IsNullOrEmpty($OrgVDC))){
$colOrgVDC = (Get-OrgVdc -Name $OrgVDC -Org $OrgName)
} else {
$colOrgVDC = (Get-OrgVdc -Org $OrgName)
}
} catch {
throw "Unable to find an Org VDC matching the provided criteria; please check the provided values and try again."
}
# A collection of the OrgVDC Access Rights Objects
$colOrgVDCRights = New-Object -TypeName System.Collections.ArrayList
foreach($objOrgVDC in $colOrgVDC){
# Retreive the Access Control information set for the OrgVDC
[xml]$OrgVDCAccessRights = Get-OrgVdcAccessRightsXML -OrgVDCId $objOrgVDC.Id
# Create a PSObject with the properties
$objVDCAccessRight = New-Object System.Management.Automation.PSObject
$objVDCAccessRight | Add-Member Note* Organization $objOrgVDC.Org
$objVDCAccessRight | Add-Member Note* OrgVDC $objOrgVDC
$objVDCAccessRight | Add-Member Note* IsSharedToEveryone $OrgVDCAccessRights.ControlAccessParams.IsSharedToEveryone
if(!([string]::IsNullOrEmpty($OrgVDCAccessRights.ControlAccessParams.EveryoneAccessLevel))){
$objVDCAccessRight | Add-Member Note* EveryoneAccessLevel $OrgVDCAccessRights.ControlAccessParams.EveryoneAccessLevel
} else {
$objVDCAccessRight | Add-Member Note* EveryoneAccessLevel "NoAccess"
}
# A collection of Access Settings
$colVDCAccessSettings = New-Object -TypeName System.Collections.ArrayList
foreach($AccessSetting in $OrgVDCAccessRights.ControlAccessParams.AccessSettings.AccessSetting){
$objVDCAccessSetting = New-Object System.Management.Automation.PSObject
# Get the Local VDC User and retireve the CIUser Object for the user
if($AccessSetting.Subject -ne $null){
$CIUserObj = Get-CIUser -Id ((Get-vCloudAPIResponse -URI $AccessSetting.Subject.href -ContentType $AccessSetting.Subject.Type).User.Id)
$objVDCAccessSetting | Add-Member Note* CIUser $CIUserObj
$objVDCAccessSetting | Add-Member Note* AccessLevel $AccessSetting.AccessLevel
$colVDCAccessSettings.Add($objVDCAccessSetting) > $null
}
}
$objVDCAccessRight | Add-Member Note* AccessSettings $colVDCAccessSettings
$colOrgVDCRights.Add($objVDCAccessRight) > $null
}
# Return a collection of Access Rights for the targetted VDC's
$colOrgVDCRights
}
function Set-OrgVdcAccessRightSharedToEveryone(){
<#
.SYNOPSIS
Set or reset the flag for the provided Organisation Virtual Datacenter object to be visible to all users.
.DESCRIPTION
This cmdlet sets an Organisation Virtual Datacenter as visible or hidden for all users who have rights to the organisation. By default an Org VDC is visible to all members of the containing organization; if the -Visible:$false is provided the org VDC will be hidden from all users by default. If -Visible:$true is set it will be visible to all users by default.
.PARAMETER OrgName
The Name of the vCloud Organisation.
.PARAMETER OrgVDC
The name of the Organization Virtual Datacenter to query
.PARAMETER OrgVDCId
The vCloud Object Id for the Org VDC
.PARAMETER Visible
Default: True
If set to $True will reset the Org VDC to visible to all users, if $False the OrgVDC will be hidden for all users
.EXAMPLE
Set-OrgVdcAccessRightSharedToEveryone -OrgName "PigeonNuggets" -OrgVDC "Production" -Visible $false
Sets the Access Control applied to the Org VDC "Production" in the Organisation "PigeonNuggets" to hidden by default.
The Org VDC will only be visible to users that have been added using Add-OrgVdcAccessRights cmdlet.
.EXAMPLE
Set-OrgVdcAccessRightSharedToEveryone -OrgVDCId "urn:vcloud:vdc:0a91d569-7653-40ed-8258-c90f12ec05c8" -Visible $false
Sets the Access Control applied to the Org VDC with the vCloud Object Id "urn:vcloud:vdc:0a91d569-7653-40ed-8258-c90f12ec05c8"
to hidden by default. The Org VDC will only be visible to users that have been added using Add-OrgVdcAccessRights cmdlet.
.EXAMPLE
Set-OrgVdcAccessRightSharedToEveryone -OrgVDCId "urn:vcloud:vdc:0a91d569-7653-40ed-8258-c90f12ec05c8" -Visible $true
Resets the Access Control applied to the Org VDC with the vCloud Object Id "urn:vcloud:vdc:0a91d569-7653-40ed-8258-c90f12ec05c8"
to make the object visible by default.
.EXAMPLE
Set-OrgVdcAccessRightSharedToEveryone -OrgName "PigeonNuggets" -OrgVDC "Production" -Visible $true
Resets the default Access Control applied to the Org VDC "Production" in the Organisation "PigeonNuggets" to visible by default.
The Org VDC will be visible to all users.
.NOTES
NAME: Set-OrgVdcAccessRightSharedToEveryone
AUTHOR: Adrian Begg
LASTEDIT: 2017-09-12
REFERENCE: http://pubs.vmware.com/vcd-820/topic/com.vmware.ICbase/PDF/vcloud_sp_api_guide_27_0.pdf p.197
#>
Param(
[Parameter(Mandatory=$True,ParameterSetName = "ByName")]
[ValidateNotNullorEmpty()] [string] $OrgName,
[Parameter(Mandatory=$True,ParameterSetName = "ByName")]
[ValidateNotNullorEmpty()] [string] $OrgVDC,
[Parameter(Mandatory=$True,ParameterSetName = "ById")]
[ValidateNotNullorEmpty()] [string] $OrgVDCId,
[Parameter(Mandatory=$True,ParameterSetName = "ByName")]
[Parameter(Mandatory=$True,ParameterSetName = "ById")]
[bool] $Visible = $true
)
# Check if the server is connected and version is greater then 8.10
if(!(Test-vCloudEnvironment -Version 8.10)){
Break
}
# Check if OrgVDCId paramter has been provided or the Orgname and get the current specification
if(!([string]::IsNullOrEmpty($OrgVDCId))){
$objOrgVDCAccessControl = Get-OrgVdcAccessRights -OrgVDCId $OrgVDCId
} else {
$objOrgVDCAccessControl = Get-OrgVdcAccessRights -OrgName $OrgName -OrgVDC $OrgVDC
}
# Check the current status of the default AccessControl on the OrgVDC
if($Visible -and ($objOrgVDCAccessControl.IsSharedToEveryone -eq $true)){
Write-Warning "The OrgVDC provided is already set to be visible to all users by default. No changes have been made."
Break
} elseif(!$Visible -and ($objOrgVDCAccessControl.IsSharedToEveryone -eq $false)){
Write-Warning "The OrgVDC provided is already set to be hidden to all users by default. No changes have been made."
Break
} else {
# Load the current XML configuration for update
[xml]$xmlOrgVDCAccessRights = Get-OrgVdcAccessRightsXML -OrgVDCId $objOrgVDCAccessControl.OrgVDC.Id
# Update the IsSharedToEveryone attribute; has to be in lowercase or 400 Bad Request is thrown
$xmlOrgVDCAccessRights.ControlAccessParams.IsSharedToEveryone = ($Visible.ToString()).ToLower()
# Add/Update the EveryoneAccessLevel element if visible has been set
if($Visible){
# Check if the EveryoneAccessLevel element is present/exists
if([string]::IsNullOrEmpty($xmlOrgVDCAccessRights.ControlAccessParams.EveryoneAccessLevel)){
[Xml.XmlNode] $xmlEveryOneAccessLevel = $xmlOrgVDCAccessRights.CreateNode("element","EveryoneAccessLevel","");
$xmlEveryOneAccessLevel.InnerText = "ReadOnly"
# The Node needs to be ordered immediately after the IsSharedToEveryone Element
$xmlNodeSharedEveryone = $xmlOrgVDCAccessRights.ControlAccessParams.GetElementsByTagName("IsSharedToEveryone")[0]
$xmlOrgVDCAccessRights.ControlAccessParams.InsertAfter($xmlEveryOneAccessLevel,$xmlNodeSharedEveryone) > $nul
# Get rid of the unwanted namespace element added by .NET and return to the caller
$xmlOrgVDCAccessRights = [xml] $xmlOrgVDCAccessRights.OuterXml.Replace(" xmlns=`"`"", "")
} else {
# If it already exists update the value
$xmlOrgVDCAccessRights.ControlAccessParams.EveryoneAccessLevel = "ReadOnly" > $nul
}
}
# Make the update via an API call
Update-OrgVdcAccessRightsXML -OrgVDCId $objOrgVDCAccessControl.OrgVDC.Id -AccessControlData $xmlOrgVDCAccessRights
}
}
function Remove-OrgVdcAccessRights(){
<#
.SYNOPSIS
Revokes a vCloud User Rights to Read an Organisation Virtual Datacenter object which has been hidden from users by default.
.DESCRIPTION
This cmdlet removes a CIUser from the Access Control List for an Organisation Virtual Datacenter. If the Organisation has been hidden using the Set-OrgVdcAccessRightSharedToEveryone cmdlet the users removed using this cmdlet will no longer have rights to access/view the Organisational VDC. By default an Org VDC is visible to all members of the containing organization.
.PARAMETER OrgName
The Name of the vCloud Organisation.
.PARAMETER OrgVDC
The name of the Organization Virtual Datacenter to query
.PARAMETER OrgVDCId
The vCloud Object Id for the Org VDC
.PARAMETER User
A CIUser object to remove/revoke rights to View the VDC if hidden
.EXAMPLE
Remove-OrgVdcAccessRights -OrgName "PigeonNuggets" -OrgVDC "Production" -User $CIUser
Sets the Access Control applied to the Org VDC "Production" in the Organisation "PigeonNuggets" to deny user $CIUser access it if it is hidden by the Set-OrgVdcAccessRightSharedToEveryone cmdlet.
.EXAMPLE
Remove-OrgVdcAccessRights -OrgVDCId "urn:vcloud:vdc:0a91d569-7653-40ed-8258-c90f12ec05c8" -User $CIUser
Sets the Access Control applied to the Org VDC with the vCloud Object Id "urn:vcloud:vdc:0a91d569-7653-40ed-8258-c90f12ec05c8" to deny user $CIUser access it if it is hidden by the Set-OrgVdcAccessRightSharedToEveryone cmdlet.
.NOTES
NAME: Remove-OrgVdcAccessRights
AUTHOR: Adrian Begg
LASTEDIT: 2017-09-14
REFERENCE: http://pubs.vmware.com/vcd-820/topic/com.vmware.ICbase/PDF/vcloud_sp_api_guide_27_0.pdf p.197
#>
Param(
[Parameter(Mandatory=$True,ParameterSetName = "ByName")]
[ValidateNotNullorEmpty()] [string] $OrgName,
[Parameter(Mandatory=$True,ParameterSetName = "ByName")]
[ValidateNotNullorEmpty()] [string] $OrgVDC,
[Parameter(Mandatory=$True,ParameterSetName = "ById")]
[ValidateNotNullorEmpty()] [string] $OrgVDCId,
[Parameter(Mandatory=$True,ParameterSetName = "ByName",ValueFromPipeline=$True)]
[Parameter(Mandatory=$True,ParameterSetName = "ById",ValueFromPipeline=$True)]
[ValidateNotNullorEmpty()] [PSObject] $User
)
# Check if the server is connected and version is greater then 8.10
if(!(Test-vCloudEnvironment -Version 8.10)){
Break
}
# Check if OrgVDCId paramter has been provided or the Orgname and get the current specification
if(!([string]::IsNullOrEmpty($OrgVDCId))){
$objOrgVDCAccessControl = Get-OrgVdcAccessRights -OrgVDCId $OrgVDCId
} else {
$objOrgVDCAccessControl = Get-OrgVdcAccessRights -OrgName $OrgName -OrgVDC $OrgVDC
}
# Check if the user object provided has an access right present in the OrgVDC
if(($objOrgVDCAccessControl.AccessSettings.CIUser | ?{$_ -eq $User}) -eq $null){
Write-Warning "The User $($User.Name) currently does not have explicit rights defined on the OrgVDC $($objOrgVDCAccessControl.OrgVDC.Name); no changes have been made."
Break
} else {
# Load the current XML configuration for update
[xml]$xmlOrgVDCAccessRights = Get-OrgVdcAccessRightsXML -OrgVDCId $objOrgVDCAccessControl.OrgVDC.Id
# Find the node and remove it from the XML
[Xml.XmlElement] $xmlUserToRemove = $XMLOrgVDCAccessRights.ControlAccessParams.AccessSettings.AccessSetting | ?{$_.Subject.href -eq $User.href}
$xmlOrgVDCAccessRights.ControlAccessParams.AccessSettings.RemoveChild($xmlUserToRemove) > $nul
# Check if this is the last user in the AccessSettings ACL and remove the node if required
if($XMLOrgVDCAccessRights.ControlAccessParams.AccessSettings.AccessSetting -eq $null){
$XMLOrgVDCAccessRights.ControlAccessParams.RemoveChild($XMLOrgVDCAccessRights.ControlAccessParams.GetElementsByTagName("AccessSettings")[0]) > $nul
# If the IsSharedEveryone is set to $false; for the last user removed the "EveryoneAccessLevel" element must be provided in the API PUT
if($xmlOrgVDCAccessRights.ControlAccessParams.IsSharedToEveryone -eq "false"){
if([string]::IsNullOrEmpty($xmlOrgVDCAccessRights.ControlAccessParams.EveryoneAccessLevel)){
[Xml.XmlNode] $xmlEveryOneAccessLevel = $xmlOrgVDCAccessRights.CreateNode("element","EveryoneAccessLevel","");
$xmlEveryOneAccessLevel.InnerText = "ReadOnly"
# The Node needs to be ordered immediately after the IsSharedToEveryone Element
$xmlNodeSharedEveryone = $xmlOrgVDCAccessRights.ControlAccessParams.GetElementsByTagName("IsSharedToEveryone")[0]
$xmlOrgVDCAccessRights.ControlAccessParams.InsertAfter($xmlEveryOneAccessLevel,$xmlNodeSharedEveryone) > $nul
# Get rid of the unwanted namespace element added by .NET and return to the caller
$xmlOrgVDCAccessRights = [xml] $xmlOrgVDCAccessRights.OuterXml.Replace(" xmlns=`"`"", "")
}
}
}
# Make the update to the OrgVDC via an API call
Update-OrgVdcAccessRightsXML -OrgVDCId $objOrgVDCAccessControl.OrgVDC.Id -AccessControlData $xmlOrgVDCAccessRights
}
}
function Add-OrgVdcAccessRights(){
<#
.SYNOPSIS
Grants a vCloud User Rights to Read an Organisation Virtual Datacenter object which has been hidden from users by default.
.DESCRIPTION
This cmdlet adds a CIUser to the Access Control for an Organisation Virtual Datacenter. If the Organisation has been hidden using the Set-OrgVdcAccessRightSharedToEveryone cmdlet the users added using this cmdlet can access/view the Organisational VDC. By default an Org VDC is visible to all members of the containing organization.
.PARAMETER OrgName
The Name of the vCloud Organisation.
.PARAMETER OrgVDC
The name of the Organization Virtual Datacenter to query
.PARAMETER OrgVDCId
The vCloud Object Id for the Org VDC
.PARAMETER User
A CIUser object to add to Grant rights to View the VDC if hidden
.EXAMPLE
Add-OrgVdcAccessRights -OrgName "PigeonNuggets" -OrgVDC "Production" -User $CIUser
Sets the Access Control applied to the Org VDC "Production" in the Organisation "PigeonNuggets" to allow user $CIUser access it if it is hidden by the Set-OrgVdcAccessRightSharedToEveryone cmdlet.
.EXAMPLE
Add-OrgVdcAccessRights -OrgVDCId "urn:vcloud:vdc:0a91d569-7653-40ed-8258-c90f12ec05c8" -User $CIUser
Sets the Access Control applied to the Org VDC with the vCloud Object Id "urn:vcloud:vdc:0a91d569-7653-40ed-8258-c90f12ec05c8" to allow user $CIUser access it if it is hidden by the Set-OrgVdcAccessRightSharedToEveryone cmdlet.
.NOTES
NAME: Add-OrgVdcAccessRights
AUTHOR: Adrian Begg
LASTEDIT: 2017-09-14
REFERENCE: http://pubs.vmware.com/vcd-820/topic/com.vmware.ICbase/PDF/vcloud_sp_api_guide_27_0.pdf p.197
#>
Param(
[Parameter(Mandatory=$True,ParameterSetName = "ByName")]
[ValidateNotNullorEmpty()] [string] $OrgName,
[Parameter(Mandatory=$True,ParameterSetName = "ByName")]
[ValidateNotNullorEmpty()] [string] $OrgVDC,
[Parameter(Mandatory=$True,ParameterSetName = "ById")]
[ValidateNotNullorEmpty()] [string] $OrgVDCId,
[Parameter(Mandatory=$True,ParameterSetName = "ByName",ValueFromPipeline=$True)]
[Parameter(Mandatory=$True,ParameterSetName = "ById",ValueFromPipeline=$True)]
[ValidateNotNullorEmpty()] [PSObject] $User
)
# TO DO: Add support for External User Types
# Check if the server is connected and version is greater then 8.10
if(!(Test-vCloudEnvironment -Version 8.10)){
Break
}
# Check if OrgVDCId paramter has been provided or the Orgname and get the current specification
if(!([string]::IsNullOrEmpty($OrgVDCId))){
$objOrgVDCAccessControl = Get-OrgVdcAccessRights -OrgVDCId $OrgVDCId
} else {
$objOrgVDCAccessControl = Get-OrgVdcAccessRights -OrgName $OrgName -OrgVDC $OrgVDC
}
# Check the current status of the default AccessControl on the OrgVDC
if($objOrgVDCAccessControl.IsSharedToEveryone -eq $true){
Write-Warning "The OrgVDC provided is currently set to be visible to all users by default. The Access Rights have been changed however have no effect until the Set-OrgVdcAccessRightSharedToEveryone is run to hide the Org VDC."
}
# Check if the user currently already has rights; do nothing if they do
if(($objOrgVDCAccessControl.AccessSettings | ?{$_.CIUser -eq $User}) -ne $null){
Write-Warning "The User $User.Name currently already has been granted rights to the OrgVDC; no changes will be made."
} else {
# Load the current XML configuration for update
[xml]$xmlOrgVDCAccessRights = Get-OrgVdcAccessRightsXML -OrgVDCId $objOrgVDCAccessControl.OrgVDC.Id
# Next add a new AccessSetting node with the properties for the CIUser object under "AccessSettings"
$CIUserView = $User | Get-CIView
# Construct a new AccessSetting Node for the user object
[Xml.XmlNode] $xmlUserAccessSettingNode = $xmlOrgVDCAccessRights.CreateNode("element","AccessSetting","")
# Create the Subject of the Access Right
[Xml.XmlElement] $newAccessRightUser = $xmlOrgVDCAccessRights.CreateElement("Subject")
$newAccessRightUser.SetAttribute("href",$CIUserView.href) > $nul
$newAccessRightUser.SetAttribute("name",$CIUserView.Name) > $nul
$newAccessRightUser.SetAttribute("type",$CIUserView.Type) > $nul
# Add the Access Level to the Access Right
[Xml.XmlNode] $xmlAccessLevel = $xmlOrgVDCAccessRights.CreateNode("element","AccessLevel","");
$xmlAccessLevel.InnerText = "ReadOnly"
$xmlUserAccessSettingNode.AppendChild($newAccessRightUser) > $nul
$xmlUserAccessSettingNode.AppendChild($xmlAccessLevel) > $nul
# Now insert the AccessSetting into the AccessSettings Node; if it doesnt exist create it
if($xmlOrgVDCAccessRights.ControlAccessParams.AccessSettings -eq $null){
# Create the node "AccountSettings "and add the new user element an commit it to XML
[Xml.XmlNode] $xmlAccessSettingsNode = $xmlOrgVDCAccessRights.CreateNode("element","AccessSettings","")
$xmlAccessSettingsNode.AppendChild($xmlUserAccessSettingNode) > $nul
$xmlOrgVDCAccessRights.ControlAccessParams.AppendChild($xmlAccessSettingsNode) > $nul
} else {
# Add the node to the existing user list at the tail
$xmlOrgVDCAccessRights.ControlAccessParams.AccessSettings.AppendChild($xmlUserAccessSettingNode) > $nul
}
# Get rid of the unwanted namespace element added by .NET and return to the caller
$xmlOrgVDCAccessRights = [xml] $xmlOrgVDCAccessRights.OuterXml.Replace(" xmlns=`"`"", "")
# Make the update via an API call
Update-OrgVdcAccessRightsXML -OrgVDCId $objOrgVDCAccessControl.OrgVDC.Id -AccessControlData $xmlOrgVDCAccessRights
}
}
#endregion