Set up roles for common applications to access vCenter
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
Legacy
Roles
Import-VIRole.ps1
LICENSE.md
README.md

README.md

vCenter-roles

Import pre-defined roles for common applications to access vCenter. The privileges for each role are stored in a JSON-format file as a list of privilege Ids (Get-VIPrivilege | Select Id).

Import-VIRole -Name AdminRole -Permission C:\vcenter-roles\Roles\Administrator.json -vCenter vcenter.example.com

Some pre-defined privilege sets are provided in this repo's \Roles directory, but the cmdlet accepts any valid JSON file as an argument.

If necessary, roles can be removed with Remove-VIRole when connected to the appropriate vCenter server.

Included Roles:

View the Roles directory for a list of provided roles.

Contributing:

If you have a role you would like to see added to this repo, please open an issue or pull request with the necessary details. You will need a number of items to describe the role:

  1. Product Description: Name of the product or use case the role is designed to be used with.
  2. Product Version: Version number of the product, or "N/A" if describing a use case.
  3. Reference URL: Link to documentation of the product or use case and its required privileges.
  4. Vendor: Name of the vendor, or "N/A" if based on a common use case.
  5. vCenter Release: Major and Minor Version of vCenter the privileges support. (e.g '6.0' or '5.5')
  6. Privileges: A list of all the VIPrivileges, by ID, not by Name.

If you do not have a list of privileges by ID, you can obtain the privilege IDs in a few ways. Launch PowerShell and connect to your vCenter server with Connect-VIServer, then use one or more of these methods:

  • Get a list of all privileges and choose the correct ones: Get-VIPrivilege | Select Name, Id
  • Manually create a user with the correct privileges in vCenter and enumerate the privilege IDs: Get-VIRole View | Get-VIPrivilege | select Name, Id
  • Obtain a list of privilege names from documentation and look up the ID: Get-VIPrivilege -Name Host | Select Name, Id

Create a new JSON file with an array of these IDs, titled after the application/use case of the role. For instance, the View role's permissions (System.Anonymous and System.View) would go in a file called Roles/View.json that looks like this:

{
	"product_description": "Sample View-only role",
	"product_version": "N/A"
	"reference_url": "https://example.com/sample_view-only_role.html",
	"vendor": "N/A",
	"vcenter_schema": "6.0",
	"privileges": [
		"System.Anonymous",
		"System.View"
	]
}

You can validate your json with one of the many online tools, such as JSONLint.