Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
46 lines (32 sloc) 2.61 KB


Import pre-defined roles for common applications to access vCenter. The privileges for each role are stored in a JSON-format file as a list of privilege Ids (Get-VIPrivilege | Select Id).

Import-VIRole -Name AdminRole -Permission C:\vcenter-roles\Roles\Administrator.json -vCenter

Some pre-defined privilege sets are provided in this repo's \Roles directory, but the cmdlet accepts any valid JSON file as an argument.

If necessary, roles can be removed with Remove-VIRole when connected to the appropriate vCenter server.

Included Roles:

View the Roles directory for a list of provided roles.


If you have a role you would like to see added to this repo, please open an issue or pull request with the necessary details. You will need a number of items to describe the role:

  1. Product Description: Name of the product or use case the role is designed to be used with.
  2. Product Version: Version number of the product, or "N/A" if describing a use case.
  3. Reference URL: Link to documentation of the product or use case and its required privileges.
  4. Vendor: Name of the vendor, or "N/A" if based on a common use case.
  5. vCenter Release: Major and Minor Version of vCenter the privileges support. (e.g '6.0' or '5.5')
  6. Privileges: A list of all the VIPrivileges, by ID, not by Name.

If you do not have a list of privileges by ID, you can obtain the privilege IDs in a few ways. Launch PowerShell and connect to your vCenter server with Connect-VIServer, then use one or more of these methods:

  • Get a list of all privileges and choose the correct ones: Get-VIPrivilege | Select Name, Id
  • Manually create a user with the correct privileges in vCenter and enumerate the privilege IDs: Get-VIRole View | Get-VIPrivilege | select Name, Id
  • Obtain a list of privilege names from documentation and look up the ID: Get-VIPrivilege -Name Host | Select Name, Id

Create a new JSON file with an array of these IDs, titled after the application/use case of the role. For instance, the View role's permissions (System.Anonymous and System.View) would go in a file called Roles/View.json that looks like this:

	"product_description": "Sample View-only role",
	"product_version": "N/A"
	"reference_url": "",
	"vendor": "N/A",
	"vcenter_schema": "6.0",
	"privileges": [

You can validate your json with one of the many online tools, such as JSONLint.