  • 1.  Block or Restricting execution of PowerCLI commands or Scripts

    Posted Jul 07, 2015 02:47 AM

    Hi All,

    I can't seem to find a way of doing this and it may turn out not to be possible. But I have some ops guys with vSphere client access to our vSphere 5.5 environment and some of them like to tinker with PowerCLI which we would like to restrict.


    Reason being they have the ability to cause some serious damage if the wrong script is executed. I do trust my guys, but it's not a matter of trust, it's a matter of defined access control. They do need the level of access they have now to administer the environment, but the ability to make mass changes via a script needs to go through an approval process. We just had a script run to unmount all ISO/CDROMs for all VMs, and due to the nature of how Linux OS locks the media it crashed the server.


    So what I'm asking is: is there any way to allow vSphere access but deny or restrict access to run commands via any other means like PowerCLI?



  • 2.  RE: Block or Restricting execution of PowerCLI commands or Scripts

    Posted Jul 07, 2015 05:02 AM

    If I understand this correctly, you want a user to have different roles, depending on the type of access (web client/PowerCLI)?



  • 3.  RE: Block or Restricting execution of PowerCLI commands or Scripts

    Posted Jul 07, 2015 05:15 AM

    Hi Luc,

    Yes, just because a user has permissions to vSphere via the Windows client or web client doesn't mean they should be able to run commands via PowerCLI. Is there any way to lock down PowerCLI access to specific users?



  • 4.  RE: Block or Restricting execution of PowerCLI commands or Scripts

    Posted Jul 07, 2015 06:01 AM

    I'm afraid that there is no way to limit (afaik) the vCenter access based on the application used to access it (web client/PowerCLI...).

    All these use the same vSphere API under the covers.



  • 5.  RE: Block or Restricting execution of PowerCLI commands or Scripts

    Posted Jul 07, 2015 06:30 AM

    Hi Luc,

    Thanks for the info, I figured this would be the case. Let me ask you this then: is there any way to audit how tasks were performed, i.e. is it possible to know if it was done via vSphere client or PowerCLI? In this case we already suspected PowerCLI was used, as the tasks were 5 seconds apart by the same user, which would be extremely difficult to do via the client.



  • 6.  RE: Block or Restricting execution of PowerCLI commands or Scripts

    Posted Jul 07, 2015 06:50 AM

    Not at the moment afaik, but in the PowerShell v5 preview some new features were introduced that will allow tracking (see for example More New Stuff in PowerShell V5: Extra PowerShell Auditing).
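
The timing heuristic from post 5 (many tasks by the same user a few seconds apart), written out as an added example that is not part of the original thread. The function name `Find-ScriptedBurst`, its thresholds and the sample accounts are assumptions made for illustration; the only event properties it relies on are `UserName` and `CreatedTime`, which vCenter events returned by `Get-VIEvent` carry.

```powershell
# Added example: flag runs of events by one user that are spaced too closely
# to be manual clicks in a client. Thresholds are assumptions; tune them.
function Find-ScriptedBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # objects with UserName and CreatedTime
        [int] $MaxGapSeconds = 10,  # assumed: largest gap that still belongs to one burst
        [int] $MinBurstSize  = 5    # assumed: events needed before a burst is reported
    )

    # Skip system-generated events that have no user attached.
    $userEvents = $Events | Where-Object { $_.UserName }

    foreach ($group in ($userEvents | Group-Object -Property UserName)) {
        $sorted = @($group.Group | Sort-Object -Property CreatedTime)
        $burst  = @($sorted[0])

        for ($i = 1; $i -le $sorted.Count; $i++) {
            $inBurst = ($i -lt $sorted.Count) -and
                (($sorted[$i].CreatedTime - $sorted[$i - 1].CreatedTime).TotalSeconds -le $MaxGapSeconds)
            if ($inBurst) { $burst += $sorted[$i]; continue }

            # Burst ended (gap too large or end of list): report it if big enough.
            if ($burst.Count -ge $MinBurstSize) {
                [pscustomobject]@{
                    UserName = $group.Name
                    Start    = $burst[0].CreatedTime
                    End      = $burst[-1].CreatedTime
                    Count    = $burst.Count
                }
            }
            if ($i -lt $sorted.Count) { $burst = @($sorted[$i]) }
        }
    }
}

# Constructed sample data. In a live PowerCLI session the input would instead be
# vCenter events, e.g. Get-VIEvent -Start (Get-Date).AddDays(-1) -MaxSamples 10000
$t0 = Get-Date '2015-07-06T14:00:00'
$sample = @(
    0, 5, 10, 15, 20, 25 | ForEach-Object {
        [pscustomobject]@{ UserName = 'DOMAIN\opsuser1'; CreatedTime = $t0.AddSeconds($_) }
    }
    0, 240, 900 | ForEach-Object {
        [pscustomobject]@{ UserName = 'DOMAIN\opsuser2'; CreatedTime = $t0.AddSeconds($_) }
    }
)
Find-ScriptedBurst -Events $sample | Format-Table -AutoSize
```

On the constructed data only `DOMAIN\opsuser1` is reported (six events, five seconds apart). A burst shows that the changes were automated, not which client issued them, since all clients go through the same vSphere API.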