View Only
  • 1.  Get-VIPermissions only on current item

    Posted Jun 28, 2017 02:19 AM

    I am working on a larger script that includes a function to pull permissions from a datacenter. At present I am using this:


    #Get all DataCenter level Permissions

        Get-VIPermission -Entity $sDC |

            Export-Clixml $sDir\DC_Permissions.xml


    This works, but it pulls all permissions, including those set at the parent. I then have to do some massaging when I import this datacenter into another vCenter to cut those propogated items out, or do a SilentlyContinue. Just curious if there is an easy way to tell it to grab from the Datacenter only those permissions that are defined on that object. I have been reading through the Get-VIPermission documentation and Googling, but haven't stumbled across a way yet.

  • 2.  RE: Get-VIPermissions only on current item

    Posted Jun 28, 2017 04:42 AM

    The Get-VIPermission cmdlet always returns the inherited permissions as well.

    You'll have to revert to the API RetrieveEntityPermissions method to avoid getting the inherited permissions.

    Something like this for example

    $dcName = 'MyDC'

    $authMgr = Get-View AuthorizationManager

    $dc = Get-Datacenter -Name $dcName

    $inherited = $false


  • 3.  RE: Get-VIPermissions only on current item

    Posted Jun 28, 2017 08:39 PM

    Thanks for the suggestion, I was unaware of that method. This is what I am trying then:

    $dcName = 'DPI'

    Connect-VIServer -Server "myserver" -User "Administrator@LC.Local" -Password "MyPW"

    $authMgr = Get-View AuthorizationManager

    $dc = Get-Datacenter -Name $dcName

    $inherited = $false


    Disconnect-VIServer -Server "myserver" -Confirm:$false

    And am getting this error. It appears like it is looking for another parameter:

    Exception calling "RetrieveEntityPermissions" with "2" argument(s): "

    Required parameter entity is missing

    while parsing call information for method RetrieveEntityPermissions

    at line 1, column 171

    while parsing SOAP body

    at line 1, column 64

    while parsing SOAP envelope

    at line 1, column 0

    while parsing HTTP request for method retrieveEntityPermissions

    on object of type vim.AuthorizationManager

    at line 1, column 0"

    At line:10 char:1

    + $authMgr.RetrieveEntityPermissions($folder.ExtensionData.MoRef,$inherited)

    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException

        + FullyQualifiedErrorId : VimException

  • 4.  RE: Get-VIPermissions only on current item
    Best Answer

    Posted Jun 28, 2017 08:42 PM

    You will have to change line 7.

    The first parameter is the MoRef for the entity for which you want to retrieve the permissions.

    That should be


  • 5.  RE: Get-VIPermissions only on current item

    Posted Jun 29, 2017 12:52 AM

    You are awesome as usual, thanks for the help!

  • 6.  RE: Get-VIPermissions only on current item

    Posted Jun 29, 2017 12:31 PM

    Ok, so I lied. I thought I had the structure down, it works for both the datacenter and cluster level. But I cannot seem to get it to work for folder level. If I know the folder name it works, i.e.:

    ...vCenter connection

    $folder = Get-Folder MDC

    $authMgr.RetrieveEntityPermissions($folder.ExtensionData.MoRef,$inherited) |

            Export-Clixml C:\Users\Administrator\Desktop\Output.xml


    But I haven't found an elegant way to grab all the folders from the cluster, get the object-level permissions and then output to a single xml. After mucking about for a while, I came up with this:

    $folders = $dc | Get-Folder

        foreach ($item in $folders) {

            $name = Get-Folder $item.Name

            $authMgr.RetrieveEntityPermissions($name.ExtensionData.MoRef,$inherited) |

                Export-Clixml C:\Users\Administrator\Desktop\$name.xml


    It works, outputs the xml files, but I know it is horribly redundant with the double call to Get-Folder. It also produces an error for each folder, even though I get the output I desire:

    Cannot convert argument "entity", with value: "System.Object[]", for "RetrieveEntityPermissions" to type "VMware.Vim.ManagedObjectReference": "Cannot convert the

    "System.Object[]" value of type "System.Object[]" to type "VMware.Vim.ManagedObjectReference"."

    At line:20 char:9

    +         $authMgr.RetrieveEntityPermissions($name.ExtensionData.MoRef,$inherited) ...

    +         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

        + CategoryInfo          : NotSpecified: (:) [], MethodException

        + FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument

  • 7.  RE: Get-VIPermissions only on current item

    Posted Jun 29, 2017 12:59 PM

    Try like this

    $dcName = 'MDC'

    Connect-VIServer -Server "myserver" -User "Administrator@LC.Local" -Password "MyPW" 


    $authMgr = Get-View AuthorizationManager 

    $dc = Get-Datacenter -Name $dcName 

    $inherited = $false 

    $report = foreach($folder in (Get-Folder -Location $dc)){

        $authMgr.RetrieveEntityPermissions($folder.ExtensionData.MoRef,$inherited) |

        Select @{N='Folder';E={$folder.Name}},



    $report | Export-Clixml C:\Users\Administrator\Desktop\Output.xml

    Disconnect-VIServer -Server "myserver" -Confirm:$false