PowerCLI

  • 1.  Standard vswitch port group permission management with PowerCLI

    Posted Nov 28, 2013 03:22 PM

    Hello All,

    I have many port groups on standard and also on distributed switches on ESX 5.0.

    I'd like to know if there is a way to manipulate permissions on those port groups with PowerCLI.

    Is there a way or can you help me automate this work?

    Thank you!



  • 2.  RE: Standard vswitch port group permission management with PowerCLI
    Best Answer

    Posted Nov 28, 2013 07:12 PM

    The easy ones are the portgroups on dvSwitches.

    As an example

    $user = Get-VIAccount -Name "domain\lucd"
    $role = Get-VIRole -Name NetworkAdmin
    $dvPg = Get-VDPortgroup -Name "dvPortgroup"
    New-VIPermission -Principal $user -Role $role -Entity $dvPg

    The regular portgroups require the use of the API.

    For example

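    # Role to grant (same role as in the dvSwitch example above)
    $role = Get-VIRole -Name NetworkAdmin
    $pgName = "VM Network"
    $pg = Get-VirtualPortGroup -Name $pgName | Select -First 1
    # Find the Network object behind the portgroup via the ESXi host's Network property
    $net = Get-View (Get-View $pg.VMHostId).Network | where {$_.Name -eq $pgName}
    $authMgr = Get-View AuthorizationManager
    $perm = New-Object VMware.Vim.Permission
    $perm.Principal = "domain\lucd"
    $perm.RoleId = $role.Id
    $perm.Propagate = $true
    # $false: the principal is a user, not a group
    $perm.Group = $false
    $authMgr.SetEntityPermissions($net.moref,$perm)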

    Since the Get-VirtualPortgroup cmdlet doesn't give you direct access to the corresponding Network object, you will have to find it via the ESXi network property.



  • 3.  RE: Standard vswitch port group permission management with PowerCLI

    Posted Nov 29, 2013 09:09 AM

    Thank you very much for the excellent answer!

    However when I set it up to read port groups from a file and add permissions to a group rather than to a user it gives an error message like this:

    Exception calling "SetEntityPermissions" with "2" argument(s): "The user or group named 'DOMAIN\VM-Admins' does not exist."

    This group definitely exists as this command gives it back:

    PowerCLI C:\Users\Desktop> Get-VIAccount -Group "DOMAIN\vm-admins"

    Id                             Domain               Description
    --                             ------               -----------
    VM-Admins                      DOMAIN

    I found out by trial and error that I need to set $perm.Group = $false to true and now everything is fine. I have to dive deeper into this :)

    Thank you again for the answer!



  • 4.  RE: Standard vswitch port group permission management with PowerCLI

    Posted Nov 29, 2013 09:11 AM

    Sorry about that, I should have included an example with a group.

    But I'm glad you found the solution :)
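
The user-versus-group case from posts 2 and 3, as an added example that is not code from any poster in this thread: it sets the `Group` flag from the caller's input, checks that the principal resolves as that kind before changing anything, and reads the permission back afterwards. The function name `Set-StdPortGroupPermission`, its parameters and the file `portgroups.txt` are hypothetical, and an existing `Connect-VIServer` session is assumed.

```powershell
# Added example; assumes an active Connect-VIServer session.
# Function name and parameters are hypothetical, not a PowerCLI cmdlet.
function Set-StdPortGroupPermission {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$PortGroupName,
        [Parameter(Mandatory)][string]$Principal,   # e.g. 'DOMAIN\VM-Admins'
        [Parameter(Mandatory)][string]$RoleName,    # e.g. 'NetworkAdmin'
        [switch]$IsGroup,                           # set when $Principal is a group
        [switch]$Propagate                          # off unless asked for
    )
    begin {
        $role = Get-VIRole -Name $RoleName -ErrorAction Stop
        # Resolve the principal as the declared kind before changing anything,
        # so a user/group mix-up fails here and not inside SetEntityPermissions.
        $kind  = if ($IsGroup) { 'group' } else { 'user' }
        $found = Get-VIAccount -Group:$IsGroup -User:(-not $IsGroup) $Principal `
                     -ErrorAction SilentlyContinue
        if (-not $found) { throw "No $kind named '$Principal' was found." }
        $authMgr = Get-View AuthorizationManager
    }
    process {
        $pg = Get-VirtualPortGroup -Name $PortGroupName -Standard -ErrorAction SilentlyContinue |
              Select-Object -First 1
        if (-not $pg) { Write-Warning "Port group '$PortGroupName' not found"; return }
        # Standard port groups: reach the Network object through the host view.
        $net = Get-View (Get-View $pg.VMHostId).Network |
               Where-Object { $_.Name -eq $PortGroupName }
        $perm = New-Object VMware.Vim.Permission
        $perm.Principal = $Principal
        $perm.RoleId    = $role.Id
        $perm.Group     = [bool]$IsGroup
        $perm.Propagate = [bool]$Propagate
        if ($PSCmdlet.ShouldProcess($PortGroupName, "Grant '$RoleName' to '$Principal'")) {
            $authMgr.SetEntityPermissions($net.MoRef, @($perm))
        }
        # Read back what is set directly on the object (inherited = $false).
        $authMgr.RetrieveEntityPermissions($net.MoRef, $false) |
            Where-Object { $_.Principal -eq $Principal } |
            Select-Object @{N='PortGroup';E={$PortGroupName}}, Principal, Group, RoleId, Propagate
    }
}
# Usage (portgroups.txt is a hypothetical file, one port group name per line):
# Get-Content .\portgroups.txt |
#     Set-StdPortGroupPermission -Principal 'DOMAIN\VM-Admins' -RoleName NetworkAdmin -IsGroup -WhatIf
```

Running with `-WhatIf` first lists the port groups that would be changed without writing any permission; the read-back rows then show only what is already set.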