Automation

  • 1.  Updating privileges on existing roles

    Posted Sep 02, 2022 01:43 PM
    I'm running the following script to add a few new vSphere 7 privileges to our existing roles. 
     

    Set-VIRole -Role "vCenter - VM Deployment" -AddPrivilege (
    Get-VIPrivilege -Id @(
    "ContentLibrary.CheckInTemplate",
    "ContentLibrary.CheckOutTemplate",
    "ContentLibrary.AddCertToTrustStore",
    "ContentLibrary.DeleteCertFromTrustStore",
    "ContentLibrary.ManageClusterRegistryResource",
    "ContentLibrary.ManageRegistry",
    "ContentLibrary.ManageRegistryProject",
    "InventoryService.Tagging.ObjectAttachable",
    "VirtualMachine.Interact.SuspendToMemory",
    "VirtualMachineClasses.Manage"
    )
    )

    The script executes but only returns a False value and does not update the role. 

    Name             IsSystem
    ----             --------
    vCenter - VM...  False

    After hours of online searching I thought I'd post here, hopefully for suggestions on what I may be missing. I'd update these values manually but need to update 10+ roles on over 70 vCenters. 

    Thanks! 



  • 2.  RE: Updating privileges on existing roles

    Posted Sep 02, 2022 02:07 PM

    Are you sure the account you use to run that code has the privilege to modify Roles and their Privileges?
    It is the Permissions/Modify Privilege privilege.

    When that is not the case, the cmdlet completes with the same output, but nothing will be changed.

    Update: when I run that code with a user that has the required privilege, the privileges of the role are changed.



  • 3.  RE: Updating privileges on existing roles

    Posted Sep 05, 2022 03:51 AM

    I have double checked the account in use and also tried executing the script with the local administrator account. So, the script worked for you? I thought it should but still no luck for me. I've updated PowerCLI to the latest build. vCenter I'm testing on is vCenter Server 7.0 Update 3g (7.0.3.00800). These same accounts are able to modify the listed privileges manually via the vCenter GUI. 

    Thank you for the reply. I'll continue my testing after the holiday. 



  • 4.  RE: Updating privileges on existing roles

    Posted Sep 06, 2022 03:23 PM

    I've tested again using both my admin account and the vCenter local admin and the code is still unsuccessful. The same results are returned when using either privilege ID or Name. 

    PS C:\Scripts\VMware\vCenterRoles> Set-VIRole -Role "vCenter - Level 2 - Backup" -AddPrivilege (
    Get-VIPrivilege -Name @(
    "Disable or enable alarm on entity"
    )
    )

    Name IsSystem
    ---- --------
    vCenter - Level 2 - Ba... False

     

    PS C:\Scripts\VMware\vCenterRoles> Set-VIRole -Role "vCenter - Level 2 - Backup" -AddPrivilege (
    Get-VIPrivilege -Id @(
    "Alarm.ToggleEnableOnEntity"
    )
    )

    Name IsSystem
    ---- --------
    vCenter - Level 2 - Ba... False



  • 5.  RE: Updating privileges on existing roles

    Posted Sep 06, 2022 03:43 PM

    As an additional test can you create a new Role, with no privileges?
    And then run your code against that Role.



  • 6.  RE: Updating privileges on existing roles

    Posted Sep 06, 2022 05:25 PM

    Was worth a try but still seeing the same results. 

    PS C:\Scripts\VMware\vCenterRoles> Set-VIRole -Role 'Test' -AddPrivilege (
    Get-VIPrivilege -Id @(
    'Alarm.ToggleEnableOnEntity'
    )
    )

    Name IsSystem
    ---- --------
    Test False

    I've opened a support case. Maybe there is a PowerCLI conflict. I'll post any resolution. 



  • 7.  RE: Updating privileges on existing roles
    Best Answer

    Posted Sep 06, 2022 05:44 PM

    You mentioned earlier that you receive a False on the Set-VIRole cmdlet.
    If you mean the $false in the output of the cmdlet, that is just an indication that the Role is not a System Role.
    In fact those System Roles are predefined and you can't change them.

    Did you check the actual privileges after the Set-VIRole cmdlet?

    Get-VIRole -Name Test |
    Select -ExpandProperty PrivilegeList


  • 8.  RE: Updating privileges on existing roles

    Posted Sep 07, 2022 03:16 AM

    Thanks, you successfully interrupted my ignorance. The False output had me thrown. Turns out the script, as originally written, works correctly. The vCenter v7 GUI does not update the privilege list until you fully log out and back into the vCenter. Refreshing the role, even refreshing the browser, does not update the GUI. Thanks for the second pair of eyes!
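
The resolution above (read the role back with Get-VIRole instead of trusting the IsSystem column or the GUI) can be folded into the update itself when many roles and vCenters are involved. This is an added example, not code posted by anyone in the thread; `Add-RolePrivilegeVerified` is a hypothetical helper name, and it assumes PowerCLI is loaded and a connection from Connect-VIServer is passed in as `-Server`.

```powershell
# Added example (not from the thread). Add-RolePrivilegeVerified is a hypothetical
# helper; it assumes VMware PowerCLI and an open Connect-VIServer session.
function Add-RolePrivilegeVerified {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $RoleName,
        [Parameter(Mandatory)] [string[]] $PrivilegeId,
        [Parameter(Mandatory)]            $Server
    )

    # Privilege IDs held by the role before the change.
    $role   = Get-VIRole -Name $RoleName -Server $Server -ErrorAction Stop
    $before = @($role.PrivilegeList)

    # Resolve the requested IDs; an ID this vCenter does not know is reported
    # in the result instead of aborting the whole update.
    $resolved = @(Get-VIPrivilege -Id $PrivilegeId -Server $Server -ErrorAction SilentlyContinue)
    $unknown  = @($PrivilegeId | Where-Object { $_ -notin $resolved.Id })

    $toAdd = @($resolved | Where-Object { $_.Id -notin $before })
    if ($toAdd.Count -gt 0) {
        # The Name/IsSystem table this cmdlet prints is the role object, not a
        # success flag, so its output is discarded here.
        Set-VIRole -Role $role -AddPrivilege $toAdd -Confirm:$false | Out-Null
    }

    # Read the role back from the server and compare against the request.
    $after = @((Get-VIRole -Name $RoleName -Server $Server).PrivilegeList)

    [pscustomobject]@{
        Server         = "$Server"
        Role           = $RoleName
        Added          = @($toAdd.Id    | Where-Object { $_ -in $after })
        AlreadyPresent = @($resolved.Id | Where-Object { $_ -in $before })
        NotApplied     = @($resolved.Id | Where-Object { $_ -notin $after })
        UnknownId      = $unknown
    }
}

# Usage sketch; the server name is a constructed placeholder:
#   $vc = Connect-VIServer -Server 'vcenter01.example.test'
#   Add-RolePrivilegeVerified -Server $vc -RoleName 'Test' `
#       -PrivilegeId 'Alarm.ToggleEnableOnEntity' | Format-List
```

A non-empty `NotApplied` is what the missing Permissions/Modify Privilege case from reply 2 would look like, and the returned objects can be collected across all vCenters and exported as a record of what changed on each role.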