PowerCLI


 assigning VM folder permissions at scale

jonebgood_157 posted Oct 17, 2024 10:34 AM

Trying to use code capture, but not sure how to expand this to numerous VM folders. Basically have a separate folder in over 100 clusters with the same name (appliances is the folder name).  #1 I need to add a new permission with an AD group with an existing role (VM.Manager) to every folder with that name and then #2 remove an existing permission on those same folders.

Code capture got this, but I see each folder has a group ID? How can I capture all the group IDs (all folders) into a .csv and then import those into the script and apply #1 and then #2?

#----------------- Start of code capture -----------------

#---------------SetEntityPermissions---------------
$entity = New-Object VMware.Vim.ManagedObjectReference
$entity.Type = 'Folder'
$entity.Value = 'group-v11541'
$permission = New-Object VMware.Vim.Permission[] (1)
$permission[0] = New-Object VMware.Vim.Permission
$permission[0].Principal = 'lab.domain\vm-admins'
$permission[0].RoleId = -609557684
$permission[0].Propagate = $true
$permission[0].Group = $true
$_this = Get-View -Id 'AuthorizationManager-AuthorizationManager'
$_this.SetEntityPermissions($entity, $permission)

#---------------RemoveEntityPermission---------------
$entity = New-Object VMware.Vim.ManagedObjectReference
$entity.Type = 'Folder'
$entity.Value = 'group-v11541'
$user = 'lab.domain\vm-testers'
$isGroup = $true
$_this = Get-View -Id 'AuthorizationManager-AuthorizationManager'
$_this.RemoveEntityPermission($entity, $user, $isGroup)


#----------------- End of code capture -----------------

LucD  Best Answer

Try something like this.
It assumes that you have a CSV with all the cluster names in a column named ClusterName, and that the Datacenter has the same name as the Cluster and only contains 1 Cluster.

Import-Csv -Path .\clusters.csv -PipelineVariable row |
Foreach-Object -Process {
   $folder = Get-Datacenter -Name $row.ClusterName | Get-Folder -Name 'Appliances'
   New-VIPermission -Entity $folder -Principal 'domain\user' -Role 'VM.Manager' -Confirm:$false
   Get-VIPermission -Entity $folder -Principal 'domain\obsoleteuser' | Remove-VIPermission -Confirm:$false
} 
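
A more defensive variant of the loop above, as an added example that is not part of LucD's post: it skips any datacenter where 'Appliances' does not resolve to exactly one VM folder, grants the new permission before removing the old one, removes the old one only if it is set directly on that folder, and writes an audit CSV that includes each folder's ID. The principals (taken from the code capture in the question), the report path and the `$dryRun` switch are assumptions for illustration, and an existing Connect-VIServer session is assumed.

```powershell
# Added example; assumes an existing Connect-VIServer session.
# Assumed inputs: clusters.csv with a ClusterName column (as in the answer above);
# principals and report path are placeholders.
$newPrincipal = 'lab.domain\vm-admins'
$oldPrincipal = 'lab.domain\vm-testers'
$role         = Get-VIRole -Name 'VM.Manager' -ErrorAction Stop
$dryRun       = $true   # set to $false to actually change permissions

$report = foreach ($row in Import-Csv -Path .\clusters.csv) {
    $result = [ordered]@{
        Datacenter = $row.ClusterName; FolderId = $null; Added = $false; Removed = $false; Note = ''
    }
    try {
        $dc = Get-Datacenter -Name $row.ClusterName -ErrorAction Stop
        # -Type VM limits the search to the VMs and Templates tree.
        $folders = @(Get-Folder -Location $dc -Name 'Appliances' -Type VM -ErrorAction Stop)
        if ($folders.Count -ne 1) {
            # Nested or duplicate names would make the target ambiguous: do not guess.
            throw "expected 1 'Appliances' folder, found $($folders.Count)"
        }
        $folder = $folders[0]
        $result.FolderId = $folder.Id   # e.g. Folder-group-v<number>

        # Grant first, so the folder is never left without the intended access.
        New-VIPermission -Entity $folder -Principal $newPrincipal -Role $role `
            -Propagate:$true -WhatIf:$dryRun -Confirm:$false -ErrorAction Stop | Out-Null
        $result.Added = -not $dryRun

        # Only touch a permission defined on this folder, not one inherited from a parent.
        $old = Get-VIPermission -Entity $folder -Principal $oldPrincipal |
            Where-Object { $_.EntityId -eq $folder.Id }
        if ($old) {
            $old | Remove-VIPermission -WhatIf:$dryRun -Confirm:$false -ErrorAction Stop
            $result.Removed = -not $dryRun
        } else {
            $result.Note = 'old permission not set on this folder'
        }
    } catch {
        # Record the failure and continue with the next datacenter.
        $result.Note = $_.Exception.Message
    }
    [pscustomobject]$result
}
$report | Export-Csv -Path .\appliances-permissions-report.csv -NoTypeInformation
```
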
LucD

Are all these folders at the first level, not nested?
So like cluster/folder, and not cluster/folder1/folder2, where folder2 is the target.

jonebgood_157

@LucD The folder is at the parent level so not a subfolder.

LucD

Can you give some more details about the folders?
I assume these are VMs & Templates folders?
They are defined on the level of a Datacenter, not a Cluster.
Does that mean there is a Datacenter per Cluster?

jonebgood_157

That is correct; each datacenter has a cluster under it and these folders are at the VM and Templates view.

jonebgood_157

Once I got my CSV correct, that is working. Thanks for the assist!