PowerCLI


 Help with vcenter Roles

jonebgood_157 posted Apr 02, 2025 10:18 AM

I've got this half figured out but can't quite get the "count" part. I need a list of all the roles in vCenter, including local vSphere roles, and the count of accounts in each role. For example, Administrator | 5, Read Only | 3, etc. I can do the simple part and get all the roles exported to CSV, but I'm having issues with the foreach loop for counting the number of accounts associated.

ITSavant

Most of the time you can wrap a variable in parentheses like this: ($Roles).count
If you have sample code of what you are working on, it would help to include it with your question.

jonebgood_157

@ITSavant  Here is what I had so far

# CSV output file path
$csvFilePath = "C:\temp\Roles_with_Account_Count.csv"

# Connect to vCenter
$vcenterServer = Read-Host "Enter vCenter Server name or IP address"
$username = Read-Host "Enter vCenter username"
$password = Read-Host -AsSecureString "Enter vCenter password"

try {
    Connect-VIServer -Server $vcenterServer -Credential (New-Object System.Management.Automation.PSCredential ($username, $password))
    Write-Host "Successfully connected to vCenter $($vcenterServer)." -ForegroundColor Green
}
catch {
    Write-Host "Error connecting to vCenter: $($_.Exception.Message)" -ForegroundColor Red
    exit
}

# Get all roles
$roles = Get-ViewRole -ViewType "Role"

# Create an array to store the role data
$roleData = @()

# Iterate through the roles and get the count of accounts in each role
foreach ($role in $roles) {
    $roleName = $role.Name
    $roleCount = Get-ViewPermission -ViewType "Permission" -Role $roleName | Measure-Object | Select-Object -Expand Count

    # Create a custom object for each role
    $roleObject = [PSCustomObject]@{
        RoleName = $roleName
        AccountCount = $roleCount
    }

    # Add the object to the array
    $roleData += $roleObject
}

# Disconnect from vCenter
Disconnect-VIServer -Confirm:$false
Write-Host "Disconnected from vCenter." -ForegroundColor Gray

# Export the data to a CSV file
$roleData | Export-Csv -Path $csvFilePath -NoTypeInformation


Write-Host "Exporting Role Complete from $vcenterServer. Results saved to: $csvFilePath" -ForegroundColor Yellow

ITSavant
First, you have to understand how vCenter perms work.
They start with Privileges, very granular checkboxes, like "power On Vm" type activities.
Then you roll a bunch of those Privileges together into a PrivilegeList and call that a role.
Next you need 2 more things: an account (called a Principal) and a vCenter object (VIObject) like a VM or cluster, or whatever, and you grant a Permission by creating an association of the Role, the Account, and the VIObject.
So a Permission is really more of a query for the association.
 
I hope this helps to understand why your script is, in part, approaching this incorrectly. Accounts are not a sub of a role, they are an association with a role.
Secondly, you are trying to call cmdlets or functions that I don't think exist, like "Get-ViewRole" & "Get-ViewPermission".
You have to use cmdlets and/or functions that exist and are available to PowerShell.


# CSV output file path
$csvFilePath = "C:\temp\Roles_with_Account_Count.csv"
 
# Connect to vCenter
$vcenterServer = Read-Host "Enter vCenter Server name or IP address"
$username = Read-Host "Enter vCenter username"
$password = Read-Host -AsSecureString "Enter vCenter password"
 
try {
    # -ErrorAction Stop makes a failed login terminating so the catch block runs
    Connect-VIServer -Server $vcenterServer -Credential (New-Object System.Management.Automation.PSCredential ($username, $password)) -ErrorAction Stop
    Write-Host "Successfully connected to vCenter $($vcenterServer)." -ForegroundColor Green
}
catch {
    Write-Host "Error connecting to vCenter: $($_.Exception.Message)" -ForegroundColor Red
    exit
}


# Retrieve every permission and every role once
$VIPermissions = Get-VIPermission -Server $vcenterServer
$VIRoles = Get-VIRole -Server $vcenterServer | Sort-Object Name
 
# Create an array to store the role data
$roleData = @()

ForEach($VIRole in $VIRoles){
    $roleData += [PSCustomObject]@{
        Role = $VIRole.Name
        # @() forces an array so .Count is reliable for zero or one match
        AccountCount = @($VIPermissions | Where-Object {$_.Role -eq $VIRole.Name}).Count
    }
}


# Disconnect from vCenter
Disconnect-VIServer -Confirm:$false
Write-Host "Disconnected from vCenter." -ForegroundColor Gray
 
# Export the data to a CSV file
$roleData | Export-Csv -Path $csvFilePath -NoTypeInformation
 
 
Write-Host "Exporting Role Complete from $vcenterServer. Results saved to: $csvFilePath" -ForegroundColor Yellow
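
An added example, not part of either post: because a Permission associates a role, a principal and an object, the same account can appear under one role several times, so this function reports permissions, distinct principals and groups per role as separate columns. The function name Get-RoleAssignmentSummary and the sample rows are constructed for illustration; a group counts as one principal and its members are not expanded.

```powershell
# Added example. Accepts any objects exposing Role, Principal and IsGroup
# (the properties Get-VIPermission returns), so it also runs on sample data.
function Get-RoleAssignmentSummary {
    param(
        [Parameter(Mandatory)] [string[]] $RoleName,
        [object[]] $Permission = @()
    )
    # Index permissions by role once instead of re-filtering for every role
    $byRole = @{}
    foreach ($p in $Permission) {
        if (-not $byRole.ContainsKey($p.Role)) {
            $byRole[$p.Role] = [System.Collections.Generic.List[object]]::new()
        }
        $byRole[$p.Role].Add($p)
    }
    foreach ($name in ($RoleName | Sort-Object)) {
        $perms = @()
        if ($byRole.ContainsKey($name)) { $perms = @($byRole[$name]) }
        # One row per distinct principal, however many objects it is granted on
        $principals = @($perms | Sort-Object -Property Principal -Unique)
        [PSCustomObject]@{
            Role            = $name
            PermissionCount = $perms.Count
            PrincipalCount  = $principals.Count
            GroupCount      = @($principals | Where-Object { $_.IsGroup }).Count
        }
    }
}

# Constructed sample rows (not from a real vCenter)
$sample = @(
    [PSCustomObject]@{ Role = 'Admin';    Principal = 'EXAMPLE\alice';     IsGroup = $false; Entity = 'Datacenters' }
    [PSCustomObject]@{ Role = 'Admin';    Principal = 'EXAMPLE\alice';     IsGroup = $false; Entity = 'Cluster01' }
    [PSCustomObject]@{ Role = 'Admin';    Principal = 'EXAMPLE\vc-admins'; IsGroup = $true;  Entity = 'Datacenters' }
    [PSCustomObject]@{ Role = 'ReadOnly'; Principal = 'EXAMPLE\bob';       IsGroup = $false; Entity = 'VM01' }
)
Get-RoleAssignmentSummary -RoleName 'Admin', 'ReadOnly', 'NoAccess' -Permission $sample |
    Format-Table -AutoSize

# Against a live connection (after Connect-VIServer):
# Get-RoleAssignmentSummary -RoleName (Get-VIRole).Name -Permission (Get-VIPermission)
```

For an access review, roles where PermissionCount exceeds PrincipalCount point to the same principal being granted the role on several objects, and a nonzero GroupCount means the real number of accounts depends on group membership in the identity source.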