 How to create a new SSO Domain user (vsphere.local) account and grant it permissions

dbutch1976 posted Nov 22, 2024 01:20 PM

Hello,

I have a great script which identifies all orphaned files within my environment (thanks LucD) and I want to run it on many vCenters using a minimal set of permissions. The script only requires read-only + datastore browse. I can't seem to find instructions on how to create a new user within the SSO domain (vsphere.local); everything I've found seems to create local user accounts on the vCenter appliance itself, which is not what I'm trying to do. If I can get the user account created, granting the account permissions I have already figured out:

#Step2
#Create a new role with only read-only and DS browse
#($viserver is assumed to hold an existing Connect-VIServer session; System.Read/View are implicit in every role)
New-VIRole -Name 'RO+DSBrowse' -Privilege "Browse datastore" -Server $viserver

#Step3
#Assign permissions at the vCenter level and propagate (New-VIPermission propagates by default)
New-VIPermission -Role 'RO+DSBrowse' -Principal "ROReports" -Entity (Get-Folder "Datacenters" -Type Datacenter -Server $viserver | Where { $_.ParentId -eq $null }) -Server $viserver

I'm only missing step#1, which would be creating an account called "ROReports" in the vsphere.local domain. Any help?

LucD

You can use the VMware.vSphere.SsoAdmin module.

Something like this

#requires -Modules 'VMware.vSphere.SsoAdmin'

# New SSO user details (placeholder values)
$userName = 'ROReports'
$pswd = 'VMware1!'
$desc = 'Account'
$email = 'user@domain'

# SSO admin account & VCSA (placeholder values)
$vcsa = 'vcsa.mydomain'
$ssoUser = 'administrator@vsphere.local'
$ssoPswd = 'VMware1!'

# Keep the connection object; Disconnect-SsoAdminServer expects it, not the host name
$ssoSrv = Connect-SsoAdminServer -Server $vcsa -User $ssoUser -Password $ssoPswd -SkipCertificateCheck

New-SsoPersonUser -UserName $userName -Password $pswd -Description $desc -EmailAddress $email -Server $ssoSrv

Disconnect-SsoAdminServer -Server $ssoSrv


dbutch1976

That worked, thanks LucD:

#INSTALL ssoadmin (if not already installed)
#Find-Module -Name VMware.vSphere.SsoAdmin | Install-Module -Scope CurrentUser
#New SSO user details
$userName = 'ROReports'
$pswd = 'New4You@2024'   # initial password for the new account
$desc = 'Report only plus DS browse for Reports'
$email = 'ROReports@vsphere.local'
# SSO admin account & VCSA
$vcsa = 'vcneo.lebrine.local'
($cred = Get-Credential)
#Create the local vsphere.local SSO account (keep the connection object for the disconnect)
$ssoSrv = Connect-SsoAdminServer -Server $vcsa -Credential $cred -SkipCertificateCheck
New-SsoPersonUser -UserName $userName -Password $pswd -Description $desc -EmailAddress $email -Server $ssoSrv
Disconnect-SsoAdminServer -Server $ssoSrv
#Connect to the vCenter and apply
$viserver = Connect-VIServer -Server $vcsa -Credential $cred
#Create the vcenter role
New-VIRole -Name 'RO+DSBrowse' -Privilege "Browse datastore" -Server $viserver
#Modify the existing role to add/remove privileges (if required)
#Set-VIRole -Role 'RO+DSBrowse' -AddPrivilege (Get-VIPrivilege -Name "Browse datastore") -Server $viserver
#Remove-VIRole -Role 'RO+DSBrowse' -Force -Confirm:$false -Server $viserver
#Assign permissions at the vCenter level and propagate
New-VIPermission -Role 'RO+DSBrowse' -Principal "VSPHERE.LOCAL\$userName" -Entity (Get-Folder "Datacenters" -Type Datacenter -Server $viserver | Where { $_.ParentId -eq $null }) -Server $viserver
Disconnect-VIServer -Server $viserver -Force -Confirm:$false
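An added verification step, not part of either poster's script: after the account, role and permission are in place, confirm that the vsphere.local user exists, that the role carries nothing beyond the intended privileges, and that the principal holds no other permissions. It assumes the $vcsa and $cred variables from the script above and the same SsoAdmin and PowerCLI cmdlets.

```powershell
# Least-privilege check for the ROReports account (added example, assumes $vcsa and $cred are set)
$userName = 'ROReports'
$roleName = 'RO+DSBrowse'
# System.* privileges are implicit in every vCenter role; Datastore.Browse is the one the script adds
$expected = @('System.Anonymous', 'System.Read', 'System.View', 'Datastore.Browse')

# 1. Does the SSO account exist in the vsphere.local domain?
$ssoSrv = Connect-SsoAdminServer -Server $vcsa -Credential $cred -SkipCertificateCheck
$acct = Get-SsoPersonUser -Name $userName -Domain 'vsphere.local' -Server $ssoSrv
if (-not $acct) { Write-Warning "SSO user $userName not found in vsphere.local" }
Disconnect-SsoAdminServer -Server $ssoSrv

# 2. Does the role carry only the expected privileges?
$viserver = Connect-VIServer -Server $vcsa -Credential $cred
$role = Get-VIRole -Name $roleName -Server $viserver
$extra = $role.PrivilegeList | Where-Object { $_ -notin $expected }
if ($extra) { Write-Warning "Role $roleName has unexpected privileges: $($extra -join ', ')" }

# 3. Where is the principal granted, with which role, and does it propagate?
$perms = Get-VIPermission -Principal "VSPHERE.LOCAL\$userName" -Server $viserver
foreach ($p in $perms) {
    '{0,-25} {1,-15} Propagate={2}' -f $p.Entity.Name, $p.Role, $p.Propagate
}
$wrongRole = $perms | Where-Object { $_.Role -ne $roleName }
if ($wrongRole) { Write-Warning "Principal $userName holds permissions outside $roleName" }
Disconnect-VIServer -Server $viserver -Force -Confirm:$false
```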