As part of our VMware 6.7 to 7.0 Upgrade we wanted to audit the existing vCenter server permission. We have a lot of contractors who come in to do work and users who have had permission assigned but these permission are not always removed.
We wanted to get a report that export each of the permission assigned in vCenter.
I could do this manually but this would take a while and is not that easily repeatable so I decided to create a quick script that will export the required information.
The script will be calling two command (Get-VIPermission to export permission and Get-VIRole to export the assigned privileges) and then formation the results.
The script also has some mandatory variables (one for the vCenter server and one for the export path) and there is some error handling incase there is no connection to vCenter server or the export folder doesn’t exist.
There are three type of object in VMware permissions.
- Privilege: Allow specific actions (create, delete, manage.. ) or rights to view specific properties
- Role : A set of privileges assigned to an object to allow assignment
- Permission: Is either a set of a users or groups that have been assigned to a role
If we run Get-ViPermission on we will see all permission returned.
We can select one specific permission by using -principal and expand using format-list. This gives a bit more information but we are missing the assigned privilege’s.
This is where we use Get-VIRole as this has a property that shows privileges that have been assigned to the role.
Below is an example of the script running.
.\VMware_Permissions_Audit.ps1 -VCServer lab-vc.thesleepyadmin.local -ReportExport .\
Once completed the csv file should be exported with the vCenter server name.
Below is what the csv export should look like.
Below is an example of the error handling when connection to vCenter.
The full script can be downloaded from the below link to my GitHub.