vCenter 6 creating global roles with PowerCLI
While in the middle of migrating from a vCenter 5.1 environment to a vCenter 6.x environment, I wanted to use Global Roles so I don't have to set the roles per vCenter anymore.
So how do I create those global roles?
Well, the important thing is to connect to your vCenter (Connect-VIServer) using the administrator@vsphere.local user (or your SSO user if you configured a different one).
Because you log in with the SSO user, you can create the global roles by just using the New-VIRole command.
Example:
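The following is an added example, not code from the original post: it connects as the SSO administrator and creates (or tops up) a single global role with a small, explicit privilege set, then lists what the role ends up with so the result can be checked against the intent. The vCenter name, the role name and the three privilege ids are placeholders chosen for illustration; the Logwrite function from the post is not used here.

```powershell
# Added example (not code from the original post): create one global role on a
# vCenter 6.x instance while connected as the SSO administrator. The vCenter
# name, role name and chosen privileges are placeholders for illustration.

$VCenter  = 'vcenter1.example.local'   # placeholder vCenter FQDN
$RoleName = 'VM-PowerOperator'         # placeholder role name

# Privilege ids as listed by Get-VIPrivilege; keep the set as small as the job needs
$PrivilegeIds = @(
    'VirtualMachine.Interact.PowerOn'
    'VirtualMachine.Interact.PowerOff'
    'VirtualMachine.Interact.Reset'
)

# Connecting with administrator@vsphere.local (or your own SSO admin account)
# is what makes the role global instead of local to this vCenter
$Cred   = Get-Credential -UserName 'administrator@vsphere.local' -Message 'SSO administrator'
$Server = Connect-VIServer -Server $VCenter -Credential $Cred

# Resolve the privileges on this server first: an unknown id fails here,
# before any role is created or changed
$Privileges = Get-VIPrivilege -Id $PrivilegeIds -Server $Server

$Role = Get-VIRole -Name $RoleName -Server $Server -ErrorAction SilentlyContinue
if (-not $Role) {
    $Role = New-VIRole -Name $RoleName -Privilege $Privileges -Server $Server
    Write-Host "Created role $RoleName on $VCenter"
}
else {
    # Existing role: add only what is missing and never remove anything silently
    $Current = @(Get-VIPrivilege -Role $Role | ForEach-Object { $_.Id })
    $Missing = @($Privileges | Where-Object { $Current -notcontains $_.Id })
    if ($Missing.Count -gt 0) {
        $Role = Set-VIRole -Role $Role -AddPrivilege $Missing
        Write-Host "Added $($Missing.Count) privilege(s) to $RoleName"
    }
}

# Show what the role ends up with so the result can be checked against the intent
Get-VIPrivilege -Role $Role | Select-Object Id, Name | Sort-Object Id
```

Resolving the privileges with Get-VIPrivilege -Id before calling New-VIRole means a typo in a privilege id stops the script before anything is created, and re-running the script against an existing role only adds what is missing.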
With the function below I tried to create a simple function with the parameters -From and -To that recreates the roles from vCenter1 on vCenter2.
I make use of the Logwrite function I posted earlier to spam some messages on screen and to a text file.
Before:
– I expect you to be connected to both vCenters using the Connect-VIServer cmdlet.
function Migrate-VIrole {
<#
.SYNOPSIS
    Migrates the non-system vCenter roles from one vCenter to another
.DESCRIPTION
    Creates every non-system role of the -From vCenter on the -To vCenter when it
    is missing there, and then adds every privilege the target role still lacks.
    Privileges are only ever added to the target, never removed.
.PARAMETER From
    This is the vCenter to read the roles from
.PARAMETER To
    This is the vCenter to create the roles on
.EXAMPLE
    PS C:\> Migrate-VIRole -From vCenter1 -To vCenter2
.INPUTS
    System.String
.OUTPUTS
    System.String
#>
    [CmdletBinding()]
    [OutputType([System.String])]
    param(
        [Parameter(Position=1, Mandatory=$true)]
        [ValidateNotNull()]
        [System.String]
        $From,

        [Parameter(Position=2, Mandatory=$true)]
        [ValidateNotNull()]
        [System.String]
        $To
    )

    try {
        # Grabbing the non-system roles of both vCenters into arrays
        $ArrRolesFrom = Get-VIRole -Server $From | Where-Object { $_.IsSystem -eq $False }
        $ArrRolesTo   = Get-VIRole -Server $To   | Where-Object { $_.IsSystem -eq $False }

        foreach ($Role in $ArrRolesFrom) {
            # Checking for an existing role with the same name on the target
            $RoleTo = $ArrRolesTo | Where-Object { $_.Name -eq $Role.Name }
            if ($RoleTo) {
                Logwrite -Error "$($Role.Name) already exists on $To"
            }
            else {
                # Creating a new empty role on the target
                $RoleTo = New-VIRole -Name $Role.Name -Server $To
                Logwrite -Success "Creating $($Role.Name) on $To"
            }

            # Comparing the privileges of both roles by privilege id
            Logwrite -Info "Checking permissions for $($Role.Name)"
            [string[]]$PrivsRoleFrom = Get-VIPrivilege -Role $Role   | ForEach-Object { $_.Id }
            [string[]]$PrivsRoleTo   = Get-VIPrivilege -Role $RoleTo | ForEach-Object { $_.Id }

            foreach ($Privilege in $PrivsRoleFrom) {
                if ($PrivsRoleTo -contains $Privilege) {
                    Logwrite -Error "$Privilege already exists on $($Role.Name)"
                }
                else {
                    # Adding only the missing privilege, looked up on the target vCenter
                    Set-VIRole -Role $RoleTo -AddPrivilege (Get-VIPrivilege -Id $Privilege -Server $To) | Out-Null
                    Logwrite -Success "Setting $Privilege on $($Role.Name)"
                }
            }
        }
    }
    catch {
        throw
    }
}
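As an added example that is not part of the original post, the function below is a read-only companion to Migrate-VIrole: it compares the non-system roles of two connected vCenters privilege by privilege and reports what is missing on the target, what the target has extra, and which roles exist on one side only, without changing anything. It is meant as a dry run before the migration and as a drift check afterwards. It assumes, like the post's function, that both vCenters are already connected with Connect-VIServer; the function and property names in the output objects are my own choice.

```powershell
# Added example (not code from the original post): report role and privilege
# differences between two connected vCenters without modifying either side.
function Compare-VIRolePrivilege {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][string]$From,   # vCenter taken as the reference
        [Parameter(Mandatory=$true)][string]$To      # vCenter checked against it
    )

    $RolesFrom = @(Get-VIRole -Server $From | Where-Object { -not $_.IsSystem })
    $RolesTo   = @(Get-VIRole -Server $To   | Where-Object { -not $_.IsSystem })

    foreach ($Role in $RolesFrom) {
        $Target = $RolesTo | Where-Object { $_.Name -eq $Role.Name }
        if (-not $Target) {
            # The whole role is absent on the target; Migrate-VIrole would create it
            [pscustomobject]@{ Role = $Role.Name; Status = 'RoleMissingOnTarget'; Privilege = $null }
            continue
        }

        # Compare by privilege id; ids are stable across vCenters, display names are not
        $PrivsFrom = @(Get-VIPrivilege -Role $Role   | ForEach-Object { $_.Id })
        $PrivsTo   = @(Get-VIPrivilege -Role $Target | ForEach-Object { $_.Id })

        $Differences = 0
        foreach ($Id in $PrivsFrom) {
            if ($PrivsTo -notcontains $Id) {
                # Migrate-VIrole would add this one
                [pscustomobject]@{ Role = $Role.Name; Status = 'MissingOnTarget'; Privilege = $Id }
                $Differences++
            }
        }
        foreach ($Id in $PrivsTo) {
            if ($PrivsFrom -notcontains $Id) {
                # Migrate-VIrole never removes privileges, so these stay unless handled by hand
                [pscustomobject]@{ Role = $Role.Name; Status = 'ExtraOnTarget'; Privilege = $Id }
                $Differences++
            }
        }
        if ($Differences -eq 0) {
            [pscustomobject]@{ Role = $Role.Name; Status = 'InSync'; Privilege = $null }
        }
    }

    # Roles that only exist on the target are worth a look as well
    foreach ($Role in $RolesTo) {
        if (-not ($RolesFrom | Where-Object { $_.Name -eq $Role.Name })) {
            [pscustomobject]@{ Role = $Role.Name; Status = 'RoleOnlyOnTarget'; Privilege = $null }
        }
    }
}

# Usage, with both vCenters already connected:
# Compare-VIRolePrivilege -From vCenter1 -To vCenter2 | Format-Table -AutoSize
# Compare-VIRolePrivilege -From vCenter1 -To vCenter2 | Where-Object Status -ne 'InSync' | Export-Csv role-drift.csv -NoTypeInformation
```

Running this before Migrate-VIrole shows exactly which roles and privileges the migration will add; running it afterwards should only leave InSync rows plus whatever the target legitimately has extra, which the migration function by design leaves alone.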