Documenting vCenter Privileges with PowerCLI

A customer that I'm working with at present asked this week if the minimum privileges required for vRA to access a vSphere Endpoint could be documented. As someone who isn't a fan of unnecessary wheel re-invention, my initial response was to direct them to the relevant VMware documentation (vRA 7.3 vSphere Agent Requirements).

Then they explained why that wouldn't quite cover their requirement. I won't explain exactly why, but they wanted a matrix that showed exactly what privileges each of the vRealize products (and associated management packs) needed in vCenter to provide to their security team. Somewhere in the dark and dusty reaches of my mind, a lightbulb flicked on…


Wait, I've done this before!

Like a number of other bloggers in my industry, I started this as a place to record some of things that I was doing in the hope that they might be useful to someone else, or even useful for myself in the future.

The domain name may have changed over time, but all of my older articles are still here, whether they're relevant still or not. The aforementioned lightbulb related to a post on documenting vCenter permissions┬áthat I wrote back in 2010. That fancy bit of PowerCLI was very useful indeed at the time. Curiously, I've not used it since. However, it would be a pretty pointless article if I just linked back to that and said “job done”. The only place that I have Excel installed at present is on my Mac, and I couldn't be bothered to either install it on a Windows machine or work out if the same level of orchestration was possible with Office on OSX. Also, all I really wanted was a list of all of the privileges available in vCenter.

Five simple lines of PowerShell

What I needed then boiled down to a fairly simple for loop executed in PowerShell against the vCenter in my lab:

foreach ($privilege in Get-VIPrivilege | sort Id) {
   $level = [regex]::matches($privilege.Id,"\.").count
   $output = ("," * $level) + $privilege.Name
   Write-Host $output


  • The regex on line 2 simply counts the number of full stops (or periods, if you speak American English) in the ID of the privilege returned.
  • On line 3, an equivalent number of commas is inserted before the privilege name.

The result, when executed with an active connection to vCenter, should look like this:

Results of executing the PowerShell code showing some of the vCenter privileges

All I had to do then was save the output in to a CSV file and open it in Excel. After a little formatting, I could quickly transpose the required privileges from the product documentation in to a format that the customer wanted.

A snippet from the Excel workbook produced showing vCenter privileges

With about 390 privileges listed, something onerous turned in to something fairly simple. Got to love PowerCLI…