PowerCLI: Documenting vCenter Permissions (Part 1)
It's a nice feeling being asked to do something challenging and new. There I was writing lots of lovely documentation and I was asked if I could document the permissions in vCenter. I said “Ok” without really thinking about it. Do you know how many different privileges there are in vCenter? Quite a few, I realised a few seconds later.
After consulting the PowerCLI cmdlets reference I found out exactly how many there were.
[ps](get-VIPrivilege).count[/ps]
Only 249. Multiply that by 14 default roles and you get 3486 permissions to document. It's not quite that bad really. You only need to document permissions that have been assigned so that cuts the number down considerably. Still, there must be an easier way.
I've all but hit you over the head with the solution. Let's take the default “Admin” role as an example. The following shows exactly which permissions it has:
[ps]get-VIPrivilege -role Admin[/ps]
The output isn't pretty but it gets the job done. Suppose you want the privileges for all roles. To borrow Apple's catch-phrase, there's a cmdlet for that.
[ps]get-VIRole[/ps]
This is all well and good but we need to combine these cmdlets, their output and present it in some sort of meaningful way. PowerShell has a number of builtin cmdlets for formatting and / or exporting data. What I wanted was something that didn't require me to do any extra formatting afterwards and that I can use again. Given the nature of the data we're trying to extract, one of the best ways of presenting it is in an Excel spreadsheet. For this we could use the export-csv cmdlet but to avoid any extra formatting I decided to experiment with Excel interaction. That is the part that took most of the time and has made the script below such an ungainly beast. Thanks though to the magic of Google and inspiration from one of Alan Renouf's scripts, I cobbled together the following:
[ps]####################################################################
# List-Privileges.ps1 #
# #
# Author: Michael Poore (www.wekabyte.co.uk) #
# Version: 0.1 #
# Date: 12/02/2010 #
# #
# Change History: #
# – 0.1 – First working version #
# #
####################################################################
$vcserver = "myvcserver"
$startrow = 3
$date = get-date -format F
# Connect to VC Server
Connect-VIServer $vcserver
# Get a list of all privileges from the VC Server
$privs = @()
foreach ($priv in Get-VIPrivilege | sort Id)
{
$objecta = "" | select-Object ID,Description
$objecta.ID = $priv.Id
$objecta.Description = $priv.Description
$privs += $objecta
}
# Get a list of all roles from the VC Server and determine which privileges they hold
$roles = @()
foreach ($role in Get-VIRole)
{
$objectb = "" | select-Object Name,System,Description,Privileges
$objectb.Name = $role.Name
$objectb.System = $role.IsSystem
$objectb.Description = $role.Description
$myprivs = @()
$roleprivs = $role.PrivilegeList | Sort
$roleprivs
foreach ($priv in $privs)
{
$myprivs += $roleprivs -contains $priv.ID
}
$objectb.Privileges = $myprivs
$roles += $objectb
}
# Create new Excel object
$Excel = New-Object -Com Excel.Application
$Excel.visible = $True
$Excel = $Excel.Workbooks.Add(1)
$Sheet = $Excel.WorkSheets.Item(1)
# Write Worksheet title
$Sheet.Cells.Item(1,1) = "Roles and Privileges Report for $vcserver – $date"
$Sheet.Cells.Item(1,1).font.bold = $true
$Sheet.Cells.Item(1,1).font.underline = $true
$Sheet.Cells.Item(1,1).font.size = 18
# Write worksheet column headers
$row = $startrow
$Sheet.Cells.Item($row,3) = "ROLE:"
$Sheet.Cells.Item($row,3).font.bold = $true
$Sheet.Cells.Item($row,3).HorizontalAlignment = 4
$Sheet.Cells.Item($row,3).Borders.Item(10).LineStyle = 1
$Sheet.Cells.Item($row,3).Borders.Item(10).Weight = 4
$row++
$Sheet.Cells.Item($row,3) = "DESCRIPTION:"
$Sheet.Cells.Item($row,3).font.bold = $true
$Sheet.Cells.Item($row,3).HorizontalAlignment = 4
$Sheet.Cells.Item($row,3).Borders.Item(10).LineStyle = 1
$Sheet.Cells.Item($row,3).Borders.Item(10).Weight = 4
$row++
$Sheet.Cells.Item($row,3) = "SYSTEM:"
$Sheet.Cells.Item($row,3).font.bold = $true
$Sheet.Cells.Item($row,3).HorizontalAlignment = 4
$Sheet.Cells.Item($row,3).Borders.Item(10).LineStyle = 1
$Sheet.Cells.Item($row,3).Borders.Item(10).Weight = 4
$Sheet.Rows.Item($row).Borders.Item(9).LineStyle = 1
$Sheet.Rows.Item($row).Borders.Item(9).Weight = 4
$row++
$sheet.columns.item(1).columnwidth = 5
$sheet.columns.item(2).columnwidth = 5
$sheet.columns.item(3).columnwidth = 30
$sheet.columns.item(4).columnwidth = 2
foreach ($priv in $privs)
{
$level = [regex]::matches($priv.ID,".").count
switch ($level)
{
0 {$col = 1}
1 {$col = 2}
default {$col = 3}
}
$Sheet.Cells.Item($row,$col) = $priv.Description
$Sheet.Cells.Item($row,3).Borders.Item(10).LineStyle = 1
$Sheet.Cells.Item($row,3).Borders.Item(10).Weight = 4
#$Sheet.Cells.Item($row,3).WrapText = $true
$Sheet.Cells.Item($row,4) = " "
$row++
}
$col = 5
foreach ($role in $roles)
{
$row = $startrow
$Sheet.Cells.Item($row,$col).Orientation = 90
$Sheet.Cells.Item($row++,$col) = $role.Name
$Sheet.Cells.Item($row,$col).HorizontalAlignment = 3
$Sheet.Cells.Item($row++,$col) = $role.System
$Sheet.Cells.Item($row,$col).HorizontalAlignment = 5
$Sheet.Cells.Item($row++,$col) = $role.Description
foreach ($priv in $role.Privileges)
{
if ($priv)
{
$Sheet.Cells.Item($row,$col).HorizontalAlignment = 3
$Sheet.Cells.Item($row,$col) = "Yes"
}
$row++
}
$sheet.columns.item($col).columnwidth = 6
$col++
}
Clear[/ps]
It's a little slow to run but fairly easy to read the output. These are the default roles in vCenter 4.0.
So that's part 1. The next step is already underway – tidying the script and adding to it to try and give some indication of which AD users and groups map to which roles.