If you have more than one ESXi server, a vCenter Server will make your ESXi servers much easier to manage. A vCenter Server will also add a lot of additional features, such as HA and DRS clusters, to your vSphere environment. In this chapter, we will discuss some topics that will help you manage your vSphere environment.
The following topics are covered in this chapter:
In a VMware vSphere environment, you might want to give users or administrators who are not part of the vSphere administrators' team permission to perform specific tasks. For example, you might want to let the administrators of a server power that server on and off. You don't want to give those administrators all of the privileges in your environment, because you would lose control over it. There are many privileges you can grant, and you probably want to grant only a few. If you assigned privileges to users directly, it would be hard to see who has which privileges.
VMware vSphere has a feature named roles. A role is a collection of the privileges needed to perform a certain task. You can create a role named Server administrator and assign the Power On and Power Off privileges to this role. Every time you want to give an administrator the right to power a server on and off, you assign the Server administrator role to that administrator.
Permissions can be granted for every object in your vSphere environment, such as the root of your vSphere environment, data centers, folders, clusters, and virtual machines. Permissions can be propagated to the child objects of the main object to which you added a permission.
In the preceding Server administrator example, you might want to create a folder for all of the servers assigned to the administrator. You can grant the Server administrator role to the administrator on the folder and propagate this permission to all of the child objects of the folder. This gives the administrator power on and power off privileges for all of the servers in the folder.
At the time of writing this book, using vSphere 6.0, there are 310 different privilege items you can grant to somebody. These privileges are arranged in 50 privilege groups. To get a list of all of the privilege items or the privilege groups and their descriptions, you can use the Get-VIPrivilege cmdlet. This cmdlet has three parameter sets. The first parameter set retrieves privileges by server:
Get-VIPrivilege [-PrivilegeGroup] [-PrivilegeItem] [[-Name]
<String[]>] [-Id <String[]>] [-Server <VIServer[]>]
[<CommonParameters>]
The second parameter set is to retrieve privileges by role:
Get-VIPrivilege [[-Name] <String[]>] [-Role] <Role[]>
[-Id <String[]>] [<CommonParameters>]
The third parameter set is to retrieve privileges by group:
Get-VIPrivilege [[-Name] <String[]>] [-Group] <PrivilegeGroup[]>
[-Id <String[]>] [<CommonParameters>]
The -Role parameter is required in the second parameter set, and the -Group parameter is required in the third. Using the Get-VIPrivilege cmdlet without parameters retrieves all of the privilege items and privilege groups.
In the first example, we will retrieve all of the privilege items that have a name starting with Power:
PowerCLI C:\> Get-VIPrivilege -PrivilegeItem -Name Power*
The output of the preceding command is as follows:
Name       Description                           Server
----       -----------                           ------
Power      Power system operations               192.168.0.132
Power On   Power On or resume a virtual machine  192.168.0.132
Power Off  Power Off a virtual machine           192.168.0.132
Power On   Power On a vApp                       192.168.0.132
Power Off  Power Off a vApp                      192.168.0.132
In the second example, we will use the -Role parameter of Get-VIPrivilege to retrieve the privileges of the ReadOnly role:
PowerCLI C:\> Get-VIPrivilege -Role ReadOnly
The output of the preceding command is as follows:
Name       Description                                    Server
----       -----------                                    ------
Anonymous  The only privilege held by sessions which ...  192.168.0.132
View       Visibility without read access to an entity..  192.168.0.132
Read       Grants read access to an entity                192.168.0.132
In the third example, we will retrieve a list of the privilege groups using the following command:
PowerCLI C:\> Get-VIPrivilege -PrivilegeGroup
The output of the preceding command is too long to show in this book. Try the command yourself and see what it does.
In the fourth and last example of the Get-VIPrivilege cmdlet, we will use the -Group parameter to retrieve all of the privilege items of the Alarms group:
PowerCLI C:\> Get-VIPrivilege -Group Alarms
The output of the preceding command is as follows:
Name                  Description                   Server
----                  -----------                   ------
Create alarm          Create an alarm               192.168.0.132
Remove alarm          Remove an alarm               192.168.0.132
Modify alarm          Modify an alarm               192.168.0.132
Acknowledge alarm     Acknowledge an alarm          192.168.0.132
Set alarm status      Set status for an alarm       192.168.0.132
Disable alarm action  Disable actions for an alarm  192.168.0.132
Now that you know how to retrieve the vSphere privilege items and groups, you can start using the predefined roles or creating custom roles.
You can use the New-VIRole cmdlet to create a new role. The syntax of the New-VIRole cmdlet is as follows:
New-VIRole [-Name] <String> [[-Privilege] <Privilege[]>]
[-Server <VIServer[]>] [-WhatIf] [-Confirm] [<CommonParameters>]
The -Name parameter is required to create a new role.
In the following example, you will create the Server administrator role with the Power On and Power Off privileges:
PowerCLI C:\> $Privileges = Get-VIPrivilege -Name 'Power On', 'Power Off'
PowerCLI C:\> New-VIRole -Name 'Server administrator' -Privilege $Privileges
The output of the preceding commands is as follows:
Name                 IsSystem
----                 --------
Server administrator False
The following screenshot of the vSphere Web Client shows the privileges of the Server administrator role, listed under Privileges, after the preceding PowerCLI commands have created the role:
The Get-VIRole cmdlet retrieves the roles on your server. The syntax of this cmdlet is as follows:
Get-VIRole [[-Name] <String[]>] [-Id <String[]>]
[-Server <VIServer[]>] [<CommonParameters>]
The Get-VIRole cmdlet has no required parameters. Running Get-VIRole without parameters retrieves all of the roles in your environment:
PowerCLI C:\> Get-VIRole
The output of the preceding command is as follows:
Name                                  IsSystem
----                                  --------
com.vmware.Content.Admin              False
NoCryptoAdmin                         True
NoAccess                              True
Anonymous                             True
View                                  True
ReadOnly                              True
Admin                                 True
VirtualMachinePowerUser               False
VirtualMachineUser                    False
ResourcePoolAdministrator             False
VMwareConsolidatedBackupUser          False
DatastoreConsumer                     False
NetworkConsumer                       False
VirtualMachineConsoleUser             False
InventoryService.Tagging.TaggingAdmin False
Server administrator                  False
You can also use the -Name parameter to retrieve specific roles:
PowerCLI C:\> Get-VIRole -Name "Server administrator"
The output of the preceding command is as follows:
Name                 IsSystem
----                 --------
Server administrator False
If you combine the Get-VIRole and Get-VIPrivilege cmdlets, you get the privileges of a role. If you look at the privileges of the Server administrator role, you will see that it has not only the Power On and Power Off privileges, but also the Anonymous, View, and Read privileges. These three privileges are added to every role you create, and they cannot be removed from a role. You will also see that the role holds two Power On and two Power Off privileges: the -Name parameter of Get-VIPrivilege matched both the virtual machine and the vApp privileges with those display names, so the role is broader than the two privileges we intended to grant:
PowerCLI C:\> Get-VIRole -Name 'Server administrator' | Get-VIPrivilege
The output of the preceding command is as follows:
Name       Description                                    Server
----       -----------                                    ------
Anonymous  The only privilege held by sessions which ...  192.168.0.132
View       Visibility without read access to an entity..  192.168.0.132
Read       Grants read access to an entity                192.168.0.132
Power On   Power On or resume a virtual machine           192.168.0.132
Power Off  Power Off a virtual machine                    192.168.0.132
Power On   Power On a vApp                                192.168.0.132
Power Off  Power Off a vApp                               192.168.0.132
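The output above shows the side effect of selecting privileges by display name: Power On and Power Off exist for both virtual machines and vApps, so the role received four privileges where two were intended. The following added example, which is not code from the original chapter, builds the role from exact privilege IDs instead and verifies the result. The IDs VirtualMachine.Interact.PowerOn and VirtualMachine.Interact.PowerOff are the standard vSphere IDs of the virtual machine power privileges; the role name VM power operator is a placeholder, and a connected vCenter session (Connect-VIServer) is assumed.

```powershell
# Added example: create a least-privilege role from exact privilege IDs rather than display names.
# Assumes an existing Connect-VIServer session; the role name is a placeholder.
$systemIds = 'System.Anonymous', 'System.View', 'System.Read'   # implicitly present in every role
$wantedIds = 'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff'

# -Id matches the unique privilege ID, so the vApp privileges that share the display
# names 'Power On' and 'Power Off' are not selected.
$privileges = @(Get-VIPrivilege -Id $wantedIds)
if ($privileges.Count -ne $wantedIds.Count) {
    throw "Expected $($wantedIds.Count) privileges but found $($privileges.Count); verify the IDs with Get-VIPrivilege -PrivilegeItem"
}

$role = New-VIRole -Name 'VM power operator' -Privilege $privileges

# Verify the result before the role is handed out: anything beyond the system
# privileges and the requested IDs means the role is broader than intended.
$grantedIds = @($role | Get-VIPrivilege | Select-Object -ExpandProperty Id)
$unexpected = $grantedIds | Where-Object { $_ -notin ($systemIds + $wantedIds) }
if ($unexpected) {
    Write-Warning "Role '$($role.Name)' carries unexpected privileges: $($unexpected -join ', ')"
}
$grantedIds
```

The same pattern applies to Set-VIRole -AddPrivilege: select by -Id whenever a display name is reused across privilege groups, and read the role back with Get-VIPrivilege after every change.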
You can use the Set-VIRole cmdlet to give a new name to a role, add privileges to a role, or remove privileges from a role. The syntax of the Set-VIRole cmdlet is as follows. The first parameter set adds privileges or privilege groups to a role:
Set-VIRole [-Role] <Role[]> [-Name <String>] [-AddPrivilege
<Privilege[]>] [-Server <VIServer[]>] [-WhatIf] [-Confirm]
[<CommonParameters>]
The second parameter set removes privileges or privilege groups from a role:
Set-VIRole [-Role] <Role[]> [-Name <String>] [-RemovePrivilege
<Privilege[]>] [-Server <VIServer[]>] [-WhatIf] [-Confirm]
[<CommonParameters>]
The -Role parameter is required to modify a role.
In the following example, you will modify the Server administrator role into an Alarm operator role. The name will be changed, the power privileges will be removed, and the alarms privileges will be added using the following commands:
PowerCLI C:\> Get-VIRole -Name 'Server administrator' |
>> Set-VIRole -Name 'Alarm operator' -RemovePrivilege (Get-VIPrivilege -Name 'Power On','Power Off') |
>> Set-VIRole -AddPrivilege (Get-VIPrivilege -Group Alarms)
The output of the preceding command is as follows:
Name           IsSystem
----           --------
Alarm operator False
The Remove-VIRole cmdlet can be used to remove roles. This cmdlet has the following syntax:
Remove-VIRole [-Role] <Role[]> [-Force] [-Server <VIServer[]>]
[-WhatIf] [-Confirm] [<CommonParameters>]
The -Role parameter is required to remove a role. By default, you cannot remove a role that is associated with a permission. The -Force parameter indicates that you want to remove the role even if it is associated with a permission. Before you use -Force, check which permissions reference the role, because removing a role that is in use changes what those principals are allowed to do.
In the following example, we will remove the Alarm operator role:
PowerCLI C:\> Remove-VIRole -Role 'Alarm operator' -Confirm:$false
The preceding command does not return any output.
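Because -Force removes a role that permissions still reference, it is worth seeing those permissions first. The following added example is a hypothetical helper written for this page, not a PowerCLI cmdlet and not code from the original chapter. It lists the permissions that use a role, refuses to remove a system role, and removes a role that is in use only when -Force is given explicitly. A connected vCenter session is assumed.

```powershell
function Remove-VIRoleSafely {
    # Added example (hypothetical helper, not a PowerCLI cmdlet): show the permissions
    # that reference a role before removing it, and require -Force when it is in use.
    param(
        [Parameter(Mandatory = $true)][string]$RoleName,
        [switch]$Force
    )
    $role = Get-VIRole -Name $RoleName -ErrorAction Stop
    if ($role.IsSystem) {
        throw "Role '$RoleName' is a system role and cannot be removed"
    }

    # Permission objects carry the role name in their Role property.
    $inUse = @(Get-VIPermission | Where-Object { $_.Role -eq $role.Name })
    if ($inUse.Count -gt 0) {
        Write-Warning "Role '$RoleName' is referenced by $($inUse.Count) permission(s):"
        $inUse |
            Format-Table -Property @{ Name = 'Entity'; Expression = { $_.Entity.Name } }, Principal, Propagate -AutoSize |
            Out-String | Write-Warning
        if (-not $Force) {
            throw "Refusing to remove '$RoleName' while it is in use; rerun with -Force to remove it anyway"
        }
    }
    Remove-VIRole -Role $role -Force:$Force -Confirm:$false
}

# Usage: Remove-VIRoleSafely -RoleName 'Alarm operator'
```

Run the function without -Force first; the warning output tells you which entities and principals would be affected, and you can reassign those permissions with Set-VIPermission before removing the role.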
Now that you know how to create and use roles in PowerCLI, you can start creating permissions. A vSphere permission grants the privileges in a role to users or groups of users on a vSphere inventory item.
The New-VIPermission cmdlet creates new permissions. The New-VIPermission cmdlet has the following syntax:
New-VIPermission [-Entity] <VIObject[]> [-Principal] <VIAccount[]>
[-Role] <Role> [-Propagate [<Boolean>]] [-Server <VIServer[]>]
[-WhatIf] [-Confirm] [<CommonParameters>]
The -Entity, -Principal, and -Role parameters are required to create a new permission.
By default, new permissions are propagated to child objects in the vSphere inventory. If you just want to create a permission for an inventory item and not for its child objects, you have to use the -Propagate parameter with the $false value. Because propagation is the default, a permission granted high in the inventory, such as on the root or a data center, reaches every object below it; grant permissions on the smallest object that covers what the principal needs.
It is not possible to create new permissions for the following objects:
These objects always inherit the permissions of their parent.
VMware vCenter Single Sign-On (SSO) was first introduced in vSphere 5.1. In vSphere 5.5 and 6.0, the default Single Sign-On domain is named vsphere.local, and the default Single Sign-On administrator account is administrator@vsphere.local. In vSphere 5.1, the default Single Sign-On domain is named System-Domain, and the default Single Sign-On administrator account is admin@System-Domain.
In the following example, the vCenter Single Sign-On account VSPHERE.LOCAL\Administrator is granted the Admin role for the New York data center:
PowerCLI C:\> New-VIPermission -Entity (Get-Datacenter -Name 'New York') -Principal VSPHERE.LOCAL\Administrator -Role Admin
The output of the preceding command is as follows:
Role  Principal       Propagate IsGroup
----  ---------       --------- -------
Admin VSPHERE.LOCA... True      False
The following screenshot of the vSphere Web Client shows the permissions of the New York data center under the Permissions tab after the preceding PowerCLI command has granted the Admin role to the VSPHERE.LOCAL\Administrator account for the New York data center:
The Get-VIPermission cmdlet retrieves the permissions defined for inventory objects. The syntax of this cmdlet is as follows:
Get-VIPermission [[-Entity] <VIObject[]>] [-Principal <VIAccount[]>]
[-Server <VIServer[]>] [<CommonParameters>]
The Get-VIPermission cmdlet has no required parameters. If you don't specify parameters, the cmdlet retrieves all of the permissions in your environment. You can use the -Entity parameter to retrieve only the permissions for the specified inventory objects. Use the -Principal parameter to retrieve the permissions of certain users or groups.
In the following example, we will retrieve all of the permissions of the New York data center:
PowerCLI C:\> Get-VIPermission -Entity (Get-Datacenter -Name 'New York') | Select-Object -Property Role,Principal
The output of the preceding command is as follows:
Role  Principal
----  ---------
Admin VSPHERE.LOCAL\Administrator
Admin VSPHERE.LOCAL\vpxd-905bbfa6-51c6-477e-b77b-8fed8fceb492
Admin VSPHERE.LOCAL\vsphere-webclient-905bbfa6-51c6-477e-b77b-8fed...
Admin VSPHERE.LOCAL\vpxd-extension-905bbfa6-51c6-477e-b77b-8fed8fc...
Admin VSPHERE.LOCAL\Administrators
If you retrieve the permissions, the default output doesn't show you the vSphere object of each permission. You can add this object by piping the output to the Format-Table cmdlet. Use the -Property parameter and specify all of the properties you want to display, as shown in the following command line. The vSphere object is in the Entity property:
PowerCLI C:\> Get-VIPermission | Format-Table -Property Entity,Role,Propagate,IsGroup,Principal -AutoSize
The output of the preceding command is as follows:
Entity      Role  Propagate IsGroup Principal
------      ----  --------- ------- ---------
New York    Admin True      False   VSPHERE.LOCAL\Administrator
Datacenters Admin True      False   VSPHERE.LOCAL\vpxd-905bbfa6-51...
Datacenters Admin True      False   VSPHERE.LOCAL\vsphere-webclien...
Datacenters Admin True      False   VSPHERE.LOCAL\vpxd-extension-9...
Datacenters Admin True      False   VSPHERE.LOCAL\Administrator
Datacenters Admin True      True    VSPHERE.LOCAL\Administrators
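Get-VIPermission is also the raw material for a permissions audit. The following added example, which is not part of the original chapter, lists every permission with its entity and highlights the principals that hold the Admin role with propagation on the root folder, which in the output above is named Datacenters. The pattern used to set aside vCenter's own vpxd-, vpxd-extension- and vsphere-webclient- service accounts is based on the names seen in the output above and is an assumption about your environment, as is the root folder name; a connected vCenter session is assumed as well.

```powershell
# Added example: report who holds which role where, and highlight propagated Admin at the root.
# Assumes a Connect-VIServer session. The service-account pattern and the root folder name are
# assumptions based on the output shown in this chapter; adjust them for your vCenter.
$serviceAccountPattern = '\\(vpxd-|vpxd-extension-|vsphere-webclient-)'
$rootFolderName        = 'Datacenters'

$permissions = Get-VIPermission |
    Select-Object -Property @{ Name = 'Entity'; Expression = { $_.Entity.Name } },
                            Role, Principal, IsGroup, Propagate,
                            @{ Name = 'IsServiceAccount'; Expression = { $_.Principal -match $serviceAccountPattern } }

# Admin granted on the root folder with propagation reaches every object in the inventory,
# so these are the principals that can do anything anywhere.
$rootAdmins = $permissions | Where-Object {
    $_.Role -eq 'Admin' -and $_.Propagate -and $_.Entity -eq $rootFolderName -and -not $_.IsServiceAccount
}

$permissions | Sort-Object -Property Entity, Role, Principal | Format-Table -AutoSize

if ($rootAdmins) {
    $names = $rootAdmins |
        ForEach-Object { "$($_.Principal)$(if ($_.IsGroup) { ' (group)' })" } |
        Sort-Object -Unique
    Write-Warning "Propagated Admin at the root is held by: $($names -join ', ')"
}
```

Pipe $permissions to Export-Csv on a schedule and compare the files; a new propagated Admin entry at the root, or a new member of a group that holds one, is the change you want to notice first.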
You can use the Set-VIPermission cmdlet to change the role of a permission or to change whether a permission propagates to child objects. The Set-VIPermission cmdlet has the following syntax:
Set-VIPermission [-Permission] <Permission[]> [-Role <Role>]
[-Propagate [<Boolean>]] [-Server <VIServer[]>] [-WhatIf]
[-Confirm] [<CommonParameters>]
The -Permission parameter is required to modify permissions.
In the following example, the permission of the account VSPHERE.LOCAL\Administrator on the data center New York is changed to ReadOnly, and the propagation of the permission to child objects is disabled. Note that this changes only the explicit permission on the New York data center; as the earlier Get-VIPermission output shows, the same account still holds a propagated Admin permission on the root folder, so its effective access is unchanged:
PowerCLI C:\> Get-VIPermission -Entity (Get-Datacenter -Name 'New York') -Principal VSPHERE.LOCAL\Administrator |
>> Set-VIPermission -Role ReadOnly -Propagate:$false
The output of the preceding command is as follows:
Role     Principal       Propagate IsGroup
----     ---------       --------- -------
ReadOnly VSPHERE.LOCA... False     False
The Remove-VIPermission cmdlet removes the specified permissions from your inventory. The syntax of this cmdlet is as follows:
Remove-VIPermission [-Permission] <Permission[]> [-WhatIf]
[-Confirm] [<CommonParameters>]
The -Permission parameter is required to remove a permission.
In the following example, the permission for VSPHERE.LOCAL\Administrator is removed from the New York data center:
PowerCLI C:\> Get-VIPermission -Entity (Get-Datacenter -Name 'New York') -Principal VSPHERE.LOCAL\Administrator |
>> Remove-VIPermission -Confirm:$false
The preceding command does not return any output.