Chapter 9. Managing vCenter Server

If you have more than one ESXi server, a vCenter Server will make your ESXi servers much easier to manage. A vCenter Server will also add a lot of additional features, such as HA and DRS clusters, to your vSphere environment. In this chapter, we will discuss some topics that will help you manage your vSphere environment.

The following topics are covered in this chapter:

  • Working with roles and permissions
  • Managing licenses
  • Configuring alarms
  • Retrieving events

Working with roles and permissions

In a VMware vSphere environment, you might want to give certain permissions to users or administrators, who are not a part of the vSphere administrator's team, to perform specific tasks. For example, you might want to give the administrators of a server the permission to power on and off the server. You don't want to give these administrators all the privileges in your environment because you will lose control over it. There are many privileges you can give to somebody, and you probably want to give only a few. If you assigned privileges to users directly, it would be hard to see who has which privileges.

VMware vSphere has a nice feature named roles. Roles are a collection of privileges that you will need to perform a certain task. You can create a role named Server administrator and assign the Power On and Power Off privileges to this role. Every time you want to give an administrator the rights to power on and off a server, you can assign the Server administrator role to the administrator.

Permissions can be granted for every object in your vSphere environment, such as the root of your vSphere environment, data centers, folders, clusters, and virtual machines. Permissions can be propagated to the child objects of the main object to which you added a permission.

In the preceding Server administrator example, you might want to create a folder for all of the servers assigned to the administrator. You can grant the Server administrator role to the administrator in the folder and propagate this permission to all of the child objects of the folder. This will give the administrator power on and off privileges for all of the servers in the folder.

Retrieving privileges

At the time of writing this book, using vSphere 6.0, there are 310 different privilege items you can grant to somebody. These privileges are arranged in 50 privilege groups. To get a list of all of the privilege items or the privilege groups and their descriptions, you can use the Get-VIPrivilege cmdlet. This cmdlet has the following syntax. The first parameter set is to retrieve privileges by server:

Get-VIPrivilege [-PrivilegeGroup] [-PrivilegeItem] [[-Name]
    <String[]>] [-Id <String[]>] [-Server <VIServer[]>]
    [<CommonParameters>]

The second parameter set is to retrieve privileges by role:

Get-VIPrivilege [[-Name] <String[]>] [-Role] <Role[]>
    [-Id <String[]>] [<CommonParameters>]

The third parameter set is to retrieve privileges by group:

Get-VIPrivilege [[-Name] <String[]>] [-Group] <PrivilegeGroup[]>
    [-Id <String[]>] [<CommonParameters>]

The -Role parameter is required in the second parameter set, and the -Group parameter is required in the third. Using the Get-VIPrivilege cmdlet without parameters will retrieve all of the privilege items and the privilege groups.

In the first example, we will retrieve all of the privilege items that have a name starting with Power:

PowerCLI C:\> Get-VIPrivilege -PrivilegeItem -Name Power*

The output of the preceding command is as follows:

Name             Description                            Server
----             -----------                            ------
Power            Power system operations                192.168.0.132
Power On         Power On or resume a virtual machine   192.168.0.132
Power Off        Power Off a virtual machine            192.168.0.132
Power On         Power On a vApp                        192.168.0.132
Power Off        Power Off a vApp                       192.168.0.132

In the second example, we will use the Get-VIPrivilege -Role parameter to retrieve the privileges of the ReadOnly role:

PowerCLI C:\> Get-VIPrivilege -Role ReadOnly

The output of the preceding command is as follows:

Name      Description                                   Server
----      -----------                                   ------
Anonymous The only privilege held by sessions which ... 192.168.0.132
View      Visibility without read access to an entity.. 192.168.0.132
Read      Grants read access to an entity               192.168.0.132

In the third example, we will retrieve a list of the privilege groups using the following command:

PowerCLI C:\> Get-VIPrivilege -PrivilegeGroup

The output of the preceding command is too long to show in this book. Try the command yourself and see what it does.

In the fourth and last example of the Get-VIPrivilege cmdlet, we will use the -Group parameter to retrieve all of the privilege items of the Alarms group:

PowerCLI C:\> Get-VIPrivilege -Group Alarms

The output of the preceding command is as follows:

Name                 Description                        Server
----                 -----------                        ------
Create alarm         Create an alarm                    192.168.0.132
Remove alarm         Remove an alarm                    192.168.0.132
Modify alarm         Modify an alarm                    192.168.0.132
Acknowledge alarm    Acknowledge an alarm               192.168.0.132
Set alarm status     Set status for an alarm            192.168.0.132
Disable alarm action Disable actions for an alarm       192.168.0.132

Using roles

Now that you know how to retrieve the vSphere privilege items and groups, you can start using the predefined roles or creating custom roles.

Creating roles

You can use the New-VIRole cmdlet to create a new role. The syntax of the New-VIRole cmdlet is as follows:

New-VIRole [-Name] <String> [[-Privilege] <Privilege[]>]
    [-Server <VIServer[]>] [-WhatIf] [-Confirm] [<CommonParameters>]

The -Name parameter is required to create a new role.

In the following example, you will create the Server administrator role with the Power on and Power off privileges:

PowerCLI C:\> $Privileges = Get-VIPrivilege -Name 'Power On','Power Off'
PowerCLI C:\> New-VIRole -Name 'Server administrator' -Privilege $Privileges

The output of the preceding commands is as follows:

Name                      IsSystem
----                      --------
Server administrator      False

In the following screenshot of vSphere Web Client, you will see the privileges under the Server administrator role under Privileges after executing the preceding PowerCLI commands to create the role:

Retrieving roles

The Get-VIRole cmdlet retrieves all of the roles on your server. The syntax of this cmdlet is as follows:

Get-VIRole [[-Name] <String[]>] [-Id <String[]>]
    [-Server <VIServer[]>] [<CommonParameters>]

The Get-VIRole cmdlet has no required parameters. The Get-VIRole cmdlet without parameters retrieves all of the roles in your environment:

PowerCLI C:\> Get-VIRole

The output of the preceding command is as follows:

Name                                  IsSystem
----                                  --------
com.vmware.Content.Admin              False
NoCryptoAdmin                         True
NoAccess                              True
Anonymous                             True
View                                  True
ReadOnly                              True
Admin                                 True
VirtualMachinePowerUser               False
VirtualMachineUser                    False
ResourcePoolAdministrator             False
VMwareConsolidatedBackupUser          False
DatastoreConsumer                     False
NetworkConsumer                       False
VirtualMachineConsoleUser             False
InventoryService.Tagging.TaggingAdmin False
Server administrator                  False

You can also use the -Name parameter to retrieve specific roles:

PowerCLI C:\> Get-VIRole -Name "Server administrator"

The output of the preceding command is as follows:

Name                                  IsSystem
----                                  --------
Server administrator                  False

If you combine the Get-VIRole and Get-VIPrivilege cmdlets, you will get the privileges of a role. If you look at the privileges of the Server administrator role, you will see that it has not only the Power On and Power Off privileges, but also the Anonymous, View, and Read privileges. These three privileges are added to all of the roles you create, and they cannot be removed from the created roles:

PowerCLI C:\> Get-VIRole -Name 'Server administrator' | Get-VIPrivilege

The output of the preceding command is as follows:

Name      Description                                   Server
----      -----------                                   ------
Anonymous The only privilege held by sessions which ... 192.168.0.132
View      Visibility without read access to an entity.. 192.168.0.132
Read      Grants read access to an entity               192.168.0.132
Power On  Power On or resume a virtual machine          192.168.0.132
Power Off Power Off a virtual machine                   192.168.0.132
Power On  Power On a vApp                               192.168.0.132
Power Off Power Off a vApp                              192.168.0.132
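
The output above shows that the role also holds the vApp power privileges, because the names Power On and Power Off each match two privilege items. The following added example (not from the book) compares a role's privilege IDs with an intended list; the function name is hypothetical, and the IDs are assumed to be the vSphere identifiers behind the display names shown above.

```powershell
# Added example. Reports privileges a role holds beyond what was intended,
# and intended privileges it lacks. Comparison is by privilege ID, because
# display names such as 'Power On' are not unique.
function Compare-RolePrivilege {
    param(
        [Parameter(Mandatory)] [string[]] $ActualId,    # IDs the role holds
        [Parameter(Mandatory)] [string[]] $ExpectedId   # IDs it should hold
    )
    # Anonymous, View and Read are added to every created role and cannot
    # be removed, so they are ignored here (IDs assumed).
    $implicit = 'System.Anonymous', 'System.View', 'System.Read'
    $actual = @($ActualId |
        Where-Object { $_ -notin $implicit } |
        Sort-Object -Unique)
    [pscustomobject]@{
        Unexpected = @($actual | Where-Object { $_ -notin $ExpectedId })
        Missing    = @($ExpectedId | Where-Object { $_ -notin $actual })
    }
}

# Constructed sample: assumed IDs for the seven rows printed above.
$sample = 'System.Anonymous', 'System.View', 'System.Read',
          'VirtualMachine.Interact.PowerOn',
          'VirtualMachine.Interact.PowerOff',
          'VApp.PowerOn', 'VApp.PowerOff'
# What a role for powering servers on and off is meant to carry.
$wanted = 'VirtualMachine.Interact.PowerOn',
          'VirtualMachine.Interact.PowerOff'

Compare-RolePrivilege -ActualId $sample -ExpectedId $wanted

# Against a live vCenter Server (after Connect-VIServer):
#   $ids = (Get-VIRole -Name 'Server administrator' | Get-VIPrivilege).Id
#   Compare-RolePrivilege -ActualId $ids -ExpectedId $wanted
# Selecting by ID when creating the role avoids the vApp privileges:
#   New-VIRole -Name 'Server administrator' `
#       -Privilege (Get-VIPrivilege -Id $wanted)
```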

Modifying roles

You can use the Set-VIRole cmdlet to give a new name to a role, add privileges to a role, or remove privileges from a role. The syntax of the Set-VIRole cmdlet is as follows. The first parameter set is there to add privileges or privilege groups to a role:

Set-VIRole [-Role] <Role[]> [-Name <String>] [-AddPrivilege
    <Privilege[]>] [-Server <VIServer[]>] [-WhatIf] [-Confirm]
    [<CommonParameters>]

The second parameter set removes privileges or privilege groups from a role:

Set-VIRole [-Role] <Role[]> [-Name <String>] [-RemovePrivilege
    <Privilege[]>] [-Server <VIServer[]>] [-WhatIf] [-Confirm]
    [<CommonParameters>]

The -Role parameter is required to modify a role.

In the following example, you will modify the Server administrator role into an Alarm operator role. The name will be changed, the power privileges will be removed, and the alarms privileges will be added using the following commands:

PowerCLI C:\> Get-VIRole -Name 'Server administrator' |
>> Set-VIRole -Name 'Alarm operator' -RemovePrivilege (Get-VIPrivilege -Name 'Power On','Power Off') |
>> Set-VIRole -AddPrivilege (Get-VIPrivilege -Group Alarms)

The output of the preceding command is as follows:

Name                      IsSystem
----                      --------
Alarm operator            False

Removing roles

The Remove-VIRole cmdlet can be used to remove roles. This cmdlet has the following syntax:

Remove-VIRole [-Role] <Role[]> [-Force] [-Server <VIServer[]>]
    [-WhatIf] [-Confirm] [<CommonParameters>]

The -Role parameter is required to remove a role. By default, you cannot remove a role that is associated with a permission. The -Force parameter indicates that you want to remove the role even if it is associated with a permission.

In the following example, we will remove the Alarm operator role:

PowerCLI C:\> Remove-VIRole -Role 'Alarm operator' -Confirm:$false

The preceding command does not return any output.

Using permissions

Now that you know how to create and use roles in PowerCLI, you can start creating permissions. A vSphere permission grants the privileges in a role to users or groups of users on a vSphere inventory item.

Creating permissions

The New-VIPermission cmdlet creates new permissions. The New-VIPermission cmdlet has the following syntax:

New-VIPermission [-Entity] <VIObject[]> [-Principal] <VIAccount[]>
    [-Role] <Role> [-Propagate [<Boolean>]] [-Server <VIServer[]>]
    [-WhatIf] [-Confirm] [<CommonParameters>]

The -Entity, -Principal, and -Role parameters are required to create a new permission.

By default, new permissions are propagated to child objects in the vSphere inventory. If you just want to create a permission for an inventory item and not for its child objects, you have to use the -Propagate parameter with the $false value.

It is not possible to create new permissions for the following objects:

  • Direct child folders of a data center
  • Root resource pools of clusters and standalone hosts

These objects always inherit the permissions of their parent.

Note

VMware vCenter Single Sign-On (SSO) was first introduced in vSphere 5.1. In vSphere 5.5 and 6.0, the default Single Sign-On domain is named vsphere.local, and the default Single Sign-On administrator account is administrator@vsphere.local. In vSphere 5.1, the default Single Sign-On domain is named System-Domain, and the default Single Sign-On administrator account is admin@System-Domain.

In the following example, the vCenter Single Sign-On account VSPHERE.LOCAL\Administrator is granted the Admin role for the New York data center:

PowerCLI C:\> New-VIPermission -Entity (Get-Datacenter -Name 'New York') -Principal VSPHERE.LOCAL\Administrator -Role Admin

The output of the preceding command is as follows:

Role                      Principal       Propagate IsGroup
----                      ---------       --------- -------
Admin                     VSPHERE.LOCA... True      False

In the following screenshot of the vSphere Web Client, you will see the permissions of the New York data center under the Permissions tab after executing the preceding PowerCLI command to grant the Administrator role to the VSPHERE.LOCAL\Administrator account for the New York data center:

Retrieving permissions

The Get-VIPermission cmdlet retrieves the permissions defined for inventory objects. The syntax of this cmdlet is as follows:

Get-VIPermission [[-Entity] <VIObject[]>] [-Principal <VIAccount[]>]
    [-Server <VIServer[]>] [<CommonParameters>]

The Get-VIPermission cmdlet has no required parameters. If you don't specify parameters, the cmdlet will retrieve all of the permissions in your environment. You can use the -Entity parameter to retrieve only the permissions for the specified inventory objects. Use the -Principal parameter to retrieve permissions for certain users or groups.

In the following example, we will retrieve all of the permissions of the New York data center:

PowerCLI C:\> Get-VIPermission -Entity (Get-Datacenter -Name 'New York') |
>> Select-Object -Property Role,Principal

The output of the preceding command is as follows:

Role  Principal
----  ---------
Admin VSPHERE.LOCAL\Administrator
Admin VSPHERE.LOCAL\vpxd-905bbfa6-51c6-477e-b77b-8fed8fceb492
Admin VSPHERE.LOCAL\vsphere-webclient-905bbfa6-51c6-477e-b77b-8fed...
Admin VSPHERE.LOCAL\vpxd-extension-905bbfa6-51c6-477e-b77b-8fed8fc...
Admin VSPHERE.LOCAL\Administrators

If you retrieve the permissions, the default output doesn't show you the vSphere object for the permission. You can add this object by piping the output to the Format-Table cmdlet. Use the -Property parameter and specify all of the properties you want to retrieve, as shown in the following command line. The vSphere object is in the Entity property:

PowerCLI C:\> Get-VIPermission |
>> Format-Table -Property Entity,Role,Propagate,IsGroup,Principal -AutoSize

The output of the preceding command is as follows:

Entity      Role  Propagate IsGroup Principal
------      ----  --------- ------- ---------
New York    Admin      True   False VSPHERE.LOCAL\Administrator
Datacenters Admin      True   False VSPHERE.LOCAL\vpxd-905bbfa6-51...
Datacenters Admin      True   False VSPHERE.LOCAL\vsphere-webclien...
Datacenters Admin      True   False VSPHERE.LOCAL\vpxd-extension-9...
Datacenters Admin      True   False VSPHERE.LOCAL\Administrator
Datacenters Admin      True    True VSPHERE.LOCAL\Administrators
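
A listing like this is the starting point for a permission review. The following added example (not from the book) flags permissions that grant the Admin role with propagation enabled to a principal outside an approved list; the function name, the approved patterns, and the sample rows are constructed for illustration.

```powershell
# Added example. Emits one row per permission that grants the Admin role,
# propagates to child objects, and is held by a principal that matches
# none of the approved wildcard patterns.
function Find-BroadAdminGrant {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Permission,
        [string[]] $Approved = @()   # e.g. 'VSPHERE.LOCAL\vpxd-*'
    )
    process {
        # Only propagating Admin grants are of interest here.
        if ($Permission.Role -ne 'Admin' -or -not $Permission.Propagate) {
            return
        }
        foreach ($pattern in $Approved) {
            if ($Permission.Principal -like $pattern) { return }
        }
        [pscustomobject]@{
            Entity    = $Permission.Entity
            Principal = $Permission.Principal
            IsGroup   = $Permission.IsGroup
        }
    }
}

# Constructed sample rows with the properties shown in the table above.
$sample = @(
    [pscustomobject]@{ Entity = 'New York'; Role = 'Admin'
        Propagate = $true; IsGroup = $false
        Principal = 'VSPHERE.LOCAL\Administrator' }
    [pscustomobject]@{ Entity = 'Datacenters'; Role = 'Admin'
        Propagate = $true; IsGroup = $true
        Principal = 'VSPHERE.LOCAL\Administrators' }
    [pscustomobject]@{ Entity = 'Datacenters'; Role = 'Admin'
        Propagate = $true; IsGroup = $false
        Principal = 'VSPHERE.LOCAL\vpxd-00000000-example' }
    [pscustomobject]@{ Entity = 'New York'; Role = 'ReadOnly'
        Propagate = $false; IsGroup = $false
        Principal = 'VSPHERE.LOCAL\Administrator' }
)

# Approved list is an assumption; adjust it to your own environment.
$approved = 'VSPHERE.LOCAL\Administrators', 'VSPHERE.LOCAL\vpxd-*'
$sample | Find-BroadAdminGrant -Approved $approved

# Against a live vCenter Server (after Connect-VIServer):
#   Get-VIPermission | Find-BroadAdminGrant -Approved $approved
```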

Modifying permissions

You can use the Set-VIPermission cmdlet to change the role of a permission or to change whether a permission propagates to child objects. The Set-VIPermission cmdlet has the following syntax:

Set-VIPermission [-Permission] <Permission[]> [-Role <Role>]
    [-Propagate [<Boolean>]] [-Server <VIServer[]>] [-WhatIf]
    [-Confirm] [<CommonParameters>]

The -Permission parameter is required to modify permissions.

In the following example, the permission of the account VSPHERE.LOCAL\Administrator on the data center New York is changed into ReadOnly, and the propagation of the permission to child objects is disabled:

PowerCLI C:\> Get-VIPermission -Entity (Get-Datacenter -Name 'New York') -Principal VSPHERE.LOCAL\Administrator |
>> Set-VIPermission -Role ReadOnly -Propagate:$false

The output of the preceding command is as follows:

Role                      Principal       Propagate IsGroup
----                      ---------       --------- -------
ReadOnly                  VSPHERE.LOCA... False     False

Removing permissions

The Remove-VIPermission cmdlet will remove the specified permissions from your inventory. The syntax of this cmdlet is as follows:

Remove-VIPermission [-Permission] <Permission[]> [-WhatIf]
    [-Confirm] [<CommonParameters>]

The -Permission parameter is required to remove a permission.

In the following example, the permission for VSPHERE.LOCAL\Administrator is removed from the New York data center:

PowerCLI C:\> Get-VIPermission -Entity (Get-Datacenter -Name 'New York') -Principal VSPHERE.LOCAL\Administrator |
>> Remove-VIPermission -Confirm:$false

The preceding command does not return any output.
