Dealing with user rights in vCenter isn’t an easy task. The data is not readily available from the perspective of a given user; instead you have to look through the different roles, and the permissions that assign them, to work out what rights a user ends up with, which makes both the review and any compliance check hard to complete. vCenter IDM has always been hard. This has made me turn to the trusted tools of PowerCLI, where the answer can quickly be found or the data exported to CSV for later use with your favorite spreadsheet.
This post is about the PowerCLI scripts I use to get a better understanding of how user rights are assigned and what rights people actually have.
vCenter IDM overview
To be fair, this isn’t some grand thing; it’s simple, and that’s the way managing it should be too. The scripts I’m going to list here are simple, with the exception of the last one, as I didn’t make it.
Export-Roles
This script is a good way to document the rights each role has. As seen below, it is quite simple: it exports the privileges of each role to its own CSV file in the C:\temp directory.
# Export the privilege list of every role to its own CSV file under C:\temp
New-Item -ItemType Directory -Path C:\temp -Force | Out-Null
$roles = Get-VIRole
foreach ($role in $roles) {
    $role.Name
    Get-VIPrivilege -Role $role | Export-Csv "C:\temp\Role_$($role.Name).csv" -NoTypeInformation
}
This is an example of what data would come out of this.
"AppliedOnParent","ParentGroupId","ParentGroup","Description","ServerId","Server","Id","Uid","Name","ExtensionData","Client"
"False","System","System","The only privilege held by sessions which have not logged in","/VIServer=domain\user@127.0.0.1:443/","127.0.0.1","System.Anonymous","/VIServer=domain\user@127.0.0.1:443/Privilege=System.Anonymous/","Anonymous","VMware.Vim.AuthorizationPrivilege","VMware.VimAutomation.ViCore.Impl.V1.VimClient"
"False","System","System","Visibility without read access to an entity. This is assigned implicitly by the system, if read privileges are assigned at lower levels in the inventory","/VIServer=domain\user@127.0.0.1:443/","127.0.0.1","System.View","/VIServer=domain\user@127.0.0.1:443/Privilege=System.View/","View","VMware.Vim.AuthorizationPrivilege","VMware.VimAutomation.ViCore.Impl.V1.VimClient"
"False","System","System","Grants read access to an entity","/VIServer=domain\user@127.0.0.1:443/","127.0.0.1","System.Read","/VIServer=domain\user@127.0.0.1:443/Privilege=System.Read/","Read","VMware.Vim.AuthorizationPrivilege","VMware.VimAutomation.ViCore.Impl.V1.VimClient"
Export-User-Permission
This follows the same path as the last script, but instead of exporting roles it exports permissions, i.e. which principal (AD user or group) holds which role on which inventory object, so it is again useful for documentation. What has changed is what is exported and how: the script resolves AD groups to their members, and AD users to their display names and distinguished names, through System.DirectoryServices, so it has to run on a domain-joined machine. Note that it only lists direct group members (nested groups appear as members but are not expanded), and principals that are not in AD, such as vsphere.local SSO accounts, cannot be resolved and are skipped or listed by name only.
$UserRight = @()
$path = "C:\temp\UserRights.csv"

# Look up one AD object by sAMAccountName. Returns $null when the principal
# is not in AD (for example a vsphere.local SSO user or group).
function Find-AdObject([string]$Category, [string]$SamAccountName) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher("(&(objectCategory=$Category)(samAccountName=$SamAccountName))")
    $searcher.FindOne()
}

# Group permissions: expand each AD group to its direct members.
# The 'member' attribute holds direct members only; nested groups are listed
# as members but not expanded, and primary-group membership is not shown.
$Groups = Get-VIPermission | Where-Object { $_.IsGroup -eq $true }
foreach ($Group in $Groups) {
    $SecGroup = $Group.Principal -replace '.*\\'
    $AdGroup = Find-AdObject -Category Group -SamAccountName $SecGroup
    if (-not $AdGroup) { Write-Warning "Group $($Group.Principal) not found in AD, skipping"; continue }
    $Entity = Get-View $Group.EntityId
    foreach ($UserString in $AdGroup.Properties.member) {
        $details = "" | Select-Object SecurityPrincipal, User, EntityName, EntityType, DistinguishedName
        $details.SecurityPrincipal = $Group.Role          # the role granted through this group
        # First RDN (CN=...) of the member DN, whether the object sits in an OU or a container
        $details.User = [regex]::Match($UserString, '^CN=((?:\\,|[^,])+)').Groups[1].Value
        $details.EntityName = $Entity.Name
        $details.EntityType = $Entity.MoRef.Type
        $details.DistinguishedName = $UserString
        $UserRight += $details
    }
}

# User permissions: one AD lookup per user for display name and DN.
$Users = Get-VIPermission | Where-Object { $_.IsGroup -eq $false }
foreach ($User in $Users) {
    $details = "" | Select-Object SecurityPrincipal, User, EntityName, EntityType, DistinguishedName
    $SecUser = $User.Principal -replace '.*\\'
    $AdUser = Find-AdObject -Category User -SamAccountName $SecUser
    $details.SecurityPrincipal = $User.Role               # the role granted directly to this user
    if ($AdUser -and $AdUser.Properties.displayname) {
        $details.User = $AdUser.Properties.displayname[0]
    } else {
        $details.User = $SecUser                          # not in AD, or no display name set
    }
    if ($AdUser) { $details.DistinguishedName = $AdUser.Properties.distinguishedname[0] }
    $Entity = Get-View $User.EntityId
    $details.EntityName = $Entity.Name
    $details.EntityType = $Entity.MoRef.Type
    $UserRight += $details
}

$UserRight | Export-Csv -UseCulture -NoTypeInformation $path
Write-Host "File saved at $path"
Here is an example of how that might look (the SecurityPrincipal column holds the role name).
"SecurityPrincipal","User","EntityName","EntityType","DistinguishedName"
"Admin","Michael Ryom","Datacenters","Folder","CN=Michael Ryom,CN=Users,DC=MichaelRyom,DC=local"
List-Privileges
As I said at the start, I didn’t create this one; I just find it very useful. Its only drawback is that it requires Excel to be installed in order to build and export the spreadsheet, because it drives Excel through COM. The script lists each role and the privileges the role has, as a matrix of privileges against roles. Now it is just a matter of mapping the users to the roles.
Thanks to Michael Poore for making this available online via vSpecialist.
I borrowed this picture to give you an idea of what is provided.
I’m also going to provide the unedited version of the script, as Michael Poore made it available online to benefit the community.
####################################################################
# List-Privileges.ps1                                              #
#                                                                  #
# Author: Michael Poore (www.wekabyte.co.uk)                       #
# Version: 0.1                                                     #
# Date: 12/02/2010                                                 #
#                                                                  #
# Change History:                                                  #
# - 0.1 - First working version                                    #
#                                                                  #
####################################################################

$vcserver = "vCenter.domain"
$startrow = 3
$date = get-date -format F

# Connect to VC Server
Connect-VIServer $vcserver

# Get a list of all privileges from the VC Server
$privs = @()
foreach ($priv in Get-VIPrivilege | sort Id) {
    $objecta = "" | select-Object ID,Description
    $objecta.ID = $priv.Id
    $objecta.Description = $priv.Description
    $privs += $objecta
}

# Get a list of all roles from the VC Server and determine which privileges they hold
$roles = @()
foreach ($role in Get-VIRole) {
    $objectb = "" | select-Object Name,System,Description,Privileges
    $objectb.Name = $role.Name
    $objectb.System = $role.IsSystem
    $objectb.Description = $role.Description
    $myprivs = @()
    $roleprivs = $role.PrivilegeList | Sort-Object
    # One boolean per privilege, in the same order as $privs
    foreach ($priv in $privs) {
        $myprivs += $roleprivs -contains $priv.ID
    }
    $objectb.Privileges = $myprivs
    $roles += $objectb
}

# Create new Excel object
$Excel = New-Object -Com Excel.Application
$Excel.visible = $True
$Excel = $Excel.Workbooks.Add(1)
$Sheet = $Excel.WorkSheets.Item(1)

# Write Worksheet title
$Sheet.Cells.Item(1,1) = "Roles and Privileges Report for $vcserver - $date"
$Sheet.Cells.Item(1,1).font.bold = $true
$Sheet.Cells.Item(1,1).font.underline = $true
$Sheet.Cells.Item(1,1).font.size = 18

# Write worksheet column headers
$row = $startrow
$Sheet.Cells.Item($row,3) = "ROLE:"
$Sheet.Cells.Item($row,3).font.bold = $true
$Sheet.Cells.Item($row,3).HorizontalAlignment = 4
$Sheet.Cells.Item($row,3).Borders.Item(10).LineStyle = 1
$Sheet.Cells.Item($row,3).Borders.Item(10).Weight = 4
$row++
$Sheet.Cells.Item($row,3) = "DESCRIPTION:"
$Sheet.Cells.Item($row,3).font.bold = $true
$Sheet.Cells.Item($row,3).HorizontalAlignment = 4
$Sheet.Cells.Item($row,3).Borders.Item(10).LineStyle = 1
$Sheet.Cells.Item($row,3).Borders.Item(10).Weight = 4
$row++
$Sheet.Cells.Item($row,3) = "SYSTEM:"
$Sheet.Cells.Item($row,3).font.bold = $true
$Sheet.Cells.Item($row,3).HorizontalAlignment = 4
$Sheet.Cells.Item($row,3).Borders.Item(10).LineStyle = 1
$Sheet.Cells.Item($row,3).Borders.Item(10).Weight = 4
$Sheet.Rows.Item($row).Borders.Item(9).LineStyle = 1
$Sheet.Rows.Item($row).Borders.Item(9).Weight = 4
$row++
$sheet.columns.item(1).columnwidth = 5
$sheet.columns.item(2).columnwidth = 5
$sheet.columns.item(3).columnwidth = 30
$sheet.columns.item(4).columnwidth = 2

# One row per privilege, indented by the depth of its ID (Group / Group.Sub / Group.Sub.Priv)
foreach ($priv in $privs) {
    $level = [regex]::matches($priv.ID,"\.").count
    switch ($level) {
        0 {$col = 1}
        1 {$col = 2}
        default {$col = 3}
    }
    $Sheet.Cells.Item($row,$col) = $priv.Description
    $Sheet.Cells.Item($row,3).Borders.Item(10).LineStyle = 1
    $Sheet.Cells.Item($row,3).Borders.Item(10).Weight = 4
    #$Sheet.Cells.Item($row,3).WrapText = $true
    $Sheet.Cells.Item($row,4) = " "
    $row++
}

# One column per role: name, system flag, description, then "Yes" for each privilege the role holds
$col = 5
foreach ($role in $roles) {
    $row = $startrow
    $Sheet.Cells.Item($row,$col).Orientation = 90
    $Sheet.Cells.Item($row++,$col) = $role.Name
    $Sheet.Cells.Item($row,$col).HorizontalAlignment = 3
    $Sheet.Cells.Item($row++,$col) = $role.System
    $Sheet.Cells.Item($row,$col).HorizontalAlignment = 5
    $Sheet.Cells.Item($row++,$col) = $role.Description
    foreach ($priv in $role.Privileges) {
        if ($priv) {
            $Sheet.Cells.Item($row,$col).HorizontalAlignment = 3
            $Sheet.Cells.Item($row,$col) = "Yes"
        }
        $row++
    }
    $sheet.columns.item($col).columnwidth = 6
    $col++
}
Clear-Host
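Putting the pieces together from the user's perspective. The following is an added example, not code from the original post or from Michael Poore's script: it takes one AD account, expands its nested AD group membership in a single server-side LDAP query, matches the result against the principal of every vCenter permission, and reports the role, the entity the permission is set on, and any privileges from a watch-list that the role contains. It assumes an existing Connect-VIServer session, a domain-joined Windows machine for the AD lookup, and permissions assigned in the DOMAIN\samAccountName form; the function names (Get-VIUserRights, Get-AdPrincipalNames, ConvertTo-LdapFilterValue), the account name 'jdoe' and the watch-list contents are my own choices for the example. vsphere.local SSO users and groups are not in AD, so a permission held through an SSO group will not be attributed to the account; and the output shows where each permission is defined and whether it propagates, but does not compute inheritance down the inventory tree or the nearest-permission override rule.

```powershell
# Added example, not part of the original post. Assumes Connect-VIServer has
# already been run and that this runs on a domain-joined Windows machine.

# Escape a value for use inside an LDAP filter (RFC 4515), so a DN or account
# name containing \ * ( ) cannot change the meaning of the query.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Return the account name plus the sAMAccountName of every AD group the account
# belongs to, nested groups included. LDAP_MATCHING_RULE_IN_CHAIN is evaluated
# on the domain controller, so one query replaces a recursive group walk.
function Get-AdPrincipalNames([string]$SamAccountName) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.PageSize = 1000
    $searcher.Filter = "(&(objectCategory=person)(samAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $user = $searcher.FindOne()
    if (-not $user) { throw "Account '$SamAccountName' was not found in AD" }
    $dn = [string]$user.Properties['distinguishedname'][0]

    $names = New-Object -TypeName 'System.Collections.Generic.HashSet[string]' -ArgumentList ([System.StringComparer]::OrdinalIgnoreCase)
    [void]$names.Add($SamAccountName)
    $searcher.Filter = "(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $dn)))"
    $searcher.PropertiesToLoad.Clear()
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    foreach ($group in $searcher.FindAll()) {
        [void]$names.Add([string]$group.Properties['samaccountname'][0])
    }
    return ,$names   # comma keeps the set as one object instead of unrolling it
}

# For every vCenter permission that reaches the account (directly or through a
# group), report the role, the entity it is set on, and the watch-listed
# privileges the role contains.
function Get-VIUserRights {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Example watch-list only (my assumption, not from the post); adapt it to your policy
        [string[]]$WatchList = @('Authorization.ModifyPermissions', 'Authorization.ModifyRoles',
                                 'Global.Diagnostics', 'Datastore.Browse',
                                 'VirtualMachine.Interact.ConsoleInteract')
    )
    $principals = Get-AdPrincipalNames $SamAccountName
    $roleCache = @{}   # role name -> privilege ID list, fetched once per role
    foreach ($perm in Get-VIPermission) {
        # vCenter stores AD principals as DOMAIN\name; compare the name part only
        $name = $perm.Principal -replace '^.*\\'
        if (-not $principals.Contains($name)) { continue }
        if (-not $roleCache.ContainsKey($perm.Role)) {
            $roleCache[$perm.Role] = @((Get-VIRole -Name $perm.Role).PrivilegeList)
        }
        $privs = $roleCache[$perm.Role]
        $entity = Get-View -Id $perm.EntityId
        [pscustomobject]@{
            Account    = $SamAccountName
            Via        = $perm.Principal      # the account itself or one of its groups
            Role       = $perm.Role
            Entity     = $entity.Name
            EntityType = $entity.MoRef.Type
            Propagate  = $perm.Propagate      # $true: child objects inherit this permission
            PrivCount  = $privs.Count
            Flagged    = ($privs | Where-Object { $WatchList -contains $_ }) -join ';'
        }
    }
}

# Usage: every permission that reaches the account 'jdoe', one line per permission
Get-VIUserRights -SamAccountName 'jdoe' | Sort-Object Entity | Format-Table -AutoSize
```

Pipe the output to Export-Csv to keep the same documentation workflow as the scripts above, or filter on the Flagged column to turn it into a quick compliance check of who can reach the privileges you care about. The LDAP escaping matters because the account name and the DN are interpolated into a filter: a distinguished name containing parentheses or a backslash is common enough that an unescaped query would silently fail or match the wrong object.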
That’s all for now.