Using PowerCLI to dump your permission structure in vCenter
So there I was pondering the question, “How can I pull the details of the Permission tab in vCenter without logging into all of my damn vCenters!”
I tossed around a few ideas for commands, none of which gave me what I wanted. I searched and found some really awesome scripts by @LucD22 and others, which were great if I wanted to view the rights assigned to roles, assign rights to those roles, and import them respectively. But my objective was far simpler than that. I wanted a very easy way to dump which Role is tied to which User accounts across my hundreds of vCenters in a simple fashion.
Lo and behold, here is the base result!
Get-VIPermission | Select Role, Principal, Entity, UID
Wow, that was easy! But wait! WTF WHY DOES UID KEEP TRUNCATING! Hey, calm down, calm down… I have a fix for that. ;) Also, in that same fix, I specifically cared about who was granted the Administrative type roles, and much less about Virtual Machine User or Power User. Thus the following two modifications took care of that.
Get-VIPermission | Where {$_.Role -eq "Admin"} | Select Role, Principal, Entity, UID | Export-CSV "C:\Temp\Rights.csv" -NoTypeInformation
And there it went! Dumping all of the data I wanted into a CSV file which I could sort and manipulate unflustered and unfettered by the results!
What was really useful about this is that, unlike just looking at the top-level Permissions tab, it also drills down into sub-objects, so I was able to find accounts which were granted permission on a sub-part! Hopefully this helps you as much as it helped me in discovering and writing this :)
I’ll probably come back and revisit this script on a quarterly basis, making sure no one went rogue in the meantime. You should too. :)
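An added sketch, not part of the original post, that runs the same query against a list of vCenters and diffs the result against the last reviewed export for the quarterly check. The file paths, the vcenters.txt list, the single audit credential and the use of EntityId in place of UID are assumptions.

```powershell
# Added example: paths, the vCenter list file and the shared credential are assumptions.
param(
    [string[]]$VCenters   = (Get-Content 'C:\Temp\vcenters.txt'),  # one vCenter FQDN per line
    [string[]]$AdminRoles = @('Admin'),                            # role names treated as administrative
    [string]$Baseline     = 'C:\Temp\Rights-baseline.csv',         # last reviewed export
    [string]$Current      = 'C:\Temp\Rights-current.csv'           # this run's export
)

$cred = Get-Credential   # one audit account valid on every vCenter (assumption)
$rows = foreach ($vc in $VCenters) {
    try {
        $srv = Connect-VIServer -Server $vc -Credential $cred -ErrorAction Stop
    } catch {
        # An unreachable vCenter is reported, not silently dropped from the audit
        Write-Warning "Skipping ${vc}: $($_.Exception.Message)"
        continue
    }
    try {
        Get-VIPermission -Server $srv |
            Where-Object { $AdminRoles -contains $_.Role } |
            Select-Object @{ n = 'VCenter'; e = { $vc } },
                          Role, Principal, IsGroup, Propagate,
                          @{ n = 'Entity'; e = { $_.Entity.Name } },
                          EntityId
    } finally {
        Disconnect-VIServer -Server $srv -Confirm:$false
    }
}
$rows | Sort-Object VCenter, Principal, EntityId |
    Export-Csv -Path $Current -NoTypeInformation

if (Test-Path $Baseline) {
    # Both sides are read back from CSV so every compared value is a string
    $key = 'VCenter', 'Role', 'Principal', 'EntityId', 'Propagate'
    Compare-Object (Import-Csv $Baseline) (Import-Csv $Current) -Property $key |
        Select-Object @{ n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' } } },
                      VCenter, Role, Principal, EntityId, Propagate |
        Sort-Object VCenter, Principal | Format-Table -AutoSize
} else {
    Write-Host "No baseline yet; review $Current and copy it to $Baseline."
}
```

Rows marked ADDED are administrative grants that appeared since the baseline was reviewed; once they are accounted for, copy the current export over the baseline for the next run.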