3rd October 2020

Using PowerShell to Export Roles and Privileges


I got asked last week whether it is possible to export roles and privileges from vCenter as a *.csv file. It's a question that has come up a few times over the years, and there are various articles over at the VMware Communities and code sites that can help. As there isn't a handy button in vCenter to extract, export or save roles and privileges to a *.csv file, here are some quick *near* one-liners to do exactly that.

For everything that follows I'm assuming we're already authenticated to vCenter (Connect-VIServer).


To start we have Get-VIRole, which retrieves all roles defined on the connected server(s). Running Get-VIRole on its own will only output the role names and whether each one is a built-in system role;

 PS C:\Users\Administrator> get-virole

Name                      IsSystem
----                      --------
vStatsUser                False   
vStatsAdmin               False   
NsxViAdministrator        False   
NoTrustedAdmin            True    
TrustedAdmin              True    
NoCryptoAdmin             True    
NoAccess                  True    
Anonymous                 True    
View                      True    
ReadOnly                  True    
Admin                     True    
VirtualMachinePowerUser   False   
VirtualMachineUser        False   
ResourcePoolAdministrator False   
VMwareConsolidatedBack... False   
DatastoreConsumer         False   
NetworkConsumer           False   
VirtualMachineConsoleUser False   
AutoUpdateUser            False   
InventoryService.Taggi... False   
SyncUsers                 False   
vSphere Client Solutio... False   
WorkloadStorageManagement False   
vSphereKubernetesManager  False   
com.vmware.Content.Reg... False   
SupervisorServiceCluster  False   
SupervisorServiceRootF... False   
SupervisorServiceGlobal   False   
AppdApplianceUser         False   
VMOperatorController      False   
VMOperatorControllerGl... False   
NsxAdministrator          False   
NsxAuditor                False   
com.vmware.Content.Admin  False    

Which is a start, but it'd be nice to know which privileges each of those roles carries. Exploring the ExtensionData we can see this information is surfaced as a string array on the Privilege property, holding the privilege IDs (e.g. System.Read); the same list is also exposed directly on the role object as PrivilegeList.

 PS C:\Users\Administrator> $role = Get-VIRole 

PS C:\Users\Administrator> $role.extensiondata

RoleId    : -1506435488
System    : False
Name      : vStatsUser
Info      : VMware.Vim.Description
Privilege : {System.Anonymous, System.Read, System.View, vStats.CollectAny...}

RoleId    : -1101281567
System    : False
Name      : vStatsAdmin
Info      : VMware.Vim.Description
Privilege : {System.Anonymous, System.Read, System.View, vStats.CollectAny...} 

Now we know where the interesting information is, we can bring it all together and export it to a CSV that lists each role name alongside the privileges the role has been granted. The privilege IDs are joined with ";" so that a multi-valued list doesn't collide with the CSV's own comma separator.

$role = get-virole
$role.extensiondata | 
Select-Object -Property Name,@{Name='Privilege';expression={[string]::Join(";",($_.Privilege))}} |
Export-Csv -path C:\Temp\get-viRole.csv -NoTypeInformation 


Can we export a plain-language description of what each privilege in the system entitles a user to? Yes, yes we can, via Get-VIPrivilege;

 PS C:\Users\Administrator> Get-VIPrivilege

Name                                Description                                                      
----                                -----------                                                     
Anonymous                           The only privilege held by sessions which have ...            
View                                Visibility without read access to an entity. Th...            
Read                                Grants read access to an entity                                
Configure token conversion policy   Configure the Trusted Infrastructure administra...             
Configure Key Server Trust          Configure trust between Key Server and Trust Au...            
Read Key Server Trust               List and monitor the trust status between Key S...             
List information about the STS      List the STS certificates and vpxd solution user              
Configure Trust Authority Host T... Configure the CA certificates and public Endors...            
Configure Trust Authority Host m... Configure the set of Trust Authority Host metadata 

To export that as a CSV file;

$priv = get-viprivilege
$priv | 
Select-Object -Property Name,Description |
Export-Csv -path C:\Temp\get-viPrivilege.csv -NoTypeInformation 


Can we tie those roles and privileges back to user principal names? Yes, yes we can, via Get-VIPermission;

 PS C:\Users\Administrator> Get-VIPermission

Role                      Principal       Propagate IsGroup
----                      ---------       --------- -------
VMOperatorControllerGl... VSPHERE.LOCA... True      False  
Admin                     VSPHERE.LOCA... True      False  
vSphere Client Solutio... VSPHERE.LOCA... True      False  
Admin                     VSPHERE.LOCA... True      False  
Admin                     VSPHERE.LOCA... True      False  

Using the same method we can export that to a CSV file. Bear in mind that a permission is always bound to an inventory object (the Entity property) and may or may not propagate down the tree (Propagate), so for an access review you will usually want to include those two columns as well;

$perms = get-vipermission
$perms | 
Select-Object -Property Role,Principal,IsGroup |
Export-Csv -path C:\Temp\get-viPermissions.csv -NoTypeInformation 
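The three exports above are separate tables, and the question an access review actually asks is "which principal holds which privilege, on what object?" The function below is an added example (not code from the original post) that joins permissions to roles and roles to privileges into one flat table, keeping Entity and Propagate. It assumes the property names PowerCLI exposes on its objects (Role/Principal/Entity/Propagate/IsGroup on permissions, Name/PrivilegeList on roles, Id/Name/Description on privileges); the sample objects are constructed so it runs offline, and the commented call at the end shows the live equivalent.

```powershell
# Added example, not from the original post. Flattens permission -> role -> privilege
# into one row per (principal, privilege) so the result can be filtered or diffed.
# Assumption: input objects carry the property names PowerCLI uses, so the live
# cmdlet output (Get-VIPermission / Get-VIRole / Get-VIPrivilege) can be passed in directly.
function Get-EffectivePrivilegeReport {
    param(
        [Parameter(Mandatory)] [object[]] $Permissions,
        [Parameter(Mandatory)] [object[]] $Roles,
        [Parameter(Mandatory)] [object[]] $Privileges
    )

    # Index roles by name and privilege descriptions by privilege ID (e.g. 'System.Read')
    $roleByName = @{}
    foreach ($r in $Roles) { $roleByName[$r.Name] = $r }
    $descById = @{}
    foreach ($p in $Privileges) { $descById[$p.Id] = $p.Description }

    foreach ($perm in $Permissions) {
        $role = $roleByName[$perm.Role]
        if (-not $role) {
            # A permission that references a role we did not retrieve is worth flagging, not silently dropping
            Write-Warning "Permission for '$($perm.Principal)' references unknown role '$($perm.Role)'"
            continue
        }
        foreach ($privId in $role.PrivilegeList) {
            [pscustomobject]@{
                Principal   = $perm.Principal
                IsGroup     = $perm.IsGroup
                Entity      = $perm.Entity
                Propagate   = $perm.Propagate
                Role        = $role.Name
                Privilege   = $privId
                Description = $descById[$privId]   # $null if the ID is not in the privilege list
            }
        }
    }
}

# Constructed sample data (stand-ins for the Get-* cmdlets) so the report runs offline.
# Descriptions are sample text, not the real vCenter wording.
$sampleRoles = @(
    [pscustomobject]@{ Name = 'ReadOnly'; IsSystem = $true;  PrivilegeList = @('System.Anonymous', 'System.Read', 'System.View') }
    [pscustomobject]@{ Name = 'VMPower';  IsSystem = $false; PrivilegeList = @('System.Anonymous', 'System.Read', 'System.View', 'VirtualMachine.Interact.PowerOn') }
)
$samplePrivileges = @(
    [pscustomobject]@{ Id = 'System.Anonymous';                Name = 'Anonymous'; Description = 'Sample: held by unauthenticated sessions' }
    [pscustomobject]@{ Id = 'System.View';                     Name = 'View';      Description = 'Sample: visibility without read access' }
    [pscustomobject]@{ Id = 'System.Read';                     Name = 'Read';      Description = 'Grants read access to an entity' }
    [pscustomobject]@{ Id = 'VirtualMachine.Interact.PowerOn'; Name = 'Power on';  Description = 'Sample: power on a virtual machine' }
)
$samplePermissions = @(
    [pscustomobject]@{ Role = 'VMPower';  Principal = 'VSPHERE.LOCAL\ops-team'; IsGroup = $true;  Entity = 'Prod-Cluster'; Propagate = $true }
    [pscustomobject]@{ Role = 'ReadOnly'; Principal = 'VSPHERE.LOCAL\auditor';  IsGroup = $false; Entity = 'Datacenters';  Propagate = $true }
    [pscustomobject]@{ Role = 'Missing';  Principal = 'VSPHERE.LOCAL\orphan';   IsGroup = $false; Entity = 'Datacenters';  Propagate = $false }
)

$report = Get-EffectivePrivilegeReport -Permissions $samplePermissions -Roles $sampleRoles -Privileges $samplePrivileges
$report | Export-Csv -Path C:\Temp\get-viEffectivePrivileges.csv -NoTypeInformation

# Typical review question: who can power on VMs, and where does that right apply?
$report | Where-Object Privilege -eq 'VirtualMachine.Interact.PowerOn' |
    Select-Object Principal, IsGroup, Entity, Propagate, Role

# Live run against the connected vCenter (same function, real objects):
# Get-EffectivePrivilegeReport -Permissions (Get-VIPermission) -Roles (Get-VIRole) -Privileges (Get-VIPrivilege) |
#     Export-Csv -Path C:\Temp\get-viEffectivePrivileges.csv -NoTypeInformation
```

The sample data produces seven rows (three for the auditor, four for the ops-team group) plus a warning for the orphaned permission, which is the kind of thing you want surfaced rather than silently dropped. Run against a live vCenter, the output grows quickly; filtering by Privilege or by Entity is usually more useful than reading the whole CSV.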


Via Get-VIRole, Get-VIPrivilege and Get-VIPermission we've been able to extract the relevant information for use in other artefacts, design documents or as a reference.