Auditing New Role Privileges in vSphere 6 using PowerCLI

As part of a vSphere 5.5 to vSphere 6 migration effort, we wanted to audit privilege changes for numerous custom roles to see how they would need to be updated in the vSphere 6 environment.  I’ll briefly outline the (mostly generic) method I used to do this comparison and also include the results.

Before getting started, we had used a script to export all the custom roles from vCenter 5.5, and then another script to create all those roles with “matching” permissions.  This comparison helped us identify privileges that were not present in the new environment, such as privileges related to VMware components not yet installed (for example Update Manager).

Comparing Privileges

The comparison was just quick and dirty for internal use, and as you can see I put zero effort into formatting the output to make it “pretty”.  It is, however, very readable.  A couple of notes:

  • The script compares the PrivilegeList property of each Role and returns the delta along with an indicator (<= for a privilege in the old role only, => for a privilege in the new role only)
  • The actual comparison leverages the wonderful Compare-Object cmdlet

This script could be adapted in many ways; for example, you could compare the privilege lists of roles with dissimilar names if you wanted to identify which roles and privileges might be good candidates to combine into a common role.
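The comparison described above, written out as an added PowerCLI example (this is not the author's script). It assumes the 5.5 roles were saved beforehand with `Get-VIRole | Select-Object Name, PrivilegeList | Export-Clixml old-roles.xml` (a placeholder path) and that a `Connect-VIServer` session to the vSphere 6 vCenter is already open; the `=>` rows are the ones a reviewer should scrutinise, since they are privileges the role gained in the new environment.

```powershell
# Added example, not the original post's script. Assumes old-roles.xml was produced
# from the 5.5 vCenter with Export-Clixml and that Connect-VIServer has already been
# run against the vSphere 6 vCenter so Get-VIRole returns the new roles.

function Compare-RolePrivileges {
    param(
        [Parameter(Mandatory)] $OldRoles,   # objects with Name and PrivilegeList (Import-Clixml)
        [Parameter(Mandatory)] $NewRoles    # objects with Name and PrivilegeList (Get-VIRole)
    )
    foreach ($old in $OldRoles) {
        # Match roles by name; roles that were never recreated are reported, not silently skipped
        $new = $NewRoles | Where-Object { $_.Name -eq $old.Name }
        if (-not $new) {
            Write-Warning "Role '$($old.Name)' does not exist in the new vCenter"
            continue
        }
        $oldPrivs = @($old.PrivilegeList)
        $newPrivs = @($new.PrivilegeList)
        # Windows PowerShell 5.1 rejects an empty -ReferenceObject/-DifferenceObject,
        # so a role with no privileges on one side (e.g. NoAccess) is handled here.
        if ($oldPrivs.Count -eq 0 -or $newPrivs.Count -eq 0) {
            Write-Warning "Role '$($old.Name)' has an empty privilege list on one side; skipping"
            continue
        }
        # One object per privilege present on only one side:
        #   <= present in the old (reference) role only
        #   => present in the new (difference) role only
        Compare-Object -ReferenceObject $oldPrivs -DifferenceObject $newPrivs |
            ForEach-Object {
                [pscustomobject]@{
                    Role          = $old.Name
                    Privilege     = $_.InputObject
                    SideIndicator = $_.SideIndicator
                }
            }
    }
}

# Usage (file path is a placeholder); roles with no delta produce no rows.
$oldRoles = Import-Clixml -Path .\old-roles.xml
$newRoles = Get-VIRole
Compare-RolePrivileges -OldRoles $oldRoles -NewRoles $newRoles |
    Sort-Object Role, SideIndicator, Privilege |
    Format-Table -AutoSize
```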

Results – vSphere 6 Default Admin Role

Here’s the list of privileges that the admin role has in our vCenter 6.0 environment but did not have in our vCenter 5.5 environment.

InputObject SideIndicator
----------- -------------
Authorization.ModifyPrivileges =>
AutoDeploy.Host.AssociateMachine =>
AutoDeploy.Profile.Create =>
AutoDeploy.Profile.Edit =>
AutoDeploy.Rule.Create =>
AutoDeploy.Rule.Delete =>
AutoDeploy.Rule.Edit =>
AutoDeploy.RuleSet.Activate =>
AutoDeploy.RuleSet.Edit =>
Certificate.Manage =>
ContentLibrary.AddLibraryItem =>
ContentLibrary.CreateLocalLibrary =>
ContentLibrary.CreateSubscribedLibrary =>
ContentLibrary.DeleteLibraryItem =>
ContentLibrary.DeleteLocalLibrary =>
ContentLibrary.DeleteSubscribedLibrary =>
ContentLibrary.DownloadSession =>
ContentLibrary.EvictLibraryItem =>
ContentLibrary.EvictSubscribedLibrary =>
ContentLibrary.GetConfiguration =>
ContentLibrary.ImportStorage =>
ContentLibrary.ProbeSubscription =>
ContentLibrary.ReadStorage =>
ContentLibrary.SyncLibrary =>
ContentLibrary.SyncLibraryItem =>
ContentLibrary.TypeIntrospection =>
ContentLibrary.UpdateConfiguration =>
ContentLibrary.UpdateLibrary =>
ContentLibrary.UpdateLibraryItem =>
ContentLibrary.UpdateLocalLibrary =>
ContentLibrary.UpdateSession =>
ContentLibrary.UpdateSubscribedLibrary =>
InventoryService.Provider.Management =>
InventoryService.Provider.Update =>
InventoryService.Tagging.CreateScope =>
InventoryService.Tagging.DeleteScope =>
InventoryService.Tagging.ModifyUsedByForCategory =>
InventoryService.Tagging.ModifyUsedByForTag =>
TransferService.Manage =>
TransferService.Monitor =>
VirtualMachine.Config.ToggleForkParent =>
VirtualMachine.GuestOperations.ModifyAliases =>
VirtualMachine.GuestOperations.QueryAliases =>
VirtualMachine.Interact.DnD =>
VirtualMachine.Interact.Pause =>

Note: I removed some extraneous permissions that were not present in vCenter 6.0 because the corresponding products were not installed (vRealize Operations Manager and Update Manager permissions).

Hope this helps.