Friday, March 15, 2013

Using PowerCLI to create a new vCenter Server role and assign it to the service account used by VMware View Manager 5.1

As most administrators who have deployed VMware View know, the View Connection Server uses a service account to connect to vCenter Server in order to create, manage and delete the virtual desktops.  The service account is entered while adding the vCenter Server that will manage the virtual desktops:


… and as per the following VMware View 5.1 documentation:


… the required privileges for View Manager (this does NOT include View Composer) are as follows. The privilege group each entry belongs to is listed, because the vCenter display names alone are not unique across groups:

Privilege Group          Privileges to Enable

Folder:
  • Create folder
  • Delete folder

Virtual Machine:

  In Configuration:
  • Add or remove device
  • Advanced
  • Modify device settings

  In Interaction:
  • Power Off
  • Power On
  • Reset
  • Suspend

  In Inventory:
  • Create new
  • Remove

  In Provisioning:
  • Customize
  • Deploy template
  • Read customization specifications

Resource:
  • Assign virtual machine to resource pool

Global:
  • Act as vCenter Server

I don't live and breathe PowerCLI on a daily basis, so my first attempt was simply to use the New-VIRole cmdlet:

… and the parameters available to create the role in vCenter and assign the privileges by their display names, which gave me the following cmdlet:

New-VIRole -Name "View Service" -Privilege "Create folder","Delete folder","Add or remove device","Advanced","Modify device settings","Power Off","Power On","Reset","Suspend","Create new","Remove","Customize","Deploy template","Read customization specifications","Assign virtual machine to resource pool","Act as vCenter Server"

Although the role was created and privileges were assigned, I noticed that additional privileges that weren't needed had been added to the role as well.  The reason is that the -Privilege parameter resolves each string by display name, and the names Power On and Power Off are not unique in vCenter: each of them matched the Virtual Machine Interaction privilege:


… which we needed, but also the vApp privilege of the same name:


… which we didn’t need.

After browsing around the internet without any luck, I started piping Get-VIPrivilege to Format-List (alias FL) to show the full details of each privilege instead of just its name:

Get-VIPrivilege -Name "Power On" | FL


Notice how the two Power On privileges are listed, each with its own unique Id (VirtualMachine.Interact.PowerOn versus the vApp one).  With this information, I repeated Get-VIPrivilege for every privilege required by the VMware View service role and noted the Id of the one I actually needed.  Once I had gone through the whole list of required privileges, I was able to create the role with the correct privileges using the following two cmdlets, resolving each privilege by Id rather than by name:

$priv = Get-VIPrivilege -ID Folder.Create,Folder.Delete,VirtualMachine.Config.AddRemoveDevice,VirtualMachine.Config.AdvancedConfig,VirtualMachine.Config.EditDevice,VirtualMachine.Interact.PowerOff,VirtualMachine.Interact.PowerOn,VirtualMachine.Interact.Reset,VirtualMachine.Interact.Suspend,VirtualMachine.Inventory.Create,VirtualMachine.Inventory.Delete,VirtualMachine.Provisioning.Customize,VirtualMachine.Provisioning.DeployTemplate,VirtualMachine.Provisioning.ReadCustSpecs,Resource.AssignVMToPool,Global.VCServer

New-VIRole -Name "VMware View Service" -Privilege $priv


**Note that it is important to resolve the privileges into the variable with Get-VIPrivilege -Id first and then pass that variable to New-VIRole.  Passing the Ids directly to -Privilege will not work, because -Privilege resolves string arguments by privilege display name (which is exactly how the unwanted vApp privileges crept in above), not by Id.
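To avoid going through the privileges one at a time, the following added script (not part of the original post) resolves every display name from the View 5.1 table above, reports which names match more than one privilege, and prints the Name-to-Id mapping to copy into Get-VIPrivilege -Id. It assumes an existing PowerCLI session; the vCenter host name is a placeholder.

```powershell
# Added example: find ambiguous privilege display names before building a role.
# Assumes PowerCLI is loaded; the vCenter host name below is hypothetical.
Connect-VIServer -Server vcenter.example.local

# Display names exactly as they appear in the View Manager 5.1 documentation table
$requiredNames = @(
    'Create folder', 'Delete folder',
    'Add or remove device', 'Advanced', 'Modify device settings',
    'Power Off', 'Power On', 'Reset', 'Suspend',
    'Create new', 'Remove',
    'Customize', 'Deploy template', 'Read customization specifications',
    'Assign virtual machine to resource pool',
    'Act as vCenter Server'
)

$report = foreach ($name in $requiredNames) {
    # -Name matches on display name, so one name can return several privileges.
    # -PrivilegeItem restricts the result to individual privileges, not groups.
    $found = @(Get-VIPrivilege -Name $name -PrivilegeItem -ErrorAction SilentlyContinue)
    foreach ($p in $found) {
        [pscustomobject]@{
            Name      = $name
            Id        = $p.Id
            # The first segment of the Id is the privilege group (Folder, VirtualMachine, vApp, ...)
            Group     = ($p.Id -split '\.')[0]
            Ambiguous = ($found.Count -gt 1)
        }
    }
}

# Names that resolved to nothing at all (typo, or renamed in this vCenter version)
$resolved = $report | Select-Object -ExpandProperty Name -Unique
$requiredNames | Where-Object { $resolved -notcontains $_ } |
    ForEach-Object { Write-Warning "No privilege named '$_' was found" }

# Names that resolved to more than one privilege; pick the Id in the intended group
"Ambiguous display names:"
$report | Where-Object { $_.Ambiguous } | Sort-Object Name, Id |
    Format-Table Name, Id, Group -AutoSize

# Complete Name -> Id map, the input for Get-VIPrivilege -Id
"All matches:"
$report | Sort-Object Name, Id | Format-Table Name, Id, Group -AutoSize
```

Any name that shows up under "Ambiguous display names" is one where New-VIRole -Privilege "<name>" would have pulled in every privilege of that name; the Group column is what tells you which Id belongs in the View service role.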

Once this role has been created:


… the last step was to run the following to grant the role to the domain service account:

$rootFolder = Get-Folder -NoRecursion

$myPermission = New-VIPermission -Entity $rootFolder -Principal "domain\svc_view" -Role "VMware View Service" -Propagate:$true

… which assigns the role to the domain service account on the vCenter Server object (the top-most level of the inventory, returned by Get-Folder -NoRecursion) and propagates it to all child objects, as required by the documentation here:

In vSphere Client, right-click the vCenter Server at the top level of the inventory, click Add Permission, and add the vCenter Server user.


You must define the vCenter Server user at the vCenter Server level.
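The whole procedure, as an added example that is not from the original post: create the role from privilege Ids, check that the resulting role contains exactly the intended privileges and nothing more, grant it once at the vCenter root, and confirm the permission. The vCenter host name and the service account name are placeholders.

```powershell
# Added example: least-privilege View Manager role with verification.
# Assumes PowerCLI is loaded; host name and account are hypothetical.
Connect-VIServer -Server vcenter.example.local

$roleName  = 'VMware View Service'
$principal = 'DOMAIN\svc_view'

# Privilege Ids for View Manager 5.1 (View Composer privileges are not included)
$requiredIds = @(
    'Folder.Create', 'Folder.Delete',
    'VirtualMachine.Config.AddRemoveDevice', 'VirtualMachine.Config.AdvancedConfig',
    'VirtualMachine.Config.EditDevice',
    'VirtualMachine.Interact.PowerOff', 'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.Reset', 'VirtualMachine.Interact.Suspend',
    'VirtualMachine.Inventory.Create', 'VirtualMachine.Inventory.Delete',
    'VirtualMachine.Provisioning.Customize', 'VirtualMachine.Provisioning.DeployTemplate',
    'VirtualMachine.Provisioning.ReadCustSpecs',
    'Resource.AssignVMToPool',
    'Global.VCServer'
)

# Resolve by Id (unique), never by display name (ambiguous across groups)
$priv = @(Get-VIPrivilege -Id $requiredIds)
if ($priv.Count -ne $requiredIds.Count) {
    throw "Expected $($requiredIds.Count) privileges but resolved $($priv.Count); check the Ids against this vCenter version"
}

# Create the role only if it does not exist yet, so the script can be re-run
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege $priv
}

# Verify the role holds exactly the required set. vCenter adds the System.*
# privileges (System.Anonymous, System.Read, System.View) to every role, so
# those are excluded from the comparison.
$actualIds = Get-VIPrivilege -Role $role |
    Select-Object -ExpandProperty Id |
    Where-Object { $_ -notlike 'System.*' }
$diff = Compare-Object -ReferenceObject $requiredIds -DifferenceObject $actualIds
if ($diff) {
    # '=>' rows are extra privileges in the role, '<=' rows are missing ones
    $diff | Format-Table InputObject, SideIndicator -AutoSize
    throw "Role '$roleName' does not match the required privilege set"
}

# Grant the role at the vCenter root with propagation, once
$rootFolder = Get-Folder -NoRecursion
$existing = Get-VIPermission -Entity $rootFolder -Principal $principal -ErrorAction SilentlyContinue
if (-not $existing) {
    New-VIPermission -Entity $rootFolder -Principal $principal -Role $role -Propagate:$true | Out-Null
}

# Final check: the service account should hold this role, and only this role, at the root
Get-VIPermission -Entity $rootFolder -Principal $principal |
    Format-Table Principal, Role, Propagate -AutoSize
```

The Compare-Object step is the part worth keeping in any automation around this: it would have caught the vApp Power On/Power Off privileges that the name-based New-VIRole call silently added, and it will also flag a role that someone later widens by hand.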


Note that this post only covers the permissions required for VMware View Manager and not View Composer.  I will try to find some time to write another post that includes those permissions when I get the chance.
