Monday, April 8, 2013

Using PowerCLI to create new role and assign service account used by VMware Horizon View 5.2 (View Manager & View Composer) permissions for vCenter Server 5.1

As demonstrated in one of my previous posts:

Using PowerCLI to create new role and assign service account used by VMware View Manager 5.1 permissions for vCenter Server

http://terenceluk.blogspot.com/2013/03/using-powercli-to-create-new-role-and.html

… you can use PowerCLI to create, configure and assign the role required for the VMware View Manager and View Composer service account to access the vCenter.  As I notice that I am involved with VMware Horizon View projects more and more, I find it important to cut back the amount of time required to setup or fix account permissions so this post serves to demonstrate how to create, configure and assign the role and service account for VMware Horizon View 5.2 and VMware vCenter 5.1.

Before I being, note that the documentation for the required permissions that I will be using can be found at the following URLs:

Configuring User Accounts for vCenter Server and View Composer
http://pubs.vmware.com/view-52/index.jsp?topic=%2Fcom.vmware.view.installation.doc%2FGUID-997107E5-F66D-494C-B2BA-A74977C7804C.html

View Manager Privileges Required for the vCenter Server User
http://pubs.vmware.com/view-52/index.jsp?topic=%2Fcom.vmware.view.installation.doc%2FGUID-A878F876-B359-42FC-9124-A1E34BFB3319.html

View Composer Privileges Required for the vCenter Server User

http://pubs.vmware.com/view-52/index.jsp?topic=%2Fcom.vmware.view.installation.doc%2FGUID-467F552F-3034-4917-A985-B5E5FEC5C68F.html

Assigning permissions to variable

Prior to creating the role, we’ll need to assign the required permissions to a variable and prior to assigning the permissions to variable, we’ll need to identify the unique Id for the privilege by using the following PowerCLI command for each permission required:

Get-VIPrivilege -Name “<Name of permissions>” | FL

The reason why we need to identify the unique Id is because permissions such as Power On are generic and can be found in nodes such as Interaction:

clip_image001

… and vApp:

clip_image001[4]

… which are permissions we don’t need.  Without making this post too long, I will demonstrate the output for the Power On permissions in the PowerCLI:

Connect-VIServer <yourvCenterFQDN>

Get-VIPrivilege -Name “Power On” | FL

clip_image001[6]

Note that the Power On permissions we’re interested in is under the ParentGroupID VirtualMachine.Interact and the unique Id is VirtualMachine.Interact.PowerOn.

Once I’ve gone through the list of privileges required, I was able to assign the permissions with the following cmdlet to assign the permissions to a variable:

$priv = Get-VIPrivilege -ID Folder.Create,Folder.Delete,Datastore.AllocateSpace,Datastore.Browse,Datastore.FileManagement,Host.Config.AdvancedConfig,VirtualMachine.Config.AddExistingDisk,VirtualMachine.Config.AddNewDisk,VirtualMachine.Config.AddRemoveDevice,VirtualMachine.Config.AdvancedConfig,VirtualMachine.Config.CPUCount,VirtualMachine.Config.Resource,VirtualMachine.Config.ManagedBy,VirtualMachine.Config.ChangeTracking,VirtualMachine.Config.DiskLease,VirtualMachine.Config.MksControl,VirtualMachine.Config.DiskExtend,VirtualMachine.Config.HostUSBDevice,VirtualMachine.Config.Memory,VirtualMachine.Config.EditDevice,VirtualMachine.Config.QueryFTCompatibility,VirtualMachine.Config.QueryUnownedFiles,VirtualMachine.Config.RawDevice,VirtualMachine.Config.ReloadFromPath,VirtualMachine.Config.RemoveDisk,VirtualMachine.Config.Rename,VirtualMachine.Config.ResetGuestInfo,VirtualMachine.Config.Annotation,VirtualMachine.Config.Settings,VirtualMachine.Config.SwapPlacement,VirtualMachine.Config.Unlock,VirtualMachine.Config.UpgradeVirtualHardware,VirtualMachine.Interact.PowerOff,VirtualMachine.Interact.PowerOn,VirtualMachine.Interact.Reset,VirtualMachine.Interact.Suspend,VirtualMachine.Inventory.CreateFromExisting,VirtualMachine.Inventory.Create,VirtualMachine.Inventory.Move,VirtualMachine.Inventory.Register,VirtualMachine.Inventory.Delete,VirtualMachine.Inventory.Unregister,VirtualMachine.Provisioning.DiskRandomAccess,VirtualMachine.Provisioning.Clone,VirtualMachine.Provisioning.Customize,VirtualMachine.Provisioning.DeployTemplate,VirtualMachine.Provisioning.ReadCustSpecs,VirtualMachine.State.CreateSnapshot,VirtualMachine.State.RemoveSnapshot,VirtualMachine.State.RenameSnapshot,VirtualMachine.State.RevertToSnapshot,Resource.AssignVMToPool,Resource.ColdMigrate,Global.EnableMethods,Global.DisableMethods,Global.SystemTag,Global.VCServer,Network.Assign,Network.Config,Network.Move,Network.Delete

Creating the VMware View service role and assigning permissions

With the permissions stored in a variable, what need to do is combine the cmdlet to create the role and assign the stored permissions as such:

$priv = Get-VIPrivilege -ID Folder.Create,Folder.Delete,Datastore.AllocateSpace,Datastore.Browse,Datastore.FileManagement,Host.Config.AdvancedConfig,VirtualMachine.Config.AddExistingDisk,VirtualMachine.Config.AddNewDisk,VirtualMachine.Config.AddRemoveDevice,VirtualMachine.Config.AdvancedConfig,VirtualMachine.Config.CPUCount,VirtualMachine.Config.Resource,VirtualMachine.Config.ManagedBy,VirtualMachine.Config.ChangeTracking,VirtualMachine.Config.DiskLease,VirtualMachine.Config.MksControl,VirtualMachine.Config.DiskExtend,VirtualMachine.Config.HostUSBDevice,VirtualMachine.Config.Memory,VirtualMachine.Config.EditDevice,VirtualMachine.Config.QueryFTCompatibility,VirtualMachine.Config.QueryUnownedFiles,VirtualMachine.Config.RawDevice,VirtualMachine.Config.ReloadFromPath,VirtualMachine.Config.RemoveDisk,VirtualMachine.Config.Rename,VirtualMachine.Config.ResetGuestInfo,VirtualMachine.Config.Annotation,VirtualMachine.Config.Settings,VirtualMachine.Config.SwapPlacement,VirtualMachine.Config.Unlock,VirtualMachine.Config.UpgradeVirtualHardware,VirtualMachine.Interact.PowerOff,VirtualMachine.Interact.PowerOn,VirtualMachine.Interact.Reset,VirtualMachine.Interact.Suspend,VirtualMachine.Inventory.CreateFromExisting,VirtualMachine.Inventory.Create,VirtualMachine.Inventory.Move,VirtualMachine.Inventory.Register,VirtualMachine.Inventory.Delete,VirtualMachine.Inventory.Unregister,VirtualMachine.Provisioning.DiskRandomAccess,VirtualMachine.Provisioning.Clone,VirtualMachine.Provisioning.Customize,VirtualMachine.Provisioning.DeployTemplate,VirtualMachine.Provisioning.ReadCustSpecs,VirtualMachine.State.CreateSnapshot,VirtualMachine.State.RemoveSnapshot,VirtualMachine.State.RenameSnapshot,VirtualMachine.State.RevertToSnapshot,Resource.AssignVMToPool,Resource.ColdMigrate,Global.EnableMethods,Global.DisableMethods,Global.SystemTag,Global.VCServer,Network.Assign,Network.Config,Network.Move,Network.Delete

New-VIRole -Name "VMware View Service" -Privilege $priv

clip_image001[8]

Once this role has been created:

clip_image001[10]

… the last step was to execute the following to add your domain service account to the role:

$rootFolder = Get-Folder -NoRecursion

$myPermission = New-VIPermission -Entity $rootFolder -Principal “domain\svc_view” -Role “VMware View Service” -Propagate:$true

clip_image001[12]

… which will assign the domain service account to the vCenter object (top most level) indicated as a requirement in the documentation here:

In vSphere Client, right-click the vCenter Server at the top level of the inventory, click Add Permission, and add the vCenter Server user.

Note

You must define the vCenter Server user at the vCenter Server level.

http://pubs.vmware.com/view-51/index.jsp?topic=%2Fcom.vmware.view.installation.doc%2FGUID-80D653FA-BCC0-45B9-AF84-5E0EEC2AD139.html

clip_image001[14]

Note that the cmdlet above was tested with VMware Horizon View 5.2 and vCenter 5.1.0 Build 947673.

No comments: