As demonstrated in one of my previous posts:
Using PowerCLI to create new role and assign service account used by VMware View Manager 5.1 permissions for vCenter Server
http://terenceluk.blogspot.com/2013/03/using-powercli-to-create-new-role-and.html
… you can use PowerCLI to create, configure and assign the role required for the VMware View Manager and View Composer service account to access vCenter. As I find myself involved with VMware Horizon View projects more and more, I want to cut back the amount of time required to set up or fix account permissions, so this post demonstrates how to create, configure and assign the role and service account for VMware Horizon View 5.2 and VMware vCenter 5.1.
Before I begin, note that the documentation for the required permissions I will be using can be found at the following URLs:
Configuring User Accounts for vCenter Server and View Composer
http://pubs.vmware.com/view-52/index.jsp?topic=%2Fcom.vmware.view.installation.doc%2FGUID-997107E5-F66D-494C-B2BA-A74977C7804C.html
View Manager Privileges Required for the vCenter Server User
http://pubs.vmware.com/view-52/index.jsp?topic=%2Fcom.vmware.view.installation.doc%2FGUID-A878F876-B359-42FC-9124-A1E34BFB3319.html
View Composer Privileges Required for the vCenter Server User
Assigning permissions to a variable
Prior to creating the role, we’ll need to assign the required privileges to a variable, and before doing so we’ll need to identify the unique Id of each privilege by running the following PowerCLI command for each permission required:
Get-VIPrivilege -Name "<Name of permissions>" | FL
The reason we need to identify the unique Id is that permission names such as Power On are generic and appear under several nodes, such as Interaction:
… and vApp:
… which are permissions we don’t need. Without making this post too long, I will demonstrate the output for the Power On permission in PowerCLI:
Connect-VIServer <yourvCenterFQDN>
Get-VIPrivilege -Name "Power On" | FL
Note that the Power On privilege we’re interested in is the one under the ParentGroupID VirtualMachine.Interact, and its unique Id is VirtualMachine.Interact.PowerOn.
Once I had gone through the list of required privileges, I assigned them to a variable with the following cmdlet:
$priv = Get-VIPrivilege -ID Folder.Create,Folder.Delete,Datastore.AllocateSpace,Datastore.Browse,Datastore.FileManagement,Host.Config.AdvancedConfig,VirtualMachine.Config.AddExistingDisk,VirtualMachine.Config.AddNewDisk,VirtualMachine.Config.AddRemoveDevice,VirtualMachine.Config.AdvancedConfig,VirtualMachine.Config.CPUCount,VirtualMachine.Config.Resource,VirtualMachine.Config.ManagedBy,VirtualMachine.Config.ChangeTracking,VirtualMachine.Config.DiskLease,VirtualMachine.Config.MksControl,VirtualMachine.Config.DiskExtend,VirtualMachine.Config.HostUSBDevice,VirtualMachine.Config.Memory,VirtualMachine.Config.EditDevice,VirtualMachine.Config.QueryFTCompatibility,VirtualMachine.Config.QueryUnownedFiles,VirtualMachine.Config.RawDevice,VirtualMachine.Config.ReloadFromPath,VirtualMachine.Config.RemoveDisk,VirtualMachine.Config.Rename,VirtualMachine.Config.ResetGuestInfo,VirtualMachine.Config.Annotation,VirtualMachine.Config.Settings,VirtualMachine.Config.SwapPlacement,VirtualMachine.Config.Unlock,VirtualMachine.Config.UpgradeVirtualHardware,VirtualMachine.Interact.PowerOff,VirtualMachine.Interact.PowerOn,VirtualMachine.Interact.Reset,VirtualMachine.Interact.Suspend,VirtualMachine.Inventory.CreateFromExisting,VirtualMachine.Inventory.Create,VirtualMachine.Inventory.Move,VirtualMachine.Inventory.Register,VirtualMachine.Inventory.Delete,VirtualMachine.Inventory.Unregister,VirtualMachine.Provisioning.DiskRandomAccess,VirtualMachine.Provisioning.Clone,VirtualMachine.Provisioning.Customize,VirtualMachine.Provisioning.DeployTemplate,VirtualMachine.Provisioning.ReadCustSpecs,VirtualMachine.State.CreateSnapshot,VirtualMachine.State.RemoveSnapshot,VirtualMachine.State.RenameSnapshot,VirtualMachine.State.RevertToSnapshot,Resource.AssignVMToPool,Resource.ColdMigrate,Global.EnableMethods,Global.DisableMethods,Global.SystemTag,Global.VCServer,Network.Assign,Network.Config,Network.Move,Network.Delete
Creating the VMware View service role and assigning permissions
With the permissions stored in a variable, what we need to do is combine the cmdlet that creates the role with the stored permissions, as such:
$priv = Get-VIPrivilege -ID Folder.Create,Folder.Delete,Datastore.AllocateSpace,Datastore.Browse,Datastore.FileManagement,Host.Config.AdvancedConfig,VirtualMachine.Config.AddExistingDisk,VirtualMachine.Config.AddNewDisk,VirtualMachine.Config.AddRemoveDevice,VirtualMachine.Config.AdvancedConfig,VirtualMachine.Config.CPUCount,VirtualMachine.Config.Resource,VirtualMachine.Config.ManagedBy,VirtualMachine.Config.ChangeTracking,VirtualMachine.Config.DiskLease,VirtualMachine.Config.MksControl,VirtualMachine.Config.DiskExtend,VirtualMachine.Config.HostUSBDevice,VirtualMachine.Config.Memory,VirtualMachine.Config.EditDevice,VirtualMachine.Config.QueryFTCompatibility,VirtualMachine.Config.QueryUnownedFiles,VirtualMachine.Config.RawDevice,VirtualMachine.Config.ReloadFromPath,VirtualMachine.Config.RemoveDisk,VirtualMachine.Config.Rename,VirtualMachine.Config.ResetGuestInfo,VirtualMachine.Config.Annotation,VirtualMachine.Config.Settings,VirtualMachine.Config.SwapPlacement,VirtualMachine.Config.Unlock,VirtualMachine.Config.UpgradeVirtualHardware,VirtualMachine.Interact.PowerOff,VirtualMachine.Interact.PowerOn,VirtualMachine.Interact.Reset,VirtualMachine.Interact.Suspend,VirtualMachine.Inventory.CreateFromExisting,VirtualMachine.Inventory.Create,VirtualMachine.Inventory.Move,VirtualMachine.Inventory.Register,VirtualMachine.Inventory.Delete,VirtualMachine.Inventory.Unregister,VirtualMachine.Provisioning.DiskRandomAccess,VirtualMachine.Provisioning.Clone,VirtualMachine.Provisioning.Customize,VirtualMachine.Provisioning.DeployTemplate,VirtualMachine.Provisioning.ReadCustSpecs,VirtualMachine.State.CreateSnapshot,VirtualMachine.State.RemoveSnapshot,VirtualMachine.State.RenameSnapshot,VirtualMachine.State.RevertToSnapshot,Resource.AssignVMToPool,Resource.ColdMigrate,Global.EnableMethods,Global.DisableMethods,Global.SystemTag,Global.VCServer,Network.Assign,Network.Config,Network.Move,Network.Delete
New-VIRole -Name "VMware View Service" -Privilege $priv
Once this role has been created:
… the last step is to execute the following to add your domain service account to the role:
$rootFolder = Get-Folder -NoRecursion
$myPermission = New-VIPermission -Entity $rootFolder -Principal "domain\svc_view" -Role "VMware View Service" -Propagate:$true
… which assigns the domain service account at the vCenter object (topmost level), as indicated as a requirement in the documentation here:
In vSphere Client, right-click the vCenter Server at the top level of the inventory, click Add Permission, and add the vCenter Server user.
Note
You must define the vCenter Server user at the vCenter Server level.
Note that the cmdlets above were tested with VMware Horizon View 5.2 and vCenter 5.1.0 Build 947673.
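The steps above work as a one-off, but on a second run New-VIRole fails because the role already exists, and nothing checks afterwards that the role still holds exactly the documented privilege set. The following script is an added example, not code from the original post, that performs the same procedure idempotently: it resolves every privilege Id individually so a typo is reported instead of silently dropped, creates the role or reconciles an existing one back to the documented list, assigns the service account at the vCenter root only if that permission is not already present, and finally audits the role for privilege drift. The vCenter FQDN and the service account principal are placeholders; the role name and privilege list are the ones used in the post.

```powershell
# Added example (not from the original post). Assumed placeholders: $vCenter
# and $principal; replace them for your environment. Requires PowerCLI and
# PowerShell 3.0 or later (for the -notin operator).
$vCenter   = "vcenter.example.local"   # placeholder vCenter FQDN
$roleName  = "VMware View Service"
$principal = "DOMAIN\svc_view"         # placeholder service account

# Documented privilege set, grouped by parent node and expanded to full Ids.
# Full Ids (not display names) are used because names such as "Power On"
# exist under several nodes (VirtualMachine.Interact, vApp, ...).
$groups = @{
    "Folder"                      = "Create","Delete"
    "Datastore"                   = "AllocateSpace","Browse","FileManagement"
    "Host.Config"                 = "AdvancedConfig"
    "VirtualMachine.Config"       = "AddExistingDisk","AddNewDisk","AddRemoveDevice","AdvancedConfig",
                                    "CPUCount","Resource","ManagedBy","ChangeTracking","DiskLease",
                                    "MksControl","DiskExtend","HostUSBDevice","Memory","EditDevice",
                                    "QueryFTCompatibility","QueryUnownedFiles","RawDevice","ReloadFromPath",
                                    "RemoveDisk","Rename","ResetGuestInfo","Annotation","Settings",
                                    "SwapPlacement","Unlock","UpgradeVirtualHardware"
    "VirtualMachine.Interact"     = "PowerOff","PowerOn","Reset","Suspend"
    "VirtualMachine.Inventory"    = "CreateFromExisting","Create","Move","Register","Delete","Unregister"
    "VirtualMachine.Provisioning" = "DiskRandomAccess","Clone","Customize","DeployTemplate","ReadCustSpecs"
    "VirtualMachine.State"        = "CreateSnapshot","RemoveSnapshot","RenameSnapshot","RevertToSnapshot"
    "Resource"                    = "AssignVMToPool","ColdMigrate"
    "Global"                      = "EnableMethods","DisableMethods","SystemTag","VCServer"
    "Network"                     = "Assign","Config","Move","Delete"
}
$requiredIds = foreach ($g in $groups.GetEnumerator()) {
    foreach ($leaf in $g.Value) { "$($g.Key).$leaf" }
}

Connect-VIServer -Server $vCenter | Out-Null

# 1. Resolve each Id on its own so an unknown Id is named in the error.
$missing = @()
foreach ($id in $requiredIds) {
    try   { Get-VIPrivilege -Id $id -ErrorAction Stop | Out-Null }
    catch { $missing += $id }
}
if ($missing) { throw "Unknown privilege Ids: $($missing -join ', ')" }
$priv = Get-VIPrivilege -Id $requiredIds

# 2. Create the role once; on later runs reconcile it to exactly this list.
#    System.Anonymous, System.Read and System.View are present on every
#    vCenter role and are therefore excluded from the comparison.
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege $priv
} else {
    $current = $role.PrivilegeList | Where-Object { $_ -notlike "System.*" }
    $extra   = $current     | Where-Object { $_ -notin $requiredIds }
    $absent  = $requiredIds | Where-Object { $_ -notin $current }
    if ($extra)  { Set-VIRole -Role $role -RemovePrivilege (Get-VIPrivilege -Id $extra)  | Out-Null }
    if ($absent) { Set-VIRole -Role $role -AddPrivilege    (Get-VIPrivilege -Id $absent) | Out-Null }
}

# 3. Assign the role at the vCenter root (propagating) only if not already there.
$rootFolder = Get-Folder -NoRecursion
$existing = Get-VIPermission -Entity $rootFolder -Principal $principal -ErrorAction SilentlyContinue |
            Where-Object { $_.Role -eq $roleName }
if (-not $existing) {
    New-VIPermission -Entity $rootFolder -Principal $principal -Role $roleName -Propagate:$true | Out-Null
}

# 4. Audit: report any privilege the role carries beyond the documented set.
$final      = (Get-VIRole -Name $roleName).PrivilegeList | Where-Object { $_ -notlike "System.*" }
$unexpected = $final | Where-Object { $_ -notin $requiredIds }
if ($unexpected) {
    Write-Warning "Role '$roleName' carries privileges beyond the documented set: $($unexpected -join ', ')"
} else {
    Write-Host "Role '$roleName' matches the documented privilege set ($($final.Count) privileges)."
}
```

Step 4 is the part worth keeping around after the initial setup: re-running it periodically (or after someone "temporarily" widens the role in the vSphere Client) tells you whether the View service account still holds only the privileges the documentation calls for.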