Thursday, March 26, 2015

Using PowerCLI to create a new vCenter Server 5.5 role and assign it to the service account used by VMware App Volumes

One of the most exciting products I've been working with recently has been VMware App Volumes, as most of the clients I work with that currently use VMware Horizon View have a need for customizing their virtual desktops but do not want the additional overhead of managing multiple master images. The deployment is actually quite simple (I'll write another blog post demonstrating this), and one task in particular that I've been performing frequently, and which could be automated, is the creation of the service account that the App Volumes Manager uses to access vCenter. Those who have come across my previous blog posts will know that I'm a huge fan of automating mundane and repetitive tasks, so this post automates the creation of the vCenter role and the permission assignment for the service account used by App Volumes Manager. The point of a dedicated role is least privilege: the service account gets exactly the privileges App Volumes needs rather than the Administrator role.

The permissions required for the service account that App Volumes Manager uses to connect to vSphere vCenter are displayed in one of the steps during the initial configuration of App Volumes Manager:

Required vCenter Permissions

  • Datastore
    • Allocate space
    • Browse datastore
    • Low level file operations
    • Remove file
    • Update virtual machine files
  • Folder
    • Create folder
    • Delete folder
  • Global
    • Cancel task
  • Host
    • Local operations
      • Create virtual machine
      • Delete virtual machine
      • Reconfigure virtual machine
  • Resource
    • Assign virtual machine to resource pool
  • Sessions
    • View and stop sessions
  • Tasks
    • Create task
  • Virtual machine
    • Configuration
      • Add existing disk
      • Add new disk
      • Add or remove device
      • Change resource
      • Remove disk
      • Settings
    • Interaction
      • Power Off
      • Power On
      • Suspend
    • Inventory
      • Create from existing
      • Create new
      • Move
      • Register
      • Remove
      • Unregister
    • Provisioning
      • Clone template
      • Clone virtual machine
      • Create template from virtual machine
      • Customize
      • Deploy template
      • Mark as template
      • Mark as virtual machine
      • Modify customization specification
      • Promote disks
      • Read customization specifications


Manually configuring the permissions from within the vSphere Client looks as follows (screenshots of the role editor for each privilege group; images not reproduced here):

Host > Local Operations

Virtual Machine > Configuration

Virtual Machine > Interaction

Virtual Machine > Inventory

Virtual Machine > Provisioning

The cmdlets to automatically create a role named App Volume Manager Service and assign it the privileges listed above are as follows. Run them from a PowerCLI session that is already connected to vCenter with Connect-VIServer; Get-VIPrivilege resolves each privilege ID against that vCenter and fails on an unknown ID, so a typo in the list surfaces here rather than as a role with missing privileges:

$priv = Get-VIPrivilege -Id @(
    'Datastore.AllocateSpace','Datastore.Browse','Datastore.FileManagement','Datastore.DeleteFile','Datastore.UpdateVirtualMachineFiles',
    'Folder.Create','Folder.Delete',
    'Global.CancelTask',
    'Host.Local.CreateVM','Host.Local.DeleteVM','Host.Local.ReconfigVM',
    'Resource.AssignVMToPool',
    'Sessions.TerminateSession',
    'Task.Create',
    'VirtualMachine.Config.AddExistingDisk','VirtualMachine.Config.AddNewDisk','VirtualMachine.Config.AddRemoveDevice','VirtualMachine.Config.Resource','VirtualMachine.Config.RemoveDisk','VirtualMachine.Config.Settings',
    'VirtualMachine.Interact.PowerOff','VirtualMachine.Interact.PowerOn','VirtualMachine.Interact.Suspend',
    'VirtualMachine.Inventory.CreateFromExisting','VirtualMachine.Inventory.Create','VirtualMachine.Inventory.Move','VirtualMachine.Inventory.Register','VirtualMachine.Inventory.Delete','VirtualMachine.Inventory.Unregister',
    'VirtualMachine.Provisioning.CloneTemplate','VirtualMachine.Provisioning.Clone','VirtualMachine.Provisioning.CreateTemplateFromVM','VirtualMachine.Provisioning.Customize','VirtualMachine.Provisioning.DeployTemplate','VirtualMachine.Provisioning.MarkAsTemplate','VirtualMachine.Provisioning.MarkAsVM','VirtualMachine.Provisioning.ModifyCustSpecs','VirtualMachine.Provisioning.PromoteDisks','VirtualMachine.Provisioning.ReadCustSpecs'
)

New-VIRole -Name "App Volume Manager Service" -Privilege $priv

With the role created, execute the following cmdlets to assign the role to the domain service account at the top-level vCenter object (the root "Datacenters" folder returned by Get-Folder -NoRecursion). -Propagate:$true pushes the permission down to every child object, so the account gets these privileges across the entire inventory managed by this vCenter; replace domain\service-avm with your own service account:

$rootFolder = Get-Folder -NoRecursion

$myPermission = New-VIPermission -Entity $rootFolder -Principal "domain\service-avm" -Role "App Volume Manager Service" -Propagate:$true
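The cmdlets above work well for a one-off run, but they are not safe to re-run: New-VIRole errors if the role already exists, and a second New-VIPermission call stacks another assignment. The following script is an added example (not from the original post) that wraps the same steps so they can be run repeatedly: it creates the role if missing, otherwise compares the existing role's privilege list against the required set and reports any drift (privileges added by hand beyond what App Volumes needs are a least-privilege regression worth knowing about), and it assigns the permission only if no assignment for that principal and role already exists at the root. The vCenter name vcenter.example.local and the account DOMAIN\service-avm are placeholder assumptions.

```powershell
# Added example, not part of the original post. Idempotent creation of the
# App Volumes service role, a privilege drift check, and a root-level
# permission assignment that is only created if it does not exist yet.
# Assumptions (placeholders, replace for your environment):
$vCenter   = 'vcenter.example.local'    # assumption: vCenter FQDN
$principal = 'DOMAIN\service-avm'        # assumption: AD service account
$roleName  = 'App Volume Manager Service'

# Required privilege IDs, grouped as in the App Volumes Manager setup wizard.
# This list is the single source of truth for what the role may contain.
$requiredPrivIds = @(
    'Datastore.AllocateSpace', 'Datastore.Browse', 'Datastore.FileManagement',
    'Datastore.DeleteFile', 'Datastore.UpdateVirtualMachineFiles',
    'Folder.Create', 'Folder.Delete',
    'Global.CancelTask',
    'Host.Local.CreateVM', 'Host.Local.DeleteVM', 'Host.Local.ReconfigVM',
    'Resource.AssignVMToPool',
    'Sessions.TerminateSession',
    'Task.Create',
    'VirtualMachine.Config.AddExistingDisk', 'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Config.AddRemoveDevice', 'VirtualMachine.Config.Resource',
    'VirtualMachine.Config.RemoveDisk', 'VirtualMachine.Config.Settings',
    'VirtualMachine.Interact.PowerOff', 'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.Suspend',
    'VirtualMachine.Inventory.CreateFromExisting', 'VirtualMachine.Inventory.Create',
    'VirtualMachine.Inventory.Move', 'VirtualMachine.Inventory.Register',
    'VirtualMachine.Inventory.Delete', 'VirtualMachine.Inventory.Unregister',
    'VirtualMachine.Provisioning.CloneTemplate', 'VirtualMachine.Provisioning.Clone',
    'VirtualMachine.Provisioning.CreateTemplateFromVM', 'VirtualMachine.Provisioning.Customize',
    'VirtualMachine.Provisioning.DeployTemplate', 'VirtualMachine.Provisioning.MarkAsTemplate',
    'VirtualMachine.Provisioning.MarkAsVM', 'VirtualMachine.Provisioning.ModifyCustSpecs',
    'VirtualMachine.Provisioning.PromoteDisks', 'VirtualMachine.Provisioning.ReadCustSpecs'
)

Connect-VIServer -Server $vCenter | Out-Null

# Resolve every ID up front. Get-VIPrivilege errors on an unknown ID, so a
# typo fails here instead of silently yielding a role with fewer privileges.
$requiredPrivs = Get-VIPrivilege -Id $requiredPrivIds

$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege $requiredPrivs
    Write-Host "Created role '$roleName' with $($requiredPrivIds.Count) privileges"
} else {
    # Drift check: do not trust the role name, compare its actual privilege
    # list (VIRole.PrivilegeList holds the privilege IDs) with the required set.
    $diff    = Compare-Object -ReferenceObject $requiredPrivIds -DifferenceObject $role.PrivilegeList
    $missing = $diff | Where-Object { $_.SideIndicator -eq '<=' } | Select-Object -ExpandProperty InputObject
    $extra   = $diff | Where-Object { $_.SideIndicator -eq '=>' } | Select-Object -ExpandProperty InputObject
    if ($missing) {
        Set-VIRole -Role $role -AddPrivilege (Get-VIPrivilege -Id $missing) | Out-Null
        Write-Host "Added missing privileges to '$roleName': $($missing -join ', ')"
    }
    if ($extra) {
        # Deliberately not removed automatically: report so a human decides
        # whether the role has grown beyond what App Volumes requires.
        Write-Warning "Role '$roleName' carries privileges beyond the required list: $($extra -join ', ')"
    }
    if (-not $missing -and -not $extra) { Write-Host "Role '$roleName' matches the required privilege list" }
}

# Assign at the root 'Datacenters' folder with propagation, but only once.
$rootFolder = Get-Folder -NoRecursion
$existing   = Get-VIPermission -Entity $rootFolder -Principal $principal -ErrorAction SilentlyContinue |
              Where-Object { $_.Role -eq $roleName }
if ($existing) {
    Write-Host "Permission for $principal with role '$roleName' already present at root"
} else {
    New-VIPermission -Entity $rootFolder -Principal $principal -Role $roleName -Propagate:$true | Out-Null
    Write-Host "Assigned '$roleName' to $principal at root with propagation"
}

# Final verification: show what the principal actually holds at the root.
Get-VIPermission -Entity $rootFolder -Principal $principal |
    Select-Object Principal, Role, Propagate, @{ n = 'Entity'; e = { $_.Entity.Name } }
```

Run it from a PowerCLI session as a user with permission to manage roles and permissions on vCenter. Extra privileges found on an existing role are only reported, never stripped, because removing a privilege that something else depends on is a worse outage than leaving a warning in the log; the report is what lets you keep the service account at the privilege set App Volumes actually requires over time.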


Note that the cmdlets above were tested with VMware vCenter 5.5 Update 2d and VMware App Volumes Manager

1 comment:

digital certificates said...

I have learned so much from your post. I would definitely bookmark your site to be updated with your upcoming articles. Great job! So much information.