readd-permission

by Grzegorz Kulikowski

This is only usefull if you get into problems with VC, if everything is ok then powercli cmdlet is more than enough for managing permissions. I could not do it via powercli cmdlet because i was receving error (user already exists, which is sort of true, but that due to the ‘issue’ i had).
Kudos to William Lam LINK He was describing accessing other methods, really helpful article for what i had to do.
Via powershell you will be calling methods in the same way as you would do it via mob(via your web browser)
The way i did this particular one is that , first you would have to login to VC, then get permissions in some variable so , $perms=get-vipermission
Then you would call it readd-permission -permission $perms[4]
for example. if would transform the [domain]\username to [full.domain.name]\username and later on will add the permission on exactly the same object, in the same way as the permission you are sending was built. I also left 1 parameter if you want to edit on the fly the username , so with: -user ‘shortdomain\username’ you will be replacing the current user on the permission you sent to the function.
I don’t want to go too deep with the issue i had but, all in all i had issues with not being able to search entities (any kind, vm, network, datastore,host).
[sourcecode language=”powershell”]
function readd-permission{
[CmdletBinding()]
param(
[parameter(Mandatory=$true)]
[VMware.VimAutomation.Types.PermissionManagement.Permission]
$permission,
$user,
$vcenter=$global:DefaultVIServer.name
)
$entity=$permission.EntityId
$principal=$permission.Principal
$isgroup=$permission.isgroup
if($user){$principal=$user}
$udomain=$principal.Split(‘\’)[0]
$domain = (((([ADSI]"LDAP://$udomain").DistinguishedName).Split(‘DC=’)).replace(‘,’,”) |?{$_}) -join ‘.’
$properusername=$principal.Split(‘\’)[1]+’@’+$domain
$principal=[uri]::EscapeDataString($properusername)
[uri]::EscapeUriString($properusername)
$propagate=$permission.Propagate
$roleid=$permission.ExtensionData.RoleId
[regex]$pattern = ‘-‘
$goodentity = [uri]::EscapeDataString($pattern.replace($entity,’:’,1))
$mob_url = "https://$vcenter/invsvc/mob3/?moid=authorizationService&method=AuthorizationService.AddAccessControlList"
$sessionnonce = (Invoke-WebRequest -Uri $mob_url -SessionVariable vmware -Credential $cred -Method GET).inputfields[0].value
$iuuid = $global:DefaultVIServer.InstanceUuid
$body = @"
vmware-session-nonce=$sessionnonce&docUri=urn%3Avmomi%3A$goodentity%3A$iuuid&permissions=%3Cpermissions%3E%0D%0A+++%3Cprincipal%3E%0D%0A++++++%3Cname%3E$principal%3C%2Fname%3E%0D%0A++++++%3Cgroup%3E$isgroup%3C%2Fgroup%3E%0D%0A+++%3C%2Fprincipal%3E%0D%0A+++%3Croles%3E$roleid%3C%2Froles%3E%0D%0A+++%3Cpropagate%3E$propagate%3C%2Fpropagate%3E%0D%0A+++%3Cversion%3E42%3C%2Fversion%3E%0D%0A%3C%2Fpermissions%3E
"@
Invoke-WebRequest -Uri $mob_url -WebSession $vmware -Method POST -Body $body
$body
$result = (get-view -id $entity).permission
return $result
}
[/sourcecode]

before running this , you would already need the $cred variable prepared + ignore ssl issue
[sourcecode language=”powershell”]
add-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;

public class IDontCarePolicy : ICertificatePolicy {
public IDontCarePolicy() {}
public bool CheckValidationResult(
ServicePoint sPoint, X509Certificate cert,
WebRequest wRequest, int certProb) {
return true;
}
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = new-object IDontCarePolicy
$cred = get-credential
[/sourcecode]

You may also like

Leave a Reply

Chinese (Simplified)EnglishFrenchGermanHindiPolishSpanish