DEFINE USERS AND THEIR PRIVILEGES
PART I: Install, Configure, and Manage the vSphere Environment
A new role can also be created at a granular level. First choose the privileges you
want to use:
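# Empty array that will hold the resolved privilege objects
$Priv = @()
# IDs of the privileges to include in the new role
$MyPriv = "Profile", "VCIntegrity.Baseline", `
    "VApp.Move", "Profile.Clear"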
And then add each of them into a custom object:
# Look up each privilege ID and append the matching object to $Priv
Foreach ($CustPriv in $MyPriv){
    $Priv += Get-VIPrivilege | Where {$_.Id -eq $CustPriv}
}
You can then use the custom object to apply your specific permissions to the new role:
New-VIRole "New selected Role" -Privilege $Priv
Bringing in Users
Now that you have de ned your roles, you can start using them. Until now, you
have only been working with roles and privileges. Once you de ne what you want
your user to be able to do, you need to add users and grant them access to the roles.
You can then enable them to start using the features of the vSphere Client.
A role or privilege can be assigned to any of the objects within a vCenter Server. Each
of the objects can be defined by different roles or privileges. Together, objects, roles,
and privileges make up a permission set. Permission sets can be inherited; inheritance
ensures that each object underneath a datacenter, cluster, resource pool, or folder
gives the users the correct access privileges.
So it comes as no great surprise that, when adding a permission through PowerCLI,
you must consider three areas:
Role: The role which you will assign to the user
Principal: The user or group to which you wish to assign permissions
Entity: The object, folder, cluster, datacenter, or resource pool for which you would
like to grant permissions to the user
In the code that follows, we grant a user (MyDomain\User01) access to New Custom Role
at the datacenter level:
New-VIPermission -Role 'New Custom Role' `
    -Principal 'MYDOMAIN\User01' `
    -Entity (Get-Datacenter)
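The role creation and permission grant above, combined with the checks a least-privilege review would want, as an added example that is not code from the book. The Where filter silently skips any privilege ID that does not match, and Get-Datacenter with no name returns every datacenter, so this version fails on unknown IDs, scopes the grant to one named datacenter, and reads the result back. It assumes VMware PowerCLI with an existing Connect-VIServer session; the datacenter name DC01 is hypothetical.

```powershell
# Added example: assumes VMware PowerCLI and an existing Connect-VIServer session.
$RoleName  = 'New selected Role'   # role name used on this page
$Principal = 'MYDOMAIN\User01'     # principal used on this page
$DcName    = 'DC01'                # hypothetical datacenter name (assumption)
$MyPriv    = 'Profile', 'VCIntegrity.Baseline', 'VApp.Move', 'Profile.Clear'

# Resolve each privilege ID and record any ID that this server does not know,
# instead of letting the filter drop it without notice.
$Priv    = @()
$Missing = @()
foreach ($CustPriv in $MyPriv) {
    $Match = Get-VIPrivilege | Where-Object { $_.Id -eq $CustPriv }
    if ($Match) { $Priv += $Match } else { $Missing += $CustPriv }
}
if ($Missing.Count -gt 0) {
    throw "Unknown privilege IDs, role not created: $($Missing -join ', ')"
}

# Create the role only if it is not already present.
$Role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
if (-not $Role) {
    $Role = New-VIRole -Name $RoleName -Privilege $Priv
}

# Scope the grant to one named datacenter and state inheritance explicitly.
$Dc = Get-Datacenter -Name $DcName -ErrorAction Stop
New-VIPermission -Role $Role -Principal $Principal -Entity $Dc `
    -Propagate $true | Out-Null

# Read the permission back so the grant can be reviewed and logged.
Get-VIPermission -Entity $Dc -Principal $Principal |
    Select-Object Entity, Principal, Role, Propagate

# List the privileges the role actually carries.
(Get-VIRole -Name $RoleName).PrivilegeList
```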