Let's go back to basics...
Let's take a walk down memory lane. Think back to when we were learning about permissions: what was beaten into our heads? Assign users and service accounts the least amount of permissions possible to do their jobs or accomplish the task at hand.
A lot of VMware environments I walk into seem to have forgotten this very important rule. In larger environments it is especially important because of the different types of users who have access to the VMware environment.
You can always go through the GUI to add these permissions, but if you have it scripted, you can use it over and over again in your deployments.
Let's start with VMware Horizon View 6.1 / 6.2
Using a Variable to Assign Permissions
Connect to your vCenter instance by running the "Connect-VIServer -Server vcenter.domain" command.
Before we create the role, we need to load the required privileges into a variable. To do that we need each privilege's unique Id, which we can look up with the "Get-VIPrivilege" PowerCLI command. We need the Id rather than the display name because the same name is reused under several privilege groups; "Create", for example, appears under multiple groups.
Get-VIPrivilege -Name "<Name of permissions>" | FL
For example, the first permission you need for a vCenter Server user for Horizon View is "Create Folder". As highlighted below, the ID for "Create Folder" is "Folder.Create".
Once you go through the list you will have a list of privileges that you can load into your variable.
$perms = Get-VIPrivilege -ID Folder.Create,Folder.Delete,VirtualMachine.Interact.PowerOff,VirtualMachine.Interact.PowerOn,VirtualMachine.Interact.Reset,VirtualMachine.Interact.Suspend,VirtualMachine.Provisioning.Customize,VirtualMachine.Provisioning.DeployTemplate,VirtualMachine.Provisioning.ReadCustSpecs,Host.Config.AdvancedConfig,Datastore.AllocateSpace,VirtualMachine.Config.AddRemoveDevice,VirtualMachine.Config.AdvancedConfig,VirtualMachine.Config.EditDevice,VirtualMachine.Inventory.Create,VirtualMachine.Inventory.CreateFromExisting,VirtualMachine.Inventory.Delete,Resource.AssignVMToPool,Global.VCServer,StorageProfile
Creating the Horizon View (6.X) vCenter Custom Role
After the variable is stored, all we need to do is run the "New-VIRole" command.
New-VIRole -Name "Horizon View Role - No Composer" -Privilege $perms
After running the command, you will see the new role created in vCenter.
The last step is to grant the domain user the new role on the top-level vCenter object.
$VCPerms = Get-Folder -NoRecursion
$myPermission = New-VIPermission -Entity $VCPerms -Principal "DOMAIN\user" -Role "Horizon View Role - No Composer" -Propagate:$true
It's a requirement to apply this role to the top-level vCenter object, per the Horizon View documentation.
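The steps above work, but run a second time they will fail on the duplicate role, and a mistyped privilege ID is silently dropped by Get-VIPrivilege, leaving you with a role that looks right but is missing a privilege. The function below is an added example (not code from the original post): it wraps the same PowerCLI cmdlets, fails closed when any requested ID does not resolve, and only creates the role and permission when they are missing, so it can be re-run safely. It assumes PowerCLI is loaded and Connect-VIServer has already been run; the principal name is a placeholder.

```powershell
# Added example: create a least-privilege vCenter role idempotently and grant it on
# the top-level object. Assumes an existing Connect-VIServer session.

function New-LeastPrivilegeRole {
    param(
        [Parameter(Mandatory)] [string]   $RoleName,
        [Parameter(Mandatory)] [string[]] $PrivilegeId,
        [Parameter(Mandatory)] [string]   $Principal,   # placeholder, e.g. 'DOMAIN\svc-horizon'
        [switch] $Propagate
    )

    # Resolve every requested ID. Collect the ones that did not resolve instead of
    # letting Get-VIPrivilege drop them; a typo must stop the run, not weaken the role.
    $resolved = Get-VIPrivilege -Id $PrivilegeId -ErrorAction SilentlyContinue
    $missing  = $PrivilegeId | Where-Object { $_ -notin @($resolved.Id) }
    if ($missing) {
        throw "Unknown privilege ID(s): $($missing -join ', ')"
    }

    # Create the role only if it does not exist yet, so re-runs are harmless.
    $role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
    if (-not $role) {
        $role = New-VIRole -Name $RoleName -Privilege $resolved
    }

    # Horizon requires the permission on the top-level vCenter object (root folder).
    $root     = Get-Folder -NoRecursion
    $existing = Get-VIPermission -Entity $root -Principal $Principal -ErrorAction SilentlyContinue |
                Where-Object { $_.Role -eq $RoleName }
    if (-not $existing) {
        New-VIPermission -Entity $root -Principal $Principal -Role $RoleName -Propagate:$Propagate | Out-Null
    }

    # Return what was actually granted so it can be logged or reviewed.
    [pscustomobject]@{
        Role           = $role.Name
        PrivilegeCount = @($role.PrivilegeList).Count
        Principal      = $Principal
        Entity         = $root.Name
    }
}

# Usage with the Horizon View (no Composer) privilege list from this post.
$horizonPrivs = @(
    'Folder.Create', 'Folder.Delete',
    'VirtualMachine.Interact.PowerOff', 'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.Reset', 'VirtualMachine.Interact.Suspend',
    'VirtualMachine.Provisioning.Customize', 'VirtualMachine.Provisioning.DeployTemplate',
    'VirtualMachine.Provisioning.ReadCustSpecs', 'Host.Config.AdvancedConfig',
    'Datastore.AllocateSpace', 'VirtualMachine.Config.AddRemoveDevice',
    'VirtualMachine.Config.AdvancedConfig', 'VirtualMachine.Config.EditDevice',
    'VirtualMachine.Inventory.Create', 'VirtualMachine.Inventory.CreateFromExisting',
    'VirtualMachine.Inventory.Delete', 'Resource.AssignVMToPool',
    'Global.VCServer', 'StorageProfile'
)
New-LeastPrivilegeRole -RoleName 'Horizon View Role - No Composer' `
                       -PrivilegeId $horizonPrivs `
                       -Principal 'DOMAIN\svc-horizon' -Propagate
```

The same function serves the Composer and Update Manager lists later in the post; only the ID array and role name change. Keeping the ID list in source control next to the script also gives you a record of what the service account was meant to have, which is what you compare against when someone later asks why the account needs a given right.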
View Composer Privileges Required for vCenter Server User
If you are using Composer with View, you will need additional privileges to support the Composer operations. Use the privilege list below instead of the one above.
$perms = Get-VIPrivilege -ID Datastore.AllocateSpace,Datastore.Browse,Datastore.FileManagement,VirtualMachine.Inventory,VirtualMachine.Config,VirtualMachine.State,VirtualMachine.Provisioning.Clone,VirtualMachine.Provisioning.DiskRandomAccess,Resource.AssignVMToPool,Resource.ColdMigrate,Global.EnableMethods,Global.DisableMethods,Global.SystemTag,Global.VCServer,Network,StorageProfile,Folder.Create,Folder.Delete,VirtualMachine.Interact.PowerOff,VirtualMachine.Interact.PowerOn,VirtualMachine.Interact.Reset,VirtualMachine.Interact.Suspend,VirtualMachine.Provisioning.Customize,VirtualMachine.Provisioning.DeployTemplate,VirtualMachine.Provisioning.ReadCustSpecs,Host.Config.AdvancedConfig
New-VIRole -Name "Horizon View (w/ Composer)" -Privilege $perms
VMware Update Manager (5.5, 6.0 and 6.0U1)
$perms = Get-VIPrivilege -ID VcIntegrity.General.com.vmware.vcIntegrity.Configure,VcIntegrity.Baseline.com.vmware.vcIntegrity.AssignBaselines,VcIntegrity.Baseline,VcIntegrity.Updates.com.vmware.vcIntegrity.Remediate,VcIntegrity.Updates.com.vmware.vcIntegrity.Scan,VcIntegrity.Updates.com.vmware.vcIntegrity.Stage,VcIntegrity.Updates.com.vmware.vcIntegrity.ViewStatus,VcIntegrity.FileUpload.com.vmware.vcIntegrity.ImportFile
New-VIRole -Name "VMware Update Manager" -Privilege $perms
$VCPerms = Get-Folder -NoRecursion
$myPermission = New-VIPermission -Entity $VCPerms -Principal "DOMAIN\user" -Role "VMware Update Manager" -Propagate:$true
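Creating the roles is half the job; the other half is noticing when someone quietly adds a privilege to "fix" a failing task, or grants the built-in Admin role at the root instead. The script below is an added example (not from the original post) covering both the Horizon View and Update Manager roles: it snapshots each role's effective privilege list to a JSON file, reports any drift from that baseline on later runs, and lists every principal with a permission on the top-level vCenter object. It assumes an existing Connect-VIServer session; the baseline path is a placeholder. The snapshot stores the role's PrivilegeList rather than the IDs passed to New-VIRole, because vCenter expands group IDs such as Network or StorageProfile into their individual privileges.

```powershell
# Added example: baseline and drift-check the custom roles from this post, and
# report who holds rights on the root vCenter object. Assumes a PowerCLI session.

function Export-RoleBaseline {
    param(
        [Parameter(Mandatory)] [string[]] $RoleName,
        [Parameter(Mandatory)] [string]   $BaselinePath   # placeholder path
    )
    # Record the effective (expanded) privileges of each role as it exists now.
    $snapshot = @{}
    foreach ($name in $RoleName) {
        $snapshot[$name] = @((Get-VIRole -Name $name).PrivilegeList | Sort-Object)
    }
    $snapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
}

function Test-RoleDrift {
    param([Parameter(Mandatory)] [string] $BaselinePath)
    # Emit one object per privilege that differs from the baseline; no output means no drift.
    $baseline = Get-Content -Raw -Path $BaselinePath | ConvertFrom-Json
    foreach ($prop in $baseline.PSObject.Properties) {
        $current = @((Get-VIRole -Name $prop.Name).PrivilegeList | Sort-Object)
        $diff    = Compare-Object -ReferenceObject @($prop.Value) -DifferenceObject $current
        foreach ($d in $diff) {
            $change = if ($d.SideIndicator -eq '=>') { 'ADDED since baseline' } else { 'REMOVED since baseline' }
            [pscustomobject]@{
                Role      = $prop.Name
                Privilege = $d.InputObject
                Change    = $change
            }
        }
    }
}

function Get-RootPermissionReport {
    # Every principal with rights on the top-level object. Anything holding the
    # built-in 'Admin' role here that is not a named administrator deserves a look.
    $root = Get-Folder -NoRecursion
    Get-VIPermission -Entity $root |
        Select-Object Principal, Role, Propagate, IsGroup |
        Sort-Object Role, Principal
}

# Usage (run the export once right after creating the roles, the other two on a schedule):
# Export-RoleBaseline -RoleName 'Horizon View Role - No Composer', 'VMware Update Manager' -BaselinePath 'C:\audit\vc-roles.json'
# Test-RoleDrift -BaselinePath 'C:\audit\vc-roles.json'
# Get-RootPermissionReport | Format-Table -AutoSize
```

Scheduling Test-RoleDrift and Get-RootPermissionReport alongside your other vCenter health checks turns the least-privilege rule from something remembered at deployment time into something that is actually enforced afterwards.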