Automating vSphere Global Permissions with PowerCLI

vSphere Global Permissions was first introduced in vSphere 6.0, which provides a simple and consistent method for assigning permissions for individual users and/or groups across multiple vCenter Servers joined to the same vCenter Single Sign-On (SSO) Domain. Global permissions works in the same way as traditional vSphere Permissions, but rather than assigning a permission to a specific entity, the association is applied at the root level of the vCenter Server.

The other added benefit for customers who are using vCenter's Enhanced Linked Mode (ELM), the global permission will be available to all vCenter Servers which are part of that ELM configuration. Without global permissions, a customer would have to create and assign a new permission to each and every vCenter Server and ensure that they all match which can be very error prone.

One downside to using vSphere Global Permissions today is that there is currently not a public API for those wanting to automate the creation and deletion of global permissions. However, as quick workaround, I have found a way in which you can automate the global permission management using the vSphere MOB which would allow us to use PowerCLI or any other vSphere Automation toolkit for that matter.

I have created a simple PowerShell script called GlobalPermissions.ps1 which contains two functions New-GlobalPermission and Remove-GlobalPermission which hopefully is self explanatory in what they do.

To create a new vSphere Global Permission, the function requires the following 6 parameters:

  • vc_server - Hostname or IP of the vCenter Server
  • vc_username - The VC username
  • vc_password - The VC password
  • vc_user - The vSphere User to assign the permission to
  • vc_role_id - The Role ID associated with the vSphere Role within vCenter Server (more on this later)
  • propagate - true or false on whether to propagate the permission

To retrieve the vc_role_id, you simply need access to a vCenter Server and run the following snippet along with the name of the vSphere Role to get its ID. In the example below, the Administrator role is called "Admin" using the vSphere API and the following will return the ID:

(Get-VIRole -Name Admin).ExtensionData.RoleId

Once you have retrieved the vSphere Role ID, here is an example of running the New-GlobalPermission function:

$vc_server = ""
$vc_username = "[email protected]"
$vc_password = "VMware1!"
$vc_role_id = "-1"
$vc_user = "VGHETTO\lamw"
$propagate = "true"
New-GlobalPermission -vc_server $vc_server -vc_username $vc_username -vc_password $vc_password -vc_user $vc_user -vc_role_id $vc_role_id -propagate $propagate

If the operation was successful, you should be able to login using the vSphere Web Client and refresh the global permissions view and you should see the new permission assignment as shown in the screenshot below.

To remove a global permission, you only need to provide the vCenter Server, its credentials and the user permission you wish to remove:

Remove-GlobalPermission -vc_server $vc_server -vc_username $vc_username -vc_password $vc_password -vc_user $vc_user

Exploring new VCSA VAMI API w/PowerCLI: Part 9

In Part 9, we were initially going to cover the new backup and restore capability that was introduced in vSphere 6.5 for the VCSA. However, it looks like Brian Graf has already created an awesome PowerCLI module (Backup-VCSA.psm1) that can be used to backup the VCSA, which you can find more details here.

While going through the VAMI APIs for the backup feature, I did notice there was one interesting backup VAMI API that Brian may not have looked at, at least I did not see a function consuming this API. Prior to initiating a backup for either a VCSA or PSC, you can query the expected size of the backup. This information can be pretty helpful beyond just for backups, but understanding the size of your system at any point in time.

VAMI UI Area of Focus

The backup and restore feature for the VCSA is located in the VAMI UI, but there is not a UI for retrieving the current expected backup size.


  • GET /appliance/recovery/backup/parts

PowerCLI Function

Sample Output

The output is pretty straight forward, it provides the total expected backup size (MB) as well as the breakdown of the total size into "configuration" data and the "Stats, Events, Alarms and Tasks" (SEAT) data.

With this new API, you can now easily see how large your vCenter Server Database is and take appropriate action such as truncating the data or reducing the retention period which can especially help with the performance of vCenter Server as well as the time it takes during upgrades.

Virtual Hardware Plug-N-Play improvements in vSphere 6.5

Have you ever noticed when you create a new VM, a floppy device is present in the GuestOS regardless if you had actually added one or not? If not, it is pretty simple to demonstrate. Create any Windows VM using a non-vSphere 6.5 release, install the OS and then power it on. You should now see a floppy device (A:) show up under "My Computer" as seen in the screenshot below.

Although this may look like a strange behavior (more on this in a bit), it is completely harmless as there is no real floppy device being presented to the VM. For many customers, this behavior was either unnoticed or it was just ignored as it did not bother them. However, there is a concern for some customers who must prove that the virtual hardware seen from the GuestOS matches the virtual hardware presented to the VM, usually for compliance purposes. To prevent a floppy device from showing up, you can edit the BIOS, but this generally does not scale as it must be done manually (no APIs exists) and even some of the BIOS editing utilities are fairly limited in their capabilities.

So why does this happen and how does vSphere 6.5 help?

In talking to one of our Principal Engineers about this topic, as this question comes up from time to time about disabling floppy devices in the BIOS. I came to learn more about the behavior described above and the nice enhancement that was introduced in vSphere 6.5 for Virtual Hardware Plug-N-Play.

Continue reading

Cross vCenter Server operations (clone / migrate) between versions of vSphere 6.x

When cross vCenter Server operations such as clone and migrate was first introduced in vSphere 6.0, it required that both the source and destination vCenter Server (includes ESXi hosts) to be running the same vSphere version. With the release of vSphere 6.5, this base requirement still holds true (e.g. vSphere 6.5 for both source and destination), especially when performing these operations using the vSphere Web Client where mixed-vSphere versions is not supported outside of a rolling upgrade.

Having said that, it is possible and supported to clone or migrate a VM across different versions of vSphere 6.x, for example a vSphere 6.5 and a vSphere 6.0 environment. This can be accomplished by performing a xVC-vMotion or xVC-Clone operation using the vSphere API. For the the xVC-vMotion use case, I have extensively written about it here and here and with PowerCLI 6.5r1, the Move-VM cmdlet has even been updated based on my feedback to support this capability natively. Furthermore, you can even perform these operations across completely different vCenter Single Sign-On Domains, which enables a new level of mobility for your VMs and access to resources of independently deployed vCenter Server instances.

To help make sense of the different combinations of vMotions and cloning operations, below are a few tables to help outline what is possible and supported today.

vMotion (Hot / Cold)

Source vCenter Server Destination vCenter Server Supported UI or API
vSphere 6.0 vSphere 6.0 Yes UI and API
vSphere 6.0 vSphere 6.5 Yes API
vSphere 6.5 vSphere 6.5 Yes UI and API
vSphere 6.5 vSphere 6.0 No N/A

Clone (Hot / Cold)

Source vCenter Server Destination vCenter Server Supported  UI or API
vSphere 6.0 vSphere 6.0 Yes UI and  API
vSphere 6.0 vSphere 6.5 No N/A
vSphere 6.5 vSphere 6.5 Yes UI and API
vSphere 6.5 vSphere 6.0 No N/A

Virtual Networking Migration

Source Type Destination Type Supported

Note1: vMotioning and/or cloning of VMs which uses the new vSphere Encryption feature introduced in vSphere 6.5 is not supported.

Note2: "Compute" only xVC-vMotion insufficient space issue has now been resolved with vSphere 6.0 Update 3, see this post here for more details.

Here are some additional xVC-vMotion and vMotion articles that may also useful to be aware of:

Quick Tip - vSphere 6.0 Update 3 resolves "Compute" only Cross-vCenter vMotion operation

Previously when a "Compute" only Cross-vCenter vMotion (xVC-vMotion) was initiated, which only migrates the VMs compute from one vCenter Server to another while maintaining its current storage configuration, an insufficient space error may be thrown under certain conditions. This behavior was due to the way vCenter Server used to calculate the available space on the destination vCenter Server.

Prior to vSphere 6.0 Update 3, vCenter Server used the Managed Object Reference (MoRef) ID of the vSphere Datastore determine whether the source and destination was the same. Even if you have the exact same vSphere Datastore mounted in both the source and destination vCenter Server, there was a good chance the MoRef ID will be different which then causes this calculation to occur. Now, the "insufficient space" error only occurs IF, the free space on the current vSphere Datastore is less than the size of the VM to be migrated which is why this behavior was only observed in some environments. Some customers workaround the problem by simply freeing up enough capacity which then allowed them to perform the operation.

The good news is this has now been resolved in the latest vSphere 6.0 Update 3 release which came out last Friday and has been outlined as one of the resolved issues in the release notes:

  • Attempts to perform an exclusive compute resource cross vCenter vMotion might fail.
    When a VM is migrated using vMotion or cold migrate from a vCenter to another vCenter and space available on datastore is less than size of the Virtual Machine Disk (VMDK), an error similar to the following is displayed:
    insufficient space

Rather than using the MoRef ID to determine if the vSphere Datastore is the same in both the source and destination vCenter Server, it is now using the datastore URL path. This means, if you want the correct behavior for a "Compute" only xVC-vMotion, you should ensure that the vSphere Datastore is mounted using the same name in both the source and destination vCenter Server.