Tag Archives: Security

Using Tags To Automate The Assigning Of vCenter Object Permissions

Tags are a really useful component in VMware. They can be used for all manor of things, whether it’s for storage policies, backups, identifying a group of objects or in the case of this post, managing permissions.

Having a method of easily assigning permissions to singular or multiple objects in vCenter can be a great benefit to a vSphere Admin as it’s gives them greater control over the environment they manage.

Lets take a look at what is needed to get this setup:

  • Script
  • Tag Category & Tags for each support role.
  • AD Security Groups
  • AD Service Account
  • vCenter Roles (one for the service account, then one for each of the support roles)
  • PowerCLI VICredentials
  • Scheduled Task

In this example I will use 4 common support teams that could be used, DBA, EUC, Operations and Storage. These can be anything you have a requirement for.

Script

Here is the script that applies the permissions based on the assigned tags. It can also be found here on GitHub. Save this on your management server of choice, or wherever you intend to run the scheduled task as a .PS1 file. In this example it’s saved on a management server in C:\Scripts\VI_Permissions.ps1.

#Load PowerCLI Modules
Import-module VMware.PowerCLI

#Get the Credentials
$creds = Get-VICredentialStoreItem -file  C:\Scripts\VM_Tagging_Perms.creds
 
#Connect to vCenter
Connect-VIServer -Server $creds.host -User $creds.User -Password $creds.Password -Force

#Tags
$dbaT = "Support Team/DBA_Team"
$storT = "Support Team/Storage_Team"
$eucT = "Support Team/EUC_Team"
$operT = "Support Team/Operations_Team"

#Active Directory Groups
$dbaG = "smt-lab\dba_admins"
$storG ="smt-lab\storage_admins"
$eucG = "smt-lab\euc_admins"
$OperG = "smt-lab\operations_users"

#Roles
$dbaR = "DBA VM Administrator"
$storR = "Storage VM Administrator"
$eucR = "End User VM Administrator"
$OperR = "Operations Users"


$VMs = Get-VM

ForEach ($VM in $VMs) {

        $TAGS = Get-TagAssignment -Entity $VM | Select @{l='SupportTeam';e={('{0}/{1}' -f $_.tag.category, $_.tag.name)}}, Entity

                                If ($TAGS.SupportTeam -contains $dbaT)  {New-VIPermission -Principal $dbaG -Role $dbaR -Entity $vm.name} Else {Get-VIPermission -Entity $vm.Name -Principal $dbaG | Remove-VIPermission -Confirm:$false}
                                If ($TAGS.SupportTeam -contains $storT) {New-VIPermission -Principal $storG -Role $storR -Entity $vm.Name} Else {Get-VIPermission -Entity $vm.Name -Principal $storG | Remove-VIPermission -Confirm:$false}
                                If ($TAGS.SupportTeam -contains $eucT) {New-VIPermission -Principal $eucG -Role $eucR -Entity $vm.Name}  Else {Get-VIPermission -Entity $vm.Name -Principal $eucG | Remove-VIPermission -Confirm:$false}
                                If ($TAGS.SupportTeam -contains $operT) {New-VIPermission -Principal $OperG -Role $OperR -Entity $vm.Name}  Else {Get-VIPermission -Entity $vm.Name -Principal $OperG | Remove-VIPermission -Confirm:$false}
                        }

Tag Category & Tags

Now onto Tag Categories and Tags in vCenter. Create a Tag category called ‘Support _Teams’ (Or something of your choosing, just make sure you are consistent throughout):

Or using PowerShell – New-TagCategory -Name Support_Teams -Cardinality Multiple -EntityType All

You can select as many object types as you wish and you will also want to allow multiple tags per object.

Now create a tag for each of the support teams in the tag category you just created:

New-Tag -Name Storage_Team -Category "Support_Teams"
New-Tag -Name DBA_Team -Category "Support_Teams"
New-Tag -Name EUC_Team -Category "Support_Teams"
New-Tag -Name Operations_Team -Category "Support_Teams"
Storage_Team 
DBA—Team 
EUC_Team 
Operations _ Team 
Support Team 
Support Team 
Support Team 
Support Team

Create AD groups

Now for some corresponding AD Security Group for each role you wish to have:

Name 
dba admins 
operation 
storage_ad, 
Type 
Security Group 
Security Group... 
Security Group, 
Security Group

Service Account (AD User)

Now to create an AD user account that will be used to apply the permissions within vCenter. This will be the account that will be used to run the scheduled task, connect to vCenter and will have the appropriate permissions to assign permissions for the support roles.

Name 
Type 
tag_permissions User

Support Team Roles

Now we need to create a suitable role for each team.  In this example I have copied the Virtual Machine Power User role, but these roles can contain which ever privilege’s you require.

Under ‘Administration > Roles’ you will see the options to either create a new Role or copy an existing.  From here you will be able to assign it a name and specify the privilege’s you require.

Roles 
Roles provider: 
Admlnlstrator 
Read-only 
No access 
AppdAppllenceUser 
AutoUpdateUser 
VSPHERE.LOCAL v 
DESCRIPTION 
Datastore 
USAGE 
PRIVILEGES 
Content llbrery edmlnlstretor (sample) 
Content Llbrery Reglsry admlnlstrator (sample) 
Datastore consumer (sample) 
DBA VM Admlnlstretor 
End User VM Admlnlstretor 
Network admlnlstretor (sample) 
No cryptography admlnlstrator 
No Trusted Infrastructure admlnlstretor 
NSX Admlnlstretor 
NSX Auditor 
NSX VI Admlnlstretor 
Operatlons Users 
Resource pool admlnlstretor (sample) 
SRM Admlnlstrator 
42 items 
Browse datastore 
Global 
Cancel task 
Scheduled task 
Create tasks 
• Modify task 
• Remove task 
• Run task 
Virtual machine 
Change Configuration 
Acquire disk lease 
Add existing disk 
Add new disk 
Add or remove device 
Advanced configuration 
Change CPU count 
Change Memory 
Change Settings 
Change resource 
o Modify device settings 
Remove disk

You will be referencing these Role names in the script so make sure you continue to match the names thought the process.

Permissioning Role

As mentioned in the service account section, the account (tag_permissions) running the scheduled task will need permissions in vCenter through a role.  The privileges this role will hold, needs to include all the privilege’s that are referenced in all of your Support Team Roles in order for it to have the right to assign the permissions. For example, if all your support roles are a copy of the ‘Virtual Machine power user’ role, your tagging permissions role will need to contain the same privileges.

Depending on how broad the scope of your support team roles, you may want to use the ‘Administrator’ or the ‘No cryptography administrator’ role.  This is entirely up to you and how you manage your estate.

For this example in my lab, I will use the predefined ‘Administrator’ role to grant the ‘tag_permissions’ AD account permissions at the Global Root, ensuring you have selected the ‘Propagate to children’ option.

Change Role 
Domain 
User/Group 
Role 
Global Permission Root 
SMT-LABLOCAL 
tag_permissions 
Administrator 
Propagate to children 
CANCEL

You could create a copy of the ‘Administrator’ role and name it something like ‘VI Permissions Service’ for instance, to give you flexibility to modify it in the future as well as making it easy to identify. With any high privileged account, ensure you secure it appropriately.

Create VI Credential Item

Now to create an encrypted credentials file that the service account running the scheduled task can import and then use to connect to vCenter without any intervention.

The AD account that is used to run the scheduled task, must be the account that also creates the credentials file as this is the only user that can use it.  It will require permissions to run PowerShell and have access to a folder location to store the credentials file on your chosen management server.

To begin, start a PowerShell session in the context of the service account:

Windows Security 
Run as different user 
Please enter credentials to use for 
Domain: smt-lab 
OK 
Cancel

Note: Ensure the server that you are running this scheduled task from has PowerCLI installed.  Installing PowerCLI.

Then run the following, entering your vCenter FQDN and the user and password that you created:

New-VICredentialStoreItem -host "smt-lab-vcsa-01.smt-lab.local" -user "smt-lab\tag_permissions" -password "VMware123!" -file C:\Scripts\VM_Tagging_Perms.creds
PS C: 
_Perms . creds 
New—VIC redenti al Storeltem 
C: \ Scri pts ng 
-host 
smt—lab. local" -user 
"smt—l ssion 
s" -password 
"VMware123! " 
Hos t 
User 
smt—1ab—vcsa—01 s 
smt—l . 
C: \ Scri ng_Perms . creds

Ensure you are storing the file somewhere with appropriate access to allow this but, also to restrict any unnecessary access.  The credentials file can have the password read if the user account that created it is compromised and gains access to the file using those windows credentials.

Scheduled Task

Now for the last component, the scheduled task. On a management server or a server of your choosing, create a scheduled task:

Vl_permissions Properties (Local Computer) 
General Triggers Actions Conditions Settings 
History 
Location: 
Author: 
VI Permissions 
SMT- LA8\Administrator 
Description: 
Security options 
When running the task, use the following user account: 
SMT- LA rmissio ns 
C) Run only when user is logged on 
@ Run whether user is logged on or not 
Change User or Group... 
[3 Do not store password. The task will only have access to local computer resources. 
Run with highest privileges 
Hidden 
Configure for: 
Windows Vista" , Windows Server" 2008 
Cancel

Assign an appropriate schedule that suits the level of change and size of your environment:

Vl_permissions Properties (Local Computer) 
General Triggers Actions Conditions Settings 
History 
Location: 
Author: 
VI Permissions 
SMT- LA8\Administrator 
Description: 
Security options 
When running the task, use the following user account: 
SMT- LA rmissio ns 
C) Run only when user is logged on 
@ Run whether user is logged on or not 
Change User or Group... 
[3 Do not store password. The task will only have access to local computer resources. 
Run with highest privileges 
Hidden 
Configure for: 
Windows Vista" , Windows Server" 2008 
Cancel

Now configure the trigger to execute the script:

(9 
Create Task 
General Triggers Actions Conditions Settings 
When you create a task, you must specify the action that will occur when your task starts. 
Action 
Start a program 
New... 
Details 
powershell -File 
Edit... 
Delete

Now thats everything you need to set this up, so lets give it a run though!

Assigning Tags and Permissions

Lets take a look at my demo VM permissions before we begin assigning permissions:

Lets check the VM permissions before having any tags assigned:

Get-TagAssignment -Entity $VM
$VM | ForEach-Object {Get-VIPermission -Entity $_ | Where {$_.Principal -like "*smt-lab*"} | Select Principal, Role}

Note that the tag_permissions account has been propagated from the root permissions you set earlier.

—TagAssignment 
-Entity 
ps Get 
ForEach—Object {Get—VIPermission 
principal 
Role 
SMT-LAB\tag_ 
permissions Admin 
—Entity 
Where 
principal 
—like 
Select principal, 
Role} 
SMT-LAB\Stephan 
Admin

Now assign a tag or two from the ones you created earlier using ‘New-TagAssignment’:

New-TagAssignment -Tag DBA_Team -Entity $VM
New-TagAssignment -Tag Operations_Team -Entity $VM
DBA_Team 
Tag 
Support 
Tag 
Support 
New—TagAssignment —Tag 
Team/DBA_Team 
New—TagAssignment —Tag 
Team/Operations_Team 
-Entity $VM 
Entity 
tfdemol 
Operations_Team —Entity $VM 
Entity 
tfdemol

Now you can either manually run the scheduled task or wait until its next scheduled run time.  Once the job has run, you can now check the tags match the permissions assigned by running the following:

Get-TagAssignment -Entity $VM
$VM | ForEach-Object {Get-VIPermission -Entity $_ | Where {$_.Principal -like "smt-lab"} | Select Principal, Role}
—Entity 
Tag 
Support 
Support 
Get—TagAssignment 
Team/DBA_Team 
Team/Operations_Team 
ForEach—Object {Get—VIPermission 
Entity 
tfdemol 
tfdemol 
—Entity 
Where 
principal 
—like 
Select principal, 
Role} 
principal 
SMT 
SMT 
SMT 
SMT 
—LAB\dba_admins 
—LAB\operations_users 
—LAB\tag_permissions 
—LAB\Stephan 
Role 
DBA VM Administrator 
Operations Users 
Admin 
Admin

You will see that the two tags assigned align with the the two AD groups being granted the corresponding role.

Now let do this for multiple VM’s:

Here I have multiple VM’s in the variable ‘$VM’ and I am assigning two tags to each of them.

$VM | ForEach-Object {New-TagAssignment -Tag DBA_Team -Entity $_}
$VM | ForEach-Object {New-TagAssignment -Tag Storage_Team -Entity $_}
DBA_Team 
Tag 
Support 
Support 
Support 
Support 
Support 
Tag 
Support 
Support 
Support 
Support 
Support 
—Object 
ForEach 
Team/DBA_Team 
Team/DBA_Team 
Team/DBA_Team 
Team/DBA_Team 
Team/DBA_Team 
—Object 
ForEach 
Team/Storage_Team 
Team/Storage_Team 
Team/Storage_Team 
Team/Storage_Team 
Team/Storage_Team 
{New—TagAssignment —Tag 
Entity 
Demopho€€6 
Demophoe€5 
Demopho€€2 
Demopho€€u 
Demophoe€3 
—Entity $_} 
{New—TagAssignment —Tag 
Storage_Team 
Entity 
Demopho€€6 
Demopho€€5 
Demopho€€2 
Demopho€€u 
Demopho€€3 
—Entity $_}

You can now see the tags assigned:

$VM | ForEach-Object {Get-TagAssignment -Entity $_}
{Get—TagAssignment 
Entity 
Tag 
Support 
Support 
Support 
Support 
Support 
Support 
Support 
Support 
Support 
Support 
ForEach—Object 
Team/Storage_Team 
Team/DBA_Team 
Team/Storage_Team 
Team/DBA_Team 
Team/Storage_Team 
Team/DBA_Team 
Team/Storage_Team 
Team/DBA_Team 
Team/Storage_Team 
Team/DBA_Team 
—Entity $_} 
Demophoe€6 
Demopho€€6 
Demopho€€5 
Demophoe€5 
Demopho€€2 
Demopho€€2 
Demophoeeu 
Demopho€€u 
Demophoe€3 
Demophoe€3

Following the script / job being run:

 $VM | ForEach-Object {Get-VIPermission -Entity $_ | Where {$_.Principal -like "*smt-lab*"} | Select Principal, Role} 
ForEach 
principal 
—Object {Get—VIPermission 
Role 
DBA VM Administrator 
—Entity 
Where 
principal 
—like 
Select principal, 
Role} 
SMT 
SMT 
SMT 
SMT 
SMT 
SMT 
SMT 
SMT 
SMT 
SMT 
SMT 
SMT 
SMT 
SMT 
SMT 
SMT 
SMT 
SMT 
SMT 
SMT 
—LAB\dba_admins 
—LAB\storage_admins 
—LAB\tag_permissions 
—LAB\Stephan 
—LAB\dba_admins 
—LAB\storage_admins 
—LAB\tag_permissions 
—LAB\Stephan 
—LAB\dba_admins 
—LAB\storage_admins 
—LAB\tag_permissions 
—LAB\Stephan 
—LAB\dba_admins 
—LAB\storage_admins 
—LAB\tag_permissions 
—LAB\Stephan 
—LAB\dba_admins 
—LAB\storage_admins 
—LAB\tag_permissions 
—LAB\Stephan 
Storage VM Administrator 
Admin 
Admin 
DBA VM Administrator 
Storage VM Administrator 
Admin 
Admin 
DBA VM Administrator 
Storage VM Administrator 
Admin 
Admin 
DBA VM Administrator 
Storage VM Administrator 
Admin 
Admin 
DBA VM Administrator 
Storage VM Administrator 
Admin 
Admin

As in the singular example, you will see that the two tags assigned, align with the the two AD groups being granted the corresponding role.

Removing Tags and Permissions

Now lets look at removing permissions, in this case, the Operations Team permissions from a VM:

Get-TagAssignment -Entity $VM | Where {$_.Tag -like "*Operations*"} | Remove-TagAssignment -Confirm:$false

Leaving it with just the ‘DBA_Team’ Tag assigned:

Once the script has run:

$VM | ForEach-Object {Get-VIPermission -Entity $_ | Where {$_.Principal -like "*smt-lab*"} | Select Principal, Role}

Reviewing Permissions

Finally, if you want to know which objects are supported by a specific team and have access you can check this by running:

Get-TagAssignment | Where {$_.Tag -like "Support_Teams/DBA_Team"}

You now have a way of assigning and removing permissions from vCenter objects using Tags. In this example I have used virtual machine object, but depending on your requirements, and the scope you set on the tag category, you could use this for other vCenter objects.

Thanks for reading!