If you have read my previous article on the vSphere security model, you know how it works. Still, you may wonder what roles a particular user may have, as asked in a recent email from one of my former VMware colleagues.
In an operating system, a user is assigned to one or more groups and is thereby granted certain permissions. In vSphere, a role is simply a set of privileges and that is it. It's natural to think of a role as a group sometimes, but it's really not.
Generally speaking, a user does not have roles in any generic sense. A role always applies within a scope: either a single entity, or that entity plus its descendants in the inventory tree.
The following screenshot from the MOB should explain more. As you can see, a Permission object always has an entity while associating a user with a role. The propagate field indicates whether the entity's descendants are covered as well.
With that clarified, you can check what roles a user has on a managed entity. To get that information, you can call the retrieveEntityPermissions() method of the AuthorizationManager managed object type. Note that you need to pass in a managed entity or its ManagedObjectReference as a parameter. Optionally, you can use the retrieveAllPermissions() method, assuming you want to filter through all the returned Permission objects by yourself.
Now, this is not yet the end of the problem. What if, as shown above, the principal is actually a group (indicated by the group field in Permission)? In that case, your ID may not show up in any of the Permission objects. How would you know you are part of one of the groups?
You cannot tell if you only look at vSphere itself. You have to look it up in the AD of your domain. It is not that difficult, by the way. On your computer running vSphere Client, just type the following command in a DOS console:
> gpresult /X myGroup.xml
Then you will find your group information in the XML file. It's too long to be listed here, but you can easily try it out by yourself.
With these two pieces of information, you can figure out what roles, if any, a user has over an entity in the inventory hierarchy.
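To show how the two pieces combine, here is an added example (not code from the original article or from VMware) that matches a user and the user's AD groups against Permission records, honoring the entity, group and propagate fields described above. The inventory names, principals, role IDs and the `roles_for` helper are constructed for illustration; in practice the records would come from retrieveAllPermissions() and the groups from the gpresult output. It lists every permission that applies and does not resolve precedence among them.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Permission:
    """Mirrors the Permission fields discussed above."""
    entity: str      # managed entity the permission is defined on
    principal: str   # user or group name
    group: bool      # True when the principal is a group
    role_id: int
    propagate: bool  # True when descendants of the entity are covered

# Constructed inventory tree (child -> parent) and constructed permissions.
PARENT = {"vm-101": "folder-prod", "folder-prod": "datacenter-1",
          "datacenter-1": "root"}
PERMISSIONS = [
    Permission("root", "CORP\\bob", False, 10, True),
    Permission("datacenter-1", "CORP\\vm-admins", True, 10, True),
    Permission("folder-prod", "CORP\\alice", False, 11, False),
    Permission("vm-101", "CORP\\auditors", True, 12, False),
]

def ancestors(entity, parent):
    """Yield the entity itself, then each ancestor up to the root."""
    while entity is not None:
        yield entity
        entity = parent.get(entity)

def roles_for(user, user_groups, entity, permissions, parent):
    """Return (role_id, defined_on, via) for each permission that applies."""
    groups = {g.lower() for g in user_groups}  # AD names are case-insensitive
    hits = []
    for node in ancestors(entity, parent):
        for p in permissions:
            if p.entity != node:
                continue
            # A permission on an ancestor only counts if it propagates.
            if node != entity and not p.propagate:
                continue
            name = p.principal.lower()
            if p.group and name in groups:
                hits.append((p.role_id, node, "group " + p.principal))
            elif not p.group and name == user.lower():
                hits.append((p.role_id, node, "user"))
    return hits

if __name__ == "__main__":
    alice_groups = ["CORP\\VM-Admins", "CORP\\Domain Users"]
    for target in ("vm-101", "folder-prod"):
        print(target, roles_for("CORP\\alice", alice_groups, target,
                                PERMISSIONS, PARENT))
```

Calling `roles_for` with an empty group list for the same user on `vm-101` returns nothing, which is the situation the article describes: the user's ID appears in no Permission object even though a group grants a role.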