Security Audit – vCenter user roles, and assigned permissions

So once you have established the source of accounts isn’t vCenter, then it needs to be made clear permissions are not directly assigned to users or groups.

Make sure you understand this; vCenter uses Roles,  permissions are assigned to the role not the user.

audit-userValidation - Roles








Roles and assignment can be extracted from each vCenter with a few simple PowerCLI commands

Get-VIRole | ft -AutoSize


Show how the roles are assigned, this command sorts by Role (probably the auditor is most concerned about the Admin Role)

Get-VIPermission | Select Role, Principal, IsGroup, Entity, Propagate | Sort-Object –Property Role | ft -AutoSize | more
Principle = User account or Group
Entity = Object where permission is applied, ie: Datacenter, Folder


Its useful to know how to re-sort the output, for example to indicate permissions are applied to a group

Get-VIPermission –Principal | Select Role, Principal, IsGroup, Entity, Propagate | ft -AutoSize | more


To get a complete listing of the permissions granted to each role on vCenter is a little tricky, but can be obtained through a PowerCLI script, and exported to xml format.

PowerCLI script to export vCenter Roles and Permissions

This is a wonderful, piece of code, as it’s is almost impossible to get and sort this information just using exports to csv – believe me I’ve tried…


Note: I recently discovered that this can also be done using powercli vmware powergui / community power pack – see virtu-al vmware-powerpack