Once you have established that vCenter is not the source of the accounts, the next thing to make clear is that permissions are not assigned directly to users or groups.
Make sure you understand this: vCenter uses roles. Privileges are assigned to the role, not to the user, and a permission then pairs that role with a user or group on an inventory object.
Roles and their assignments can be extracted from each vCenter with a few simple PowerCLI commands.
Get-VIRole | ft -AutoSize
To show how the roles are assigned, this command sorts the output by Role (the auditor is probably most concerned about the Admin role):
Get-VIPermission | Select Role, Principal, IsGroup, Entity, Propagate | Sort-Object -Property Role | ft -AutoSize | more
Principal = user account or group
Entity = object where the permission is applied, i.e. Datacenter, Folder
It's useful to know how to narrow or re-sort the output, for example to show the permissions applied to a particular group (replace the placeholder with the group name):
Get-VIPermission -Principal "<DOMAIN\GroupName>" | Select Role, Principal, IsGroup, Entity, Propagate | ft -AutoSize | more
Getting a complete listing of the privileges granted to each role on vCenter is a little tricky, but it can be obtained through a PowerCLI script and exported to XML format.
This is a wonderful piece of code, as it is almost impossible to get and sort this information just using exports to CSV – believe me, I've tried…
Note: I recently discovered that this can also be done using PowerCLI with VMware PowerGUI / the community PowerPack – see Virtu-Al's VMware PowerPack.
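As an added example (not the script linked above, nor VMware's own code), the following PowerCLI snippet collects each role with its full privilege list plus every permission assignment, exports both to XML, and prints the summary an auditor usually asks for first. It assumes PowerCLI is loaded, Connect-VIServer has already been run, and the output folder name is an assumption.

```powershell
# Added example, not from the original post. Assumes an existing Connect-VIServer session.
param(
    [string]$OutDir = ".\vcenter-audit"   # assumed output folder
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# One record per role: name, whether it is a built-in system role, and the
# privilege IDs it grants (e.g. "VirtualMachine.Interact.PowerOn").
$roles = Get-VIRole | ForEach-Object {
    [PSCustomObject]@{
        Role           = $_.Name
        IsSystem       = $_.IsSystem
        PrivilegeCount = @($_.PrivilegeList).Count
        Privileges     = @($_.PrivilegeList)
    }
}

# One record per permission: who holds which role on which inventory object.
$perms = Get-VIPermission |
    Select-Object Role, Principal, IsGroup, Entity, Propagate |
    Sort-Object -Property Role, Principal

# Export-Clixml keeps the nested privilege arrays intact; a CSV export flattens them away.
$roles | Export-Clixml -Path (Join-Path $OutDir "roles.xml")
$perms | Export-Clixml -Path (Join-Path $OutDir "permissions.xml")

# Auditor view 1: every principal that holds the built-in Admin role, and where.
$perms | Where-Object { $_.Role -eq "Admin" } | Format-Table -AutoSize

# Auditor view 2: custom roles ranked by how much of the Admin privilege set they carry,
# which flags "Admin in all but name" roles that a plain role listing hides.
$adminCount = @((Get-VIRole -Name "Admin").PrivilegeList).Count
$roles | Where-Object { -not $_.IsSystem } |
    Select-Object Role, PrivilegeCount,
        @{ n = "PctOfAdmin"; e = { [math]::Round(100 * $_.PrivilegeCount / $adminCount) } } |
    Sort-Object -Property PctOfAdmin -Descending | Format-Table -AutoSize
```

Import-Clixml on the two files later gives you the same objects back for offline sorting and comparison between vCenters.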