Setting Organization VDC Permissions in vCloud Director 8.X with PowerShell

First vCloud Director post in a while (been busy trying to organize a move across the world and getting married), but I had a requirement recently to look at having two Org VDCs (Test and Production) and two sets of users within a vCloud Organization: both sets with the Organization Administrator role, but each group able to modify only one Org VDC.

VMware has been improving the granularity of User Access Control in vCloud Director over the 8.X releases, introducing new mechanisms for delegating roles and access rights at each level of abstraction (Organization level, Org VDC level). However, the 8.20 interfaces still haven’t quite caught up (I imagine this is resolved in vCloud 9.0, which is fast approaching), and it’s a little tricky to get visibility of and make changes to these roles, as it is all exposed in the API only.

After reviewing the article by Tom Fojta and the API documentation, I extended my PowerShell vCloud Rights Management module to make control a bit easier.

The module is available on Github.

The documentation in the PowerShell module is more complete; below is a quick summary of the main user functions and how to use them:

Get-OrgVdcAccessRights : Returns an object which represents the Access Controls for a provided Organisation Virtual Datacenter object.

Set-OrgVdcAccessRightSharedToEveryone : This cmdlet sets an Organisation Virtual Datacenter as visible or hidden for all users who have rights to the organisation. By default an Org VDC is visible to all members of the containing organisation; if -Visible:$false is provided, the Org VDC will be hidden from all users by default. If -Visible:$true is set, it will be visible to all users by default.

Add-OrgVdcAccessRights : This cmdlet adds a CIUser to the Access Control List for an Organisation Virtual Datacenter. If the Org VDC has been hidden using the Set-OrgVdcAccessRightSharedToEveryone cmdlet, the users added using this cmdlet can access/view the Org VDC.

Remove-OrgVdcAccessRights : This cmdlet removes a CIUser from the Access Control List for an Organisation Virtual Datacenter. If the Org VDC has been hidden using the Set-OrgVdcAccessRightSharedToEveryone cmdlet, the users removed using this cmdlet will no longer have rights to access/view the Org VDC.

As an example, we will have three users: one a Full Organizational admin (pigeon.admin), one with rights to one of the Org VDCs (testuser.test) and one with rights to the other Org VDC (testuser.production):

  1. Log on to vCloud Director, clone the Organization Administrator role for the Organization and remove the right Allow Access to All Organization VDCs from the clone.
  2. Create the Org users and assign them the role created in Step 1. Note that at this point the users can still view all of the Org VDCs in the Organization.
  3. Next, set each of the Org VDCs to be hidden by default using the Set-OrgVdcAccessRightSharedToEveryone cmdlet:

       Set-OrgVdcAccessRightSharedToEveryone -OrgName "PigeonNuggets" -OrgVDC "Lab vCloud Org VDC" -Visible $false

     The users with the cloned Org Admin role can no longer see the Org VDCs; however, the Full Organizational Administrator can still view all Org VDCs.
  4. To grant an individual user rights to an Org VDC, use the Add-OrgVdcAccessRights cmdlet:

       Get-CIUser testuser.test | Add-OrgVdcAccessRights -OrgName "PigeonNuggets" -OrgVDC "Lab vCloud Org VDC (Test Pool)"

     This grants testuser.test access to the Org VDC.
  5. To remove the rights for the user, simply execute:

       Get-CIUser testuser.test | Remove-OrgVdcAccessRights -OrgName "PigeonNuggets" -OrgVDC "Lab vCloud Org VDC (Test Pool)"

And finally, to make the Org VDC visible to all users again, just execute Set-OrgVdcAccessRightSharedToEveryone with -Visible $true:

    Set-OrgVdcAccessRightSharedToEveryone -OrgName "PigeonNuggets" -OrgVDC "Lab vCloud Org VDC" -Visible $true
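The walkthrough above only grants access for testuser.test, so the following added example (not part of the original post or the module) applies steps 3 and 4 to both the Test and Production Org VDCs from a single access map, resolving every VDC and user before anything is hidden. It assumes the module is already imported, a Connect-CIServer session is open and the cloned role from step 1 is assigned; the Production Org VDC name is a hypothetical placeholder.

```powershell
# Added example; uses only the module cmdlets and parameters shown in the post,
# plus the standard PowerCLI cmdlets Get-Org, Get-OrgVdc and Get-CIUser.
$ErrorActionPreference = 'Stop'

$OrgName = 'PigeonNuggets'
# Org VDC name -> users who should be able to see and manage it.
$AccessMap = @{
    'Lab vCloud Org VDC (Test Pool)'       = @('testuser.test')
    'Lab vCloud Org VDC (Production Pool)' = @('testuser.production')  # hypothetical VDC name
}

if (-not $global:DefaultCIServers) {
    throw 'No vCloud Director session found; run Connect-CIServer first.'
}
$Org = Get-Org -Name $OrgName

# Pass 1: resolve every Org VDC and user before changing anything, so a typo
# cannot leave an Org VDC hidden with nobody granted access to it.
$Plan = foreach ($VdcName in $AccessMap.Keys) {
    if (-not (Get-OrgVdc -Name $VdcName -Org $Org)) {
        throw "Org VDC '$VdcName' not found in organisation '$OrgName'."
    }
    foreach ($UserName in $AccessMap[$VdcName]) {
        $User = Get-CIUser -Name $UserName -Org $Org
        if (-not $User) {
            throw "User '$UserName' not found in organisation '$OrgName'."
        }
        [pscustomobject]@{ OrgVdc = $VdcName; User = $User }
    }
}

# Pass 2: hide each Org VDC from everyone by default (step 3) ...
foreach ($VdcName in $AccessMap.Keys) {
    Set-OrgVdcAccessRightSharedToEveryone -OrgName $OrgName -OrgVDC $VdcName -Visible $false
}

# ... then grant each user access to their own Org VDC only (step 4).
foreach ($Entry in $Plan) {
    $Entry.User | Add-OrgVdcAccessRights -OrgName $OrgName -OrgVDC $Entry.OrgVdc
}

# Summary of the grants that were applied.
$Plan | Select-Object OrgVdc, @{ Name = 'User'; Expression = { $_.User.Name } }
```

Full Organizational Administrators such as pigeon.admin are not in the map because they keep visibility of all Org VDCs.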

These cmdlets are a bit rough but have been tested on PowerCLI 6.5.1 and vCloud Director 8.20.0 and 8.20.1; hopefully they will save you some time. Enjoy.

 
