Skip to content

Datastore cluster permissions lost - Script Workaround

Placing the datastore clusters inside a folder in some cases is not an option, so i decided to write a PowerCLI script which creates the permisson after vCenter service restart. As you might know, all permissons set at datastore cluster level are gone after vCenter restarts. This workaround referred to VMware KB: 2008326.

First you have to find affected permissons. This applies to permissons which are set directly to datastore clusters. A datastore cluster is referred as "StoragePod", so this is the keyword:

Get-VIPermission | Where-Object {$_.EntityId -match 'StoragePod'} |format-table -autosize

EntityId              Role              Principal        IsGroup Propagate
--------              ----              ---------        ------- ---------
StoragePod-group-p103 ReadOnly          homer            False   True
StoragePod-group-p105 DatastoreConsumer LAB\Domain Users True    True

In this case there are 2 affected entries. The Administrator is not listed, because the permisson is set at vCenter level and propagated to all datastore clusters. Recreating the permissons can be done using the following script. Please be aware that i am not a programmer by profession, so this code might be crappy. Also this script is not supported by VMware, so please test this in a unproductive environment.

# EntityId              Role              Principal        IsGroup Propagate
# --------              ----              ---------        ------- ---------
# StoragePod-group-p103 ReadOnly          homer            False   True

$pod = New-Object VMware.Vim.ManagedObjectReference
$pod.type = "StoragePod"
$pod.Value = "group-p103"

$perm = New-Object VMware.Vim.Permission
$perm.roleId = -2
$perm.principal = "homer"
$perm.group = $false
$perm.propagate = $true

$auth = Get-View -Id 'AuthorizationManager-AuthorizationManager'
$auth.SetEntityPermissions($pod, $perm)

# EntityId              Role              Principal        IsGroup Propagate
# --------              ----              ---------        ------- ---------
# StoragePod-group-p105 DatastoreConsumer LAB\Domain Users True    True

$pod = New-Object VMware.Vim.ManagedObjectReference
$pod.type = "StoragePod"
$pod.Value = "group-p105"

$perm = New-Object VMware.Vim.Permission
$perm.roleId = 8
$perm.principal = "LAB\Domain Users"
$perm.group = $true
$perm.propagate = $true

$auth = Get-View -Id 'AuthorizationManager-AuthorizationManager'
$auth.SetEntityPermissions($pod, $perm)

You can set up this script to run automatically after the vCenter service starts.
Use the Get-VIRole cmdlet to find out the corresponding RoleIDs. For the standard roles this are:

-5 = NoAccess
-4 = Anonymous
-3 = View
-2 = ReadOnly
-1 = Admin
4 = VirtualMachinePowerUser
5 = VirtualMachineUser
6 = ResourcePoolAdministrator
7 = VMwareConsolidatedBackupUser
8 = DatastoreConsumer
9 = NetworkConsumer

Leave a Reply

Your email address will not be published. Required fields are marked *