Create VMware Roles for Citrix via PowerCLI
Automation is key, especially when managing multiple projects simultaneously, as is the case for me right now.
How often have you adjusted or created custom VMware roles for Citrix in new projects? For me, it feels like the hundredth time this year—and yes, 2024 started just a month ago, and I’ve been on holiday for half of that time.
That’s why I automated this and as always – sharing is caring in the EUC community.
BE AWARE THAT THESE CODE SNIPPETS WILL OVERWRITE YOUR EXISTING PERMISSIONS – I TAKE NO RESPONSIBILITY.
Let’s dive into the individual tasks
Install VMware PowerCLI
Install-Module VMware.PowerCLI -AllowClobber
Connect to vCenter
Connect-VIServer -Server vcsa.vdi.lab
Create a new or modify an existing role
Arrays for the permissions. The documentation can be found here.
## Create Role if required ##
New-VIRole -Name "CitrixMCS" -Verbose
## Specify the role which needs to be adjusted ##
$Role = Get-VIRole -Name "CitrixMCS"
$PermissionsAddConnectionsAndResources = @(
"System.Anonymous",
"System.Read",
"System.View"
)
$PermissionsPowerManagement = @(
"VirtualMachine.Interact.PowerOff",
"VirtualMachine.Interact.PowerOn",
"VirtualMachine.Interact.Reset",
"VirtualMachine.Interact.Suspend"
)
$PermissionsMachineCreationServices = @(
"Datastore.AllocateSpace",
"Datastore.Browse",
"Datastore.FileManagement",
"Network.Assign",
"Resource.AssignVMToPool",
"VirtualMachine.Config.AddExistingDisk",
"VirtualMachine.Config.AddNewDisk",
"VirtualMachine.Config.AdvancedConfig",
"VirtualMachine.Config.RemoveDisk",
"VirtualMachine.Config.CPUCount",
"VirtualMachine.Config.Memory",
"VirtualMachine.Config.Settings",
"VirtualMachine.Interact.PowerOff",
"VirtualMachine.Interact.PowerOn",
"VirtualMachine.Interact.Reset",
"VirtualMachine.Interact.Suspend",
"VirtualMachine.Inventory.CreateFromExisting",
"VirtualMachine.Inventory.Create",
"VirtualMachine.Inventory.Delete",
"VirtualMachine.Provisioning.Clone",
"VirtualMachine.State.CreateSnapshot"
)
$PermissionsMCSvTPM = @(
"Cryptographer.Access",
"Cryptographer.AddDisk",
"Cryptographer.Clone",
"Cryptographer.Encrypt",
"Cryptographer.EncryptNew",
"Cryptographer.Migrate",
"Cryptographer.ReadKeyServersInfo"
)
$PermissionsImageUpdateAndRollback = @(
"Datastore.AllocateSpace",
"Datastore.Browse",
"Datastore.FileManagement",
"Network.Assign",
"Resource.AssignVMToPool",
"VirtualMachine.Config.AddExistingDisk",
"VirtualMachine.Config.AddNewDisk",
"VirtualMachine.Config.AdvancedConfig",
"VirtualMachine.Config.RemoveDisk",
"VirtualMachine.Interact.PowerOff",
"VirtualMachine.Interact.PowerOn",
"VirtualMachine.Interact.Reset",
"VirtualMachine.Inventory.CreateFromExisting",
"VirtualMachine.Inventory.Create",
"VirtualMachine.Inventory.Delete",
"VirtualMachine.Provisioning.Clone"
)
$PermissionsDeleteProvisionedMachines = @(
"Datastore.Browse",
"Datastore.FileManagement",
"VirtualMachine.Config.RemoveDisk",
"VirtualMachine.Interact.PowerOff",
"VirtualMachine.Inventory.Delete"
)
$PermissionsProvisioningServices = @(
"VirtualMachine.Config.AddRemoveDevice",
"VirtualMachine.Config.CPUCount",
"VirtualMachine.Config.Memory",
"VirtualMachine.Config.Settings",
"VirtualMachine.Provisioning.CloneTemplate",
"VirtualMachine.Provisioning.DeployTemplate"
)
Get the IDs from each privilege
$IDAddConnectionsAndResources = Get-VIPrivilege -Id $PermissionsAddConnectionsAndResources
$IDPowerManagement = Get-VIPrivilege -Id $PermissionsPowerManagement
$IDMachineCreationServices = Get-VIPrivilege -Id $PermissionsMachineCreationServices
$IDMCSvTPM = Get-VIPrivilege -Id $PermissionsMCSvTPM
$IDImageUpdateAndRollback = Get-VIPrivilege -Id $PermissionsImageUpdateAndRollback
$IDDeleteProvisionedMachines = Get-VIPrivilege -Id $PermissionsDeleteProvisionedMachines
$IDProvisioningServices = Get-VIPrivilege -Id $PermissionsProvisioningServices
Combine the single arrays for all needed permissions
$AllPrivilegeID = $IDAddConnectionsAndResources + $IDMachineCreationServices + $IDMCSvTPM #+YourIDs
Assign permissions
Set-VIRole -Role $Role -AddPrivilege ($AllPrivilegeID) -Verbose
Confirm permissions
Get-VIPrivilege -Role $Role
Compare them if needed
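One way to do that comparison, as an added example (not part of the original post or the linked repository): `Set-VIRole -AddPrivilege` adds to a role and does not remove privileges already on it, so a reused role can hold more than the arrays above intend. `Compare-RolePrivilege` is a hypothetical helper name, and `$actual` is constructed sample data standing in for `(Get-VIPrivilege -Role $Role).Id`.

```powershell
# Added example. Compare-RolePrivilege is a hypothetical helper, not a PowerCLI cmdlet.
function Compare-RolePrivilege {
    param(
        [Parameter(Mandatory)][string[]]$Expected,  # privilege IDs the role should hold
        [Parameter(Mandatory)][string[]]$Actual     # privilege IDs the role holds now
    )
    # The per-task arrays overlap (e.g. VirtualMachine.Interact.PowerOff), so de-duplicate.
    $want = @($Expected | Sort-Object -Unique)
    $have = @($Actual   | Sort-Object -Unique)
    [pscustomobject]@{
        Missing    = @($want | Where-Object { $_ -notin $have })  # intended but absent
        Unexpected = @($have | Where-Object { $_ -notin $want })  # present but not intended
    }
}

# Intended set: two of the arrays from this page.
$expected = @(
    "System.Anonymous", "System.Read", "System.View",
    "VirtualMachine.Interact.PowerOff", "VirtualMachine.Interact.PowerOn",
    "VirtualMachine.Interact.Reset", "VirtualMachine.Interact.Suspend"
)

# Constructed sample of what the role holds. Against a live vCenter use:
#   $actual = (Get-VIPrivilege -Role $Role).Id
$actual = @(
    "System.Anonymous", "System.Read", "System.View",
    "VirtualMachine.Interact.PowerOff", "VirtualMachine.Interact.PowerOn",
    "VirtualMachine.Interact.Reset",
    "VirtualMachine.Inventory.Delete"   # left over from an earlier, broader run
)

$drift = Compare-RolePrivilege -Expected $expected -Actual $actual
"Missing:    " + ($drift.Missing -join ", ")
"Unexpected: " + ($drift.Unexpected -join ", ")

# Remediation against a live vCenter (each call changes the role):
#   Set-VIRole -Role $Role -AddPrivilege    (Get-VIPrivilege -Id $drift.Missing)
#   Set-VIRole -Role $Role -RemovePrivilege (Get-VIPrivilege -Id $drift.Unexpected)
```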
You can grab a full copy on GitHub.
Citrix/VMware at main · BalintOberrauch/Citrix (github.com)
Have fun and leave a reply.
2 Responses
Nice idea, keep up your great work and update your site frequently.
Other than mine, which has now been down for about 1 year and contained a 5-year-old similar script 😉
https://web.archive.org/web/20211017120921/https://marcozimmermann.com/2019/01/script-powercli-create-citrix-permission-role/
I will now use yours 😉
Thank you Marco! You should start your blog again – the old one seems nice! 😉