Create VMware Roles for Citrix via PowerCLI

Automation is key, especially when managing multiple projects simultaneously, as is the case for me right now.

How often have you adjusted or created custom VMware roles for Citrix in new projects? For me, it feels like the hundredth time this year—and yes, 2024 started just a month ago, and I’ve been on holiday for half of that time.

That’s why I automated this and as always – sharing is caring in the EUC community.

BE AWARE THAT THESE CODE SNIPPETS WILL OVERWRITE YOUR EXISTING PERMISSIONS – I TAKE NO RESPONSIBILITY.

Let’s dive into the individual tasks.

Install VMware PowerCLI

    Install-Module VMware.PowerCLI -AllowClobber

Connect to vCenter

    Connect-VIServer -Server vcsa.vdi.lab

Create a new or modify an existing role

First create the role (or select an existing one), then define the arrays for the permissions. The documentation can be found here.

    ## Create the role only if it does not exist yet ##
    if (-not (Get-VIRole -Name "CitrixMCS" -ErrorAction SilentlyContinue)) {
        New-VIRole -Name "CitrixMCS" -Verbose
    }
    ## Specify the role which needs to be adjusted ##
    $Role = Get-VIRole -Name "CitrixMCS"

    $PermissionsAddConnectionsAndResources = @(
        "System.Anonymous",
        "System.Read",
        "System.View"
    )
    $PermissionsPowerManagement = @(
        "VirtualMachine.Interact.PowerOff",
        "VirtualMachine.Interact.PowerOn",
        "VirtualMachine.Interact.Reset",
        "VirtualMachine.Interact.Suspend"
    )
    $PermissionsMachineCreationServices = @(
        "Datastore.AllocateSpace",
        "Datastore.Browse",
        "Datastore.FileManagement",
        "Network.Assign",
        "Resource.AssignVMToPool",
        "VirtualMachine.Config.AddExistingDisk",
        "VirtualMachine.Config.AddNewDisk",
        "VirtualMachine.Config.AdvancedConfig",
        "VirtualMachine.Config.RemoveDisk",
        "VirtualMachine.Config.CPUCount",
        "VirtualMachine.Config.Memory",
        "VirtualMachine.Config.Settings",
        "VirtualMachine.Interact.PowerOff",
        "VirtualMachine.Interact.PowerOn",
        "VirtualMachine.Interact.Reset",
        "VirtualMachine.Interact.Suspend",
        "VirtualMachine.Inventory.CreateFromExisting",
        "VirtualMachine.Inventory.Create",
        "VirtualMachine.Inventory.Delete",
        "VirtualMachine.Provisioning.Clone",
        "VirtualMachine.State.CreateSnapshot"
    )
    $PermissionsMCSvTPM = @(
        "Cryptographer.Access",
        "Cryptographer.AddDisk",
        "Cryptographer.Clone",
        "Cryptographer.Encrypt",
        "Cryptographer.EncryptNew",
        "Cryptographer.Migrate",
        "Cryptographer.ReadKeyServersInfo"
    )
    $PermissionsImageUpdateAndRollback = @(
        "Datastore.AllocateSpace",
        "Datastore.Browse",
        "Datastore.FileManagement",
        "Network.Assign",
        "Resource.AssignVMToPool",
        "VirtualMachine.Config.AddExistingDisk",
        "VirtualMachine.Config.AddNewDisk",
        "VirtualMachine.Config.AdvancedConfig",
        "VirtualMachine.Config.RemoveDisk",
        "VirtualMachine.Interact.PowerOff",
        "VirtualMachine.Interact.PowerOn",
        "VirtualMachine.Interact.Reset",
        "VirtualMachine.Inventory.CreateFromExisting",
        "VirtualMachine.Inventory.Create",
        "VirtualMachine.Inventory.Delete",
        "VirtualMachine.Provisioning.Clone"
    )
    $PermissionsDeleteProvisionedMachines = @(
        "Datastore.Browse",
        "Datastore.FileManagement",
        "VirtualMachine.Config.RemoveDisk",
        "VirtualMachine.Interact.PowerOff",
        "VirtualMachine.Inventory.Delete"
    )
    $PermissionsProvisioningServices = @(
        "VirtualMachine.Config.AddRemoveDevice",
        "VirtualMachine.Config.CPUCount",
        "VirtualMachine.Config.Memory",
        "VirtualMachine.Config.Settings",
        "VirtualMachine.Provisioning.CloneTemplate",
        "VirtualMachine.Provisioning.DeployTemplate"
    )

Get the IDs from each privilege

    $IDAddConnectionsAndResources = Get-VIPrivilege -Id $PermissionsAddConnectionsAndResources
    $IDPowerManagement = Get-VIPrivilege -Id $PermissionsPowerManagement
    $IDMachineCreationServices = Get-VIPrivilege -Id $PermissionsMachineCreationServices
    $IDMCSvTPM = Get-VIPrivilege -Id $PermissionsMCSvTPM
    $IDImageUpdateAndRollback = Get-VIPrivilege -Id $PermissionsImageUpdateAndRollback
    $IDDeleteProvisionedMachines = Get-VIPrivilege -Id $PermissionsDeleteProvisionedMachines
    $IDProvisioningServices = Get-VIPrivilege -Id $PermissionsProvisioningServices

Combine the single arrays for all needed permissions

    $AllPrivilegeID = $IDAddConnectionsAndResources + $IDMachineCreationServices + $IDMCSvTPM #+YourIDs

Assign permissions

    Set-VIRole -Role $Role -AddPrivilege ($AllPrivilegeID) -Verbose

Confirm permissions

    Get-VIPrivilege -Role $Role

Compare them if needed
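
One way to do that comparison, as an added example that is not part of the original post: the hypothetical helper `Compare-RolePrivilege` takes the intended privilege IDs and the IDs the role actually holds, then reports what is missing and what is extra. The `$Actual` list is constructed sample data so the block runs without a vCenter connection, and reading `.Id` from the objects returned by `Get-VIPrivilege -Role` is how it would be fed live.

```powershell
# Added example (not from the original post): detect privilege drift on a role.
function Compare-RolePrivilege {
    [CmdletBinding()]
    param(
        # Privilege IDs the role is supposed to hold
        [Parameter(Mandatory)][string[]]$Expected,
        # Privilege IDs the role actually holds
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Actual
    )
    # Sets collapse the duplicates that appear when several arrays are combined
    $want = [System.Collections.Generic.HashSet[string]]::new([string[]]$Expected)
    $have = [System.Collections.Generic.HashSet[string]]::new([string[]]$Actual)

    [pscustomobject]@{
        Missing = @($want | Where-Object { -not $have.Contains($_) } | Sort-Object)
        Extra   = @($have | Where-Object { -not $want.Contains($_) } | Sort-Object)
        InSync  = $want.SetEquals($have)
    }
}

# Expected set: two of the arrays from this post, combined
$Expected = @(
    "System.Anonymous", "System.Read", "System.View",
    "Datastore.Browse", "Datastore.FileManagement",
    "VirtualMachine.Config.RemoveDisk",
    "VirtualMachine.Interact.PowerOff",
    "VirtualMachine.Inventory.Delete"
)

# Constructed sample of a drifted role. Against a live vCenter use instead:
#   $Actual = (Get-VIPrivilege -Role $Role).Id
$Actual = @(
    "System.Anonymous", "System.Read", "System.View",
    "Datastore.Browse", "Datastore.FileManagement",
    "VirtualMachine.Interact.PowerOff",
    "VirtualMachine.Inventory.Delete",
    "VirtualMachine.Provisioning.Clone",   # granted, but not in the expected set
    "Cryptographer.Access"                 # granted, but not in the expected set
)

$Drift = Compare-RolePrivilege -Expected $Expected -Actual $Actual
"Missing: " + ($Drift.Missing -join ", ")
"Extra:   " + ($Drift.Extra -join ", ")
if (-not $Drift.InSync) {
    Write-Warning "Role privileges differ from the intended set"
}
```

Anything listed under `Extra` is a privilege the role holds beyond the arrays you combined, which is the part worth reviewing when the role is meant to stay minimal.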

Have fun and leave a reply.
