VMware vSphere PowerCLI Reference. Graf Brian


(such as Finance, Legal, and Customer Services) or by function (Internet, Active Directory, File Servers, Print Servers, Databases), or any other view that makes sense to your organization. Blue folders can also reflect a security function, grouping the VMs into folders that only certain people can access. Once you create the folder, you can use it as the object on which vCenter Server permissions are granted.

Creating a Folder Structure from Scratch

You can initially create your folder structure when you create your new VMs; create your templates and move them into the appropriate folder. Another way of creating the folder structure is to plan the layout in a comma-separated value (CSV) file. This type of plan can easily be created in an Excel document, as shown in Figure 1-2, and then exported to the CSV format needed to create the virtual folder structure.

Figure 1-2: Sample CSV layout

In the example CSV file we created, there are two columns. The first column, Name, is used to define the name of the folder that you wish to create. The second column, Path, is used to show the path to where this folder is to be created in vCenter Server. As seen in Figure 1-2, in the Path column all entries begin with vm\. This folder will not be created but is used by the underlying application programming interface (API). Once you have created the CSV file that contains the layout of your folder structure, a script can easily read your CSV file and create the structure using the code shown in Listing 1-5.

Listing 1-5: Using a CSV file to create a vCenter file structure
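An added sketch of the CSV-driven approach described above; it is not the book's Listing 1-5. It assumes the Path column holds each folder's full path ending in its own name, and the function names, sample rows and the datacenter name DC01 are hypothetical.

```powershell
# Added example, not the book's Listing 1-5.
# Assumption: Path is the folder's full path and ends in Name, e.g. vm\Finance\Payroll.
function Get-FolderPlan {
    param([Parameter(Mandatory)][object[]]$Row)
    $seen = @{}
    $plan = foreach ($r in $Row) {
        $parts = @($r.Path.Trim('\') -split '\\')
        if ($parts[0] -ne 'vm' -or $parts.Count -lt 2) { throw "Expected vm\<folder>: $($r.Path)" }
        if ($parts[-1] -ne $r.Name) { throw "Name '$($r.Name)' is not the last segment of $($r.Path)" }
        $key = ($parts -join '\').ToLowerInvariant()
        if ($seen.ContainsKey($key)) { throw "Duplicate folder: $($r.Path)" }
        $seen[$key] = $true
        [pscustomobject]@{
            Name      = $r.Name
            Key       = $key
            ParentKey = ($parts[0..($parts.Count - 2)] -join '\').ToLowerInvariant()
            Parents   = @($parts | Select-Object -Skip 1 | Select-Object -SkipLast 1)
            Depth     = $parts.Count - 1
        }
    }
    foreach ($p in $plan) {   # a nested folder needs its parent in the same CSV
        if ($p.ParentKey -ne 'vm' -and -not $seen.ContainsKey($p.ParentKey)) { throw "Parent of $($p.Key) is missing from the CSV" }
    }
    $plan | Sort-Object Depth, Key   # parents sort ahead of their children
}

function New-FolderFromPlan {   # requires an active Connect-VIServer session
    param([Parameter(Mandatory)]$Plan, [Parameter(Mandatory)][string]$Datacenter)
    $root = Get-Datacenter -Name $Datacenter | Get-Folder -Name 'vm' -Type VM -NoRecursion
    foreach ($p in $Plan) {
        $cur = $root
        foreach ($seg in $p.Parents) {   # walk segment by segment under each parent
            $cur = Get-Folder -Location $cur -Name $seg -Type VM -NoRecursion -ErrorAction Stop
        }
        New-Folder -Name $p.Name -Location $cur | Out-Null
    }
}

# Constructed sample rows, deliberately out of order.
$rows = @'
Name,Path
Payroll,vm\Finance\Payroll
Finance,vm\Finance
Legal,vm\Legal
'@ | ConvertFrom-Csv
$plan = Get-FolderPlan -Row $rows
$plan | Format-Table Name, Depth, ParentKey
if ($global:DefaultVIServer) { New-FolderFromPlan -Plan $plan -Datacenter 'DC01' }   # 'DC01' is a placeholder
```

Resolving each path segment under its own parent keeps same-named folders in different branches from colliding, which matters when those folders later carry different permissions.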

Exporting a Folder Structure

Both yellow and blue folder views can be exported to a CSV file. You will find this technique useful when you are rebuilding your vCenter Server from scratch or creating a DR replica of the current virtual infrastructure.

The script in Listing 1-6 can be used to export either a blue or a yellow folder structure to a CSV. It can also be used to export the location of the current VMs, ensuring a replicated location when you reimport the structure.

Listing 1-6: Exporting a vCenter structure to a CSV file

Importing a Folder Structure

You can import an existing blue or yellow folder structure into vCenter Server using the Import-Folders function previously shown in Listing 1-5. You can also choose if you would like your VMs moved back into their correct blue folders by using the Import-VMLocation function, as shown in Listing 1-7.

Listing 1-7: Importing VMs to their blue folders

Define Users and Their Privileges

The authorization to perform tasks in your virtual infrastructure is controlled by a role-based access control (RBAC) system. A vCenter Server administrator can specify in great detail which users or groups can perform which tasks on which objects. RBAC systems are defined using three key concepts:

Privilege: A privilege is the ability to perform an action or read a property. Examples include powering on a VM or adding a folder.

Role: A role is a collection of privileges. Roles provide a way to add all the individual privileges that are required to perform a number of tasks, such as administering a vSphere host.

Object: An object is an item on which actions can be performed. vCenter Server objects are datacenters, folders, resource pools, clusters, hosts, and VMs.

Granting Privileges

Privileges are found in the vSphere Web Client. When using the Roles wizard, you are able to add new privileges. The privileges are listed in Figure 1-3.

Figure 1-3: vCenter Server privileges

How many privileges are there? Think of any action you have ever performed in the vCenter Client. Think about the actions you have not yet come across or used in your everyday job. Now add them up, and you will have some idea of how many privileges there are in vCenter Server. Luckily, we are able to use PowerCLI to come up with a scientific answer for this question. You can easily list all privileges available to assign to a user through vCenter Server using the Get-VIPrivilege cmdlet:

We purposely truncated the output listing due to the large number of privileges available. You can count the number of privileges available for assigning to your roles and users or groups by using the Measure-Object cmdlet:

You can also use the Get-VIPrivilege cmdlet to show only the privileges available to certain sets of objects like a host:

You can view which groups (collections of privileges) are available by using the Get-VIPrivilege cmdlet with the -PrivilegeGroup parameter, as shown here:

Creating New Roles

A number of default roles come preconfigured with the installation of vCenter Server (see Figure 1-4). By selecting a role in the vSphere Web Client, you can see the list of privileges given to that role (on the right side). Each privilege category may be expanded and collapsed to see all the privileges set for the current role.

Figure 1-4: vCenter Server roles

You can see an overview of the predefined roles by using the Get-VIRole cmdlet, as shown here:
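The privilege and role listings described above can be turned into a quick review of what each role actually holds. This is an added example, not code from the book; the function name, the watchlist of privilege IDs and the sample role objects are constructed for illustration.

```powershell
# Added example. The watchlist is a constructed starting point, not a VMware-published list.
$Watchlist = 'Authorization.ModifyPermissions', 'Authorization.ModifyRoles',
             'Datastore.Browse', 'Datastore.FileManagement'

function Get-RoleRiskSummary {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Role,
        [string[]]$Watch = $Watchlist,
        [int]$TotalPrivileges = 0   # e.g. (Get-VIPrivilege -PrivilegeItem).Count
    )
    process {
        $privs = @($Role.PrivilegeList)
        # Top-level area of each privilege ID: the text before the first dot.
        $areas = @($privs | ForEach-Object { ($_ -split '\.')[0] } | Sort-Object -Unique)
        [pscustomobject]@{
            Role        = $Role.Name
            IsSystem    = [bool]$Role.IsSystem
            Privileges  = $privs.Count
            Areas       = $areas -join ','
            CoveragePct = if ($TotalPrivileges) { [math]::Round(100 * $privs.Count / $TotalPrivileges, 1) } else { $null }
            Flagged     = @($privs | Where-Object { $_ -in $Watch })
        }
    }
}

# Constructed role objects with the same Name / IsSystem / PrivilegeList shape as Get-VIRole output.
$sample = @(
    [pscustomobject]@{ Name = 'VMOperator'; IsSystem = $false; PrivilegeList = @(
        'System.Anonymous', 'System.Read', 'System.View',
        'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff') }
    [pscustomobject]@{ Name = 'HelpdeskPlus'; IsSystem = $false; PrivilegeList = @(
        'System.Anonymous', 'System.Read', 'System.View',
        'VirtualMachine.Interact.ConsoleInteract', 'Datastore.Browse',
        'Authorization.ModifyPermissions') }
)
$sample | Get-RoleRiskSummary | Where-Object { $_.Flagged.Count -gt 0 } |
    Format-List Role, Privileges, Areas, Flagged

# Against a live vCenter:
# Get-VIRole | Get-RoleRiskSummary -TotalPrivileges (Get-VIPrivilege -PrivilegeItem).Count
```

On the constructed sample only HelpdeskPlus is reported, because it holds two watchlisted privileges that a helpdesk role would not normally need.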

Now that you know that a role is a group of privileges and you’ve learned to use the Get-VIPrivilege and Get-VIRole cmdlets, we want to introduce you to New-VIRole. You can use the New-VIRole cmdlet with Get-VIPrivilege to define a new role. You can define your own group of privileges, which can later be assigned to your users. An example is shown in Listing 1-8; you can see the results in the vCenter Client, as shown in Figure 1-5.

Listing 1-8: Creating a new role

A new role can also be created at a granular level. First, choose the privileges you want to use:

Figure 1-5: New roles

And then add each of them into an array:
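One way to build a role from an explicit array of privilege IDs and scope it to a single blue folder, as an added example that is not the book's Listing 1-8. The function name, the role name VM-PowerOperator, the folder Finance and the principal EXAMPLE\finance-vm-ops are placeholders.

```powershell
# Added example, not the book's Listing 1-8. Role, folder and group names are placeholders.
function Set-LeastPrivilegeRole {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string[]]$PrivilegeId
    )
    # Resolve every requested ID and fail closed on a typo or an ID this vCenter lacks.
    $privs   = @(Get-VIPrivilege -Id $PrivilegeId -ErrorAction SilentlyContinue)
    $missing = @($PrivilegeId | Where-Object { $_ -notin $privs.Id })
    if ($missing) { throw "Unknown privilege IDs: $($missing -join ', ')" }

    $role = Get-VIRole -Name $Name -ErrorAction SilentlyContinue
    if (-not $role) {
        if ($PSCmdlet.ShouldProcess($Name, 'Create role')) {
            New-VIRole -Name $Name -Privilege $privs
        }
        return
    }
    # Role already exists: report drift rather than silently widening or reusing it.
    $implicit = 'System.Anonymous', 'System.Read', 'System.View'   # added to every custom role
    $extra = @($role.PrivilegeList | Where-Object { $_ -notin $PrivilegeId -and $_ -notin $implicit })
    $lack  = @($PrivilegeId | Where-Object { $_ -notin $role.PrivilegeList })
    if ($extra -or $lack) {
        Write-Warning "Role '$Name' drifted. Extra: $($extra -join ', ') Missing: $($lack -join ', ')"
    }
    $role
}

$ids = 'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff',
       'VirtualMachine.Interact.Reset'
if ($global:DefaultVIServer) {   # only runs inside a Connect-VIServer session
    $role   = Set-LeastPrivilegeRole -Name 'VM-PowerOperator' -PrivilegeId $ids
    $folder = Get-Folder -Name 'Finance' -Type VM
    # Scope the role to one blue folder and its children instead of the vCenter root.
    New-VIPermission -Entity $folder -Principal 'EXAMPLE\finance-vm-ops' -Role $role -Propagate:$true
}
```

Running the function with -WhatIf shows whether the role would be created without changing vCenter.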
