How to Get VMware Account Permissions


Native Solution vs. Netwrix Auditor for VMware
Native Solution
Steps
  1. Download the latest PowerCLI installer from the Download page of the VMware Web site and install the PowerCLI software.
  2. Open the PowerShell ISE and create a new file with the following PowerShell script, specifying your own connection information, the report output path and the user name to report on:

# Connection info (the password below is plain text; clear it before saving or sharing the script)
$VIuser = 'DOMAIN\UserName'
$VIpass = 'Password'
$VIserver = '40.113.200.201'
$VIport = '443'
# Output path
$out = 'C:\VM_Permissions.csv'
# User to get the report for
$user = 'DOMAIN\UserName'
# Connect to vSphere
Connect-VIServer -Server $VIserver -Port $VIport -User $VIuser -Password $VIpass
# Walk every inventory object and keep the permissions defined for $user
$rep = foreach ($vm in Get-Inventory) {
    Get-VIPermission -Entity $vm | Where-Object { $_.Principal -eq $user } |
    Select-Object Principal, Role, Propagate, IsGroup,
    @{N='Object_ID';E={$vm.Id}},
    @{N='Object_Name';E={$vm.Name}},
    @{N='Uid';E={$vm.Uid}}
}
$rep | Export-Csv -Path $out -NoTypeInformation
# Close the vCenter session once the report is written
Disconnect-VIServer -Server $VIserver -Confirm:$false

  3. Open and review the resulting CSV report.

Netwrix Auditor for VMware
  1. Run Netwrix Auditor and navigate to Reports → Predefined → VMware → VMware - State-in-Time → Account Permissions in vCenter.
  2. Click View.
  3. Type the desired user name into the User (domain\account) filter and click View Report.
     
  • Clicking the Object path link opens a report that shows who has permissions to that object.
  • The Role link opens a detailed report on privileges for that role.
  • Clicking the Defined in link will show you accounts with explicit or inherited permissions on that object. 
     

Conduct regular permissions attestations to make sure each VMware account has proper access to your infrastructure

If your organization hosts mission-critical data or applications in your VMware environment, you need to be scrupulous about preventing breaches and other improper access. The two cornerstones of security are permissions management and auditing. 
The authorization model for vCenter Server systems is based on using roles to assign user permissions to virtual machines, data stores, hosts, and other objects. Roles are predefined sets of privileges that can be assigned to individual users or groups of users, or set globally for the whole VMware instance (global permissions). With the exception of global permissions, propagation is not universally applied to all child objects in the hierarchy, and permissions defined for a child object always override the permissions that are propagated from parent objects.
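
The two rules above (a permission reaches child objects only when it is set to propagate, and a permission defined on a child overrides what its parents propagate) can be applied to exported permission rows to get one effective role per object. The PowerShell below is an added example, not part of the original script or of Netwrix Auditor; the sample inventory, the `Get-EffectiveRole` helper and the single-parent hierarchy are assumptions, and group membership and global permissions are not resolved.

```powershell
# Constructed sample data (not from a real vCenter).
# Assumption: each object has exactly one parent; $null marks a root.
$parentOf = @{
    'Datacenter-1' = $null
    'Cluster-A'    = 'Datacenter-1'
    'VM-web01'     = 'Cluster-A'
    'VM-db01'      = 'Cluster-A'
    'Datacenter-2' = $null
    'VM-test01'    = 'Datacenter-2'
}
# One row per permission, recorded on the object where it is defined.
$perms = @(
    [pscustomobject]@{ Entity = 'Datacenter-1'; Principal = 'DOMAIN\UserName'; Role = 'Admin';    Propagate = $true }
    [pscustomobject]@{ Entity = 'VM-db01';      Principal = 'DOMAIN\UserName'; Role = 'ReadOnly'; Propagate = $false }
    # Defined without propagation, so it covers Datacenter-2 only, not its children.
    [pscustomobject]@{ Entity = 'Datacenter-2'; Principal = 'DOMAIN\UserName'; Role = 'ReadOnly'; Propagate = $false }
)

function Get-EffectiveRole {
    param([string]$Entity, [string]$Principal, [object[]]$Permissions, [hashtable]$ParentOf)
    $current = $Entity
    while ($current) {
        # Applies if defined on the object itself, or on an ancestor with Propagate set.
        # The string comparison also accepts 'True'/'False' text read by Import-Csv.
        $hit = $Permissions | Where-Object {
            $_.Entity -eq $current -and $_.Principal -eq $Principal -and
            ($current -eq $Entity -or "$($_.Propagate)" -eq 'True')
        } | Select-Object -First 1
        if ($hit) {
            # Nearest definition wins: a child's own permission overrides an inherited one.
            return [pscustomobject]@{
                Object    = $Entity
                Role      = $hit.Role
                DefinedIn = $current
                Inherited = ($current -ne $Entity)
            }
        }
        $current = $ParentOf[$current]   # walk up; $null at a root ends the loop
    }
}

$report = foreach ($obj in ($parentOf.Keys | Sort-Object)) {
    Get-EffectiveRole -Entity $obj -Principal 'DOMAIN\UserName' -Permissions $perms -ParentOf $parentOf
}
$report | Format-Table -AutoSize
```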

Because VMware objects form a deeply branching hierarchy, even the most experienced administrators find it hard to make sense of permissions in complex environments. Native tools, such as vSphere and PowerCLI, let administrators view the roles and permissions for a particular object or its child objects; however, it takes a good deal of time, effort and skill to grasp the true range of permissions for even a single user.

Netwrix Auditor for VMware provides a clear summary of all the vCenter objects that a user or group has explicit or inherited permissions for, either directly or through group membership. It also enables you to analyze VMware permissions from different angles: in particular, you can see all the permissions that a specific account or group has, list all accounts that have permissions to a specific VMware object, or view all permissions assigned to a specific role.
In addition to providing clear insight into permissions, Netwrix Auditor also enables you to keep close tabs on who has changed what in your virtual infrastructure — without plodding through cryptic VMware logs. You can produce clear reports in a few clicks, quickly investigate suspicious activity using interactive search, and even get alerted to critical changes so you can respond in time to prevent a breach.