With vSphere PowerCLI, you can automate management of vSphere permissions, roles, and privileges.


vSphere permissions determine your level of access to vCenter Server and ESX/ESXi hosts. Privileges define individual rights to perform actions and access object properties. Roles are predefined sets of privileges.

Verify that you are connected to a vCenter Server system.


Get the privileges of the Readonly role.

$readOnlyPrivileges = Get-VIPrivilege -Role Readonly

Create a new role with custom privileges.

$role1 = New-VIRole -Privilege $readOnlyPrivileges -Name Role1

Add the PowerOn privileges to the new role.

$powerOnPrivileges = Get-VIPrivilege -Name "PowerOn"
$role1 = Set-VIRole -Role $role1 -AddPrivilege $powerOnPrivileges

Create a permission and apply it to a vSphere root object.

$rootFolder = Get-Folder -NoRecursion
$permission1 = New-VIPermission -Entity $rootFolder -Principal "user" -Role readonly -Propagate:$true

The Principal parameter accepts both local and domain users and groups if the vCenter Server system is joined to AD.


Update the new permission with the custom role.

$permission1 = Set-VIPermission -Permission $permission1 -Role $role1

You created a new role and assigned permissions to a user.
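To confirm what the procedure actually granted, the following added example (not part of the original documentation) compares Role1 against the ReadOnly baseline plus the PowerOn privileges and checks the permission on the root folder. It assumes an active Connect-VIServer session and the page's names, Role1 and the placeholder principal "user"; the variable names are illustrative.

```powershell
# Added verification example, not part of the original procedure.
# Assumes an active Connect-VIServer session and the page's names:
# role "Role1" and the placeholder principal "user".
$roleName  = 'Role1'
$principal = 'user'

# Privilege IDs held by the built-in ReadOnly role and by the custom role.
$baseline = @((Get-VIRole -Name ReadOnly).PrivilegeList)
$custom   = @((Get-VIRole -Name $roleName).PrivilegeList)

# Privilege IDs the procedure's PowerOn lookup resolves to
# (the lookup can match more than one privilege).
$powerOn = @(Get-VIPrivilege -PrivilegeItem -Name 'PowerOn' |
    Select-Object -ExpandProperty Id)

# A privilege in Role1 that is neither ReadOnly nor PowerOn means the role
# is broader than intended; a missing one means a step did not apply.
$unexpected = @($custom | Where-Object { $_ -notin $baseline -and $_ -notin $powerOn })
$missing    = @(($baseline + $powerOn) | Where-Object { $_ -notin $custom })

# Permissions set directly on the root folder for the principal.
# The suffix match covers names reported as DOMAIN\user.
$rootFolder = Get-Folder -NoRecursion
$perms = @(Get-VIPermission -Entity $rootFolder |
    Where-Object { $_.Principal -like "*$principal" })

# Exactly one propagating permission with the custom role is expected.
$matching = @($perms | Where-Object { $_.Role -eq $roleName -and $_.Propagate })

[pscustomobject]@{
    Role             = $roleName
    PrivilegeCount   = $custom.Count
    UnexpectedPrivs  = $unexpected -join ', '
    MissingPrivs     = $missing -join ', '
    RootPermissions  = ($perms | ForEach-Object {
        "$($_.Principal) -> $($_.Role) (Propagate=$($_.Propagate))" }) -join '; '
    MatchesProcedure = ($unexpected.Count -eq 0 -and
                        $missing.Count -eq 0 -and
                        $matching.Count -eq 1)
}
```

Because the permission is set on the root folder with propagation, any entry under UnexpectedPrivs applies across the whole inventory and should be removed from the role before the permission is left in place.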