With PowerCLI, you can automate management of vSphere permissions, roles, and privileges.


vSphere permissions determine your level of access to vCenter Server, ESX, and ESXi hosts. Privileges define individual rights to perform actions and access object properties. Roles are predefined sets of privileges.

Connect to a vSphere server.


Get the privileges of the Readonly role.

$readOnlyPrivileges = Get-VIPrivilege -Role Readonly

Create a new role with custom privileges.

$role1 = New-VIRole -Privilege $readOnlyPrivileges -Name Role1

Add the PowerOn privileges to the new role.

$powerOnPrivileges = Get-VIPrivilege -Name "PowerOn"
$role1 = Set-VIRole -Role $role1 -AddPrivilege $powerOnPrivileges

Create a permission and apply it to a vSphere root object.

$rootFolder = Get-Folder -NoRecursion
$permission1 = New-VIPermission -Entity $rootFolder -Principal "user" -Role readonly -Propagate:$true

The Principal parameter accepts both local and domain users and groups if the vSphere server is joined to Active Directory (AD).


Update the new permission with the custom role.

$permission1 = Set-VIPermission -Permission $permission1 -Role $role1

You created a new role and assigned permissions to a user.
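Because the permission above is applied to the root folder and propagates to child objects, it is worth reviewing what the custom role grants beyond Readonly. The following is an added example, not part of the original procedure: the function names and the sample objects are hypothetical, and the privilege IDs in the sample data are constructed for illustration. It assumes role objects expose Name and PrivilegeList, and permission objects expose Entity, Principal, Role, and Propagate.

```powershell
# Added example: compare a custom role with a baseline role and report
# propagating permissions whose role grants more than the baseline.

function Get-RolePrivilegeDelta {
    param($Role, $Baseline)
    # Privilege IDs present in $Role but absent from $Baseline
    @($Role.PrivilegeList |
        Where-Object { $_ -notin $Baseline.PrivilegeList } |
        Sort-Object)
}

function Find-ElevatedPropagatingPermission {
    param($Permissions, $Roles, $Baseline)
    foreach ($p in $Permissions) {
        # Permission objects carry the role by name; resolve it to a role object
        $role = $Roles | Where-Object { $_.Name -eq $p.Role } | Select-Object -First 1
        if (-not $role -or -not $p.Propagate) { continue }
        $extra = Get-RolePrivilegeDelta -Role $role -Baseline $Baseline
        if ($extra.Count -gt 0) {
            [pscustomobject]@{
                Entity          = $p.Entity
                Principal       = $p.Principal
                Role            = $p.Role
                ExtraPrivileges = $extra -join ', '
            }
        }
    }
}

# Constructed sample data mirroring the procedure: Role1 = Readonly + PowerOn
$readOnly = [pscustomobject]@{
    Name          = 'ReadOnly'
    PrivilegeList = @('System.Anonymous', 'System.Read', 'System.View')
}
$role1 = [pscustomobject]@{
    Name          = 'Role1'
    PrivilegeList = $readOnly.PrivilegeList +
                    @('VirtualMachine.Interact.PowerOn', 'VApp.PowerOn')
}
$permissions = @(
    [pscustomobject]@{ Entity = 'Datacenters'; Principal = 'user';    Role = 'Role1';    Propagate = $true }
    [pscustomobject]@{ Entity = 'Datacenters'; Principal = 'auditor'; Role = 'ReadOnly'; Propagate = $true }
)

# Reports only the 'user' permission, listing the two PowerOn privilege IDs
Find-ElevatedPropagatingPermission -Permissions $permissions `
    -Roles @($readOnly, $role1) -Baseline $readOnly | Format-List
```

In a connected session, the output of Get-VIRole and Get-VIPermission can be passed in place of the constructed objects, with the Readonly role as the baseline.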