Migrating Roles & Privileges from an old vCenter to a new vCenter using PowerCLI

So we’re finally upgrading an old environment running vCenter 4.0 to a new vCenter running 5.5.  Instead of attempting an upgrade, we’re building new.  As it’s a new build, we had to find a way to migrate the roles & privileges to the new vCenter.

I have done this in the past utilizing the “Cheap Disaster Recovery” scripts from Gabe’s Virtual World.  You can find Gabe on twitter here! For some reason, the export script didn’t work for me here. Perhaps the source environment is too old, but when I tried to edit the script to find the problem, I noticed the script was written before the Get-VIRole cmdlet was created in PowerCLI.

Then, I came across this CLONE ROLES BETWEEN TWO VIRTUAL CENTER SERVERS blog post by Grzegorz Kulikowski which talked about how to do the export/import using the Get-VIRole cmdlet.  Although his post was written for transferring one role at a time, I decided to expand on it and write a script to transfer ALL ROLES!  So, I wrote a “foreach” loop to capture each role, export the privileges, create the new role in the new vCenter and finally transfer the privileges over to the new role.  It then loops back to the next role… RINSE/REPEAT!

Any roles that already exist on the new vCenter will error out when the script tries to create them, so you may see some _BLOOD SPLATTER_, but don’t worry.

#################################################
#
# PowerCLI Script to Transfer Roles between vCenters
# Written by BLiebowitz on 11/6/2015
#
#################################################

# Variables
$VC1 = "VCENTER1"   # source vCenter
$VC2 = "VCENTER2"   # destination vCenter

# Set the PowerCLI Configuration to connect to multiple vCenters
Set-PowerCLIConfiguration -DefaultVIServerMode Multiple -Confirm:$false

# Connect to both the source and destination vCenters
Connect-VIServer -Server $VC1, $VC2

# Get roles to transfer
$roles = Get-VIRole -Server $VC1

foreach ($role in $roles) {
    # Get role Privileges (IDs) from the source vCenter
    [string[]]$privsforRoleAfromVC1 = Get-VIPrivilege -Role (Get-VIRole -Name $role.Name -Server $VC1) | ForEach-Object { $_.Id }

    # Create new role in VC2 (errors if a role with this name already exists)
    New-VIRole -Name $role.Name -Server $VC2

    # Add Privileges to new role.
    Set-VIRole -Role (Get-VIRole -Name $role.Name -Server $VC2) -AddPrivilege (Get-VIPrivilege -Id $privsforRoleAfromVC1 -Server $VC2)
}

# Close both sessions without prompting
Disconnect-VIServer -Server $VC1, $VC2 -Confirm:$false
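
Because the loop only ever adds privileges, a role that already existed on the new vCenter keeps whatever it had before, and a privilege ID the new vCenter does not recognize cannot be added. The check below is an added example (not part of the original script) that compares each custom role's privilege IDs on both servers; Compare-RolePrivilege is a hypothetical helper name, and it assumes $VC1 and $VC2 are set and both sessions are still connected, so run it before the Disconnect-VIServer line.

```powershell
# Added example: post-migration check of role privileges (not from the original post).
# Assumes $VC1 (source) and $VC2 (destination) are set and both sessions are connected.

# Hypothetical helper: pure comparison of two privilege-ID lists for one role.
function Compare-RolePrivilege {
    param(
        [string]$RoleName,
        [string[]]$SourceIds = @(),
        [string[]]$DestIds = @()
    )
    $missing = @($SourceIds | Where-Object { $DestIds -notcontains $_ })
    $extra   = @($DestIds | Where-Object { $SourceIds -notcontains $_ })
    [pscustomobject]@{
        Role    = $RoleName
        Match   = ($missing.Count -eq 0 -and $extra.Count -eq 0)
        Missing = $missing -join ', '   # on the source role, absent on the destination
        Extra   = $extra -join ', '     # on the destination only: review for over-grant
    }
}

# Custom roles only: system roles are built in and cannot be modified.
$customRoles = Get-VIRole -Server $VC1 | Where-Object { -not $_.IsSystem }

$report = foreach ($role in $customRoles) {
    $src = @(Get-VIPrivilege -Role $role | ForEach-Object { $_.Id })

    # A role that failed to be created has no counterpart on the destination.
    $dstRole = Get-VIRole -Name $role.Name -Server $VC2 -ErrorAction SilentlyContinue
    if ($dstRole) {
        $dst = @(Get-VIPrivilege -Role $dstRole | ForEach-Object { $_.Id })
    } else {
        $dst = @()
    }

    Compare-RolePrivilege -RoleName $role.Name -SourceIds $src -DestIds $dst
}

# Show only roles that differ; no output means every custom role matches.
$report | Where-Object { -not $_.Match } | Format-List Role, Missing, Extra
```

Anything listed under Extra was on the destination role before the migration and is worth reviewing before permissions are assigned with that role.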

Hope you find it useful!

Ben Liebowitz, VCP, vExpert

NJ VMUG Leader


6 thoughts on “Migrating Roles & Privileges from an old vCenter to a new vCenter using PowerCLI”

    1. I tried a few different scripts. One included a custom function written by vNuggets.com in July of 2013. I used the export, import scripts that you posted as well. However, as my environments went to newer and newer versions of vCenter, they stopped working.

      The Cheap Disaster Recovery scripts from (http://www.gabesvirtualworld.com/cheap-disaster-recovery/) worked for me until recently.

      However, I found using the script I posted above to be much easier as the Get-VIRole cmdlet is now built into PowerCLI and there’s no need for building new functions, etc.

      – Ben

  1. I am trying to export and import both roles and permissions. Do you have a script for this?

    I am basically removing a vCenter from enhanced linked mode, and after you do that all custom roles and permissions are removed and have to be rebuilt. Any help would be great. Thanks
