As demonstrated in one of my previous posts for VMware Horizon View 5.2:
Using PowerCLI to create new role and assign service account used by VMware Horizon View 5.2 (View Manager & View Composer) permissions for vCenter Server 5.1
https://blog.terenceluk.com/2013/04/using-powercli-to-create-new-role-and.html
… you can use PowerCLI to create, configure and assign the role required for the VMware View Manager and View Composer service account to access the vCenter. As my current role requires me to architect and implement VDI solutions from VMware and Citrix, I thought I’d also write the equivalent post for Citrix XenDesktop 5.6 demonstrating how to create a role in vCenter with permissions required by the XenDesktop DDC (Desktop Delivery Controller) to deploy and manage desktop catalogs.
Before I being, note that the documentation for the required permissions that I will be using can be found at the following URLs:
Using VMware with XenDesktop
http://support.citrix.com/proddocs/topic/xendesktop-rho/cds-vmware-rho.html
More information about the permissions required can be found in one of my previous posts here:
Permissions required for Citrix XenDesktop 5.6 and VMware vSphere 5.1
https://blog.terenceluk.com/2013/04/permissions-required-for-citrix.html
Assigning permissions to variable
Prior to creating the role, we’ll need to assign the required permissions to a variable and prior to assigning the permissions to variable, we’ll need to identify the unique Id for the privilege by using the following PowerCLI command for each permission required:
Get-VIPrivilege -Name “<Name of permissions>” | FL
The reason why we need to identify the unique Id is because permissions such as Power On are generic and can be found in nodes such as Interaction:
… and vApp:
… which are permissions we don’t need. Without making this post too long, I will demonstrate the output for the Power On permissions in the PowerCLI:
Connect-VIServer <yourvCenterFQDN>
Get-VIPrivilege -Name “Power On” | FL
Note that the Power On permissions we’re interested in is under the ParentGroupID VirtualMachine.Interact and the unique Id is VirtualMachine.Interact.PowerOn.
Once I’ve gone through the list of privileges required, I was able to assign the permissions with the following cmdlet to assign the permissions to a variable:
$priv = Get-VIPrivilege –ID Datastore.AllocateSpace,Datastore.Browse,Datastore.FileManagement,Host.Config.AdvancedConfig,VirtualMachine.Config.AddExistingDisk,VirtualMachine.Config.AddNewDisk,VirtualMachine.Config.CPUCount,VirtualMachine.Config.Resource,VirtualMachine.Config.Memory,VirtualMachine.Config.RemoveDisk,VirtualMachine.Interact.PowerOff,VirtualMachine.Interact.PowerOn,VirtualMachine.Interact.Reset,VirtualMachine.Interact.Suspend,VirtualMachine.Inventory.CreateFromExisting,VirtualMachine.Inventory.Create,VirtualMachine.Inventory.Register,VirtualMachine.Inventory.Delete,VirtualMachine.Provisioning.DiskRandomAccess,VirtualMachine.Provisioning.GetVmFiles,VirtualMachine.Provisioning.PutVmFiles,VirtualMachine.Provisioning.CloneTemplate,VirtualMachine.Provisioning.Clone,VirtualMachine.Provisioning.DeployTemplate,VirtualMachine.State.CreateSnapshot,VirtualMachine.State.RevertToSnapshot,Resource.AssignVMToPool,Global.ManageCustomFields,Global.SetCustomField,Network.Assign,Task.Create
Creating the VMware View service role and assigning permissions
With the permissions stored in a variable, what need to do is combine the cmdlet to create the role and assign the stored permissions as such:
$priv = Get-VIPrivilege -ID Datastore.AllocateSpace,Datastore.Browse,Datastore.FileManagement,Host.Config.AdvancedConfig,VirtualMachine.Config.AddExistingDisk,VirtualMachine.Config.AddNewDisk,VirtualMachine.Config.CPUCount,VirtualMachine.Config.Resource,VirtualMachine.Config.Memory,VirtualMachine.Config.RemoveDisk,VirtualMachine.Interact.PowerOff,VirtualMachine.Interact.PowerOn,VirtualMachine.Interact.Reset,VirtualMachine.Interact.Suspend,VirtualMachine.Inventory.CreateFromExisting,VirtualMachine.Inventory.Create,VirtualMachine.Inventory.Register,VirtualMachine.Inventory.Delete,VirtualMachine.Provisioning.DiskRandomAccess,VirtualMachine.Provisioning.GetVmFiles,VirtualMachine.Provisioning.PutVmFiles,VirtualMachine.Provisioning.CloneTemplate,VirtualMachine.Provisioning.Clone,VirtualMachine.Provisioning.DeployTemplate,VirtualMachine.State.CreateSnapshot,VirtualMachine.State.RevertToSnapshot,Resource.AssignVMToPool,Global.ManageCustomFields,Global.SetCustomField,Network.Assign,Task.Create
New-VIRole -Name “XenDesktop Service” -Privilege $priv
Once this role has been created:
… the last step was to execute the following to add your domain service account to the role:
$rootFolder = Get-Folder -NoRecursion
$myPermission = New-VIPermission -Entity $rootFolder -Principal “domainsvc_XenDesktop” -Role “XenDesktop Service” -Propagate:$true
… which will assign the domain service account to the vCenter object (top most level).
Note that the cmdlets above were tested with Citrix XenDesktop 5.6 and vCenter 5.1.0 Build 947673.