Introduction
Managing vCenter effectively means having tight control over roles, permissions, alarms, and automation. PowerCLI enables administrators to standardize access, monitor activity, and automate routine responses to infrastructure events.
In this article, you will learn how to:
- Create custom roles and assign permissions
- Audit existing access and role assignments
- Manage alarms for VM, host, and datastore conditions
- Trigger actions based on thresholds
- View and schedule vCenter tasks
My Personal Repository on GitHub
Creating and Assigning Roles
Step 1: Create a Custom Role
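```powershell
# Privilege IDs the role should contain
$privileges = @(
    "System.Anonymous",
    "System.View",
    "VirtualMachine.Interact.PowerOn",
    "VirtualMachine.Interact.PowerOff"
)
# New-VIRole expects privilege objects, so resolve the IDs with Get-VIPrivilege first
New-VIRole -Name "VM-PowerUser" -Privilege (Get-VIPrivilege -Id $privileges)
```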
Step 2: Assign the Role to a User or Group
```powershell
$entity = Get-Folder -Name "Production VMs"
New-VIPermission -Entity $entity -Principal "LAB\DomainAdmins" -Role "VM-PowerUser" -Propagate:$true
```
Auditing Roles and Permissions
List All Roles
```powershell
Get-VIRole
```
View Permissions for a Specific Object
```powershell
Get-Folder -Name "Production VMs" | Get-VIPermission
```
List All Principals with Permissions
```powershell
Get-VIPermission | Select-Object Entity, Principal, Role
```
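The listing above can be turned into a least-privilege review. The following is an added example, not code from the original article: the function name `Test-VIPermissionRisk`, its three rules, and the principals `LAB\jsmith` and `LAB\svc-backup` are assumptions, and the sample rows are constructed so the script runs without a vCenter connection.

```powershell
# Added example: review Get-VIPermission output against least-privilege rules.
# Test-VIPermissionRisk and its rules are illustrative assumptions.
function Test-VIPermissionRisk {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Permission,
        [string[]] $ApprovedAdmins = @(),            # principals allowed to hold Admin
        [string]   $RootFolderName = 'Datacenters'   # default name of the inventory root folder
    )
    process {
        # Live objects carry an inventory object in Entity; the sample rows carry a plain string
        $entityName = if ($Permission.Entity.Name) { $Permission.Entity.Name } else { "$($Permission.Entity)" }
        $findings = @()
        if ($Permission.Role -eq 'Admin' -and $Permission.Principal -notin $ApprovedAdmins) {
            $findings += 'Admin role held by unapproved principal'
        }
        if ($entityName -eq $RootFolderName -and $Permission.Propagate) {
            $findings += 'Propagating grant at the inventory root'
        }
        if (-not $Permission.IsGroup) {
            $findings += 'Granted to an individual user instead of a group'
        }
        if ($findings) {
            [pscustomobject]@{
                Entity    = $entityName
                Principal = $Permission.Principal
                Role      = $Permission.Role
                Findings  = $findings -join '; '
            }
        }
    }
}

# Constructed sample rows using the property names Get-VIPermission returns
$sample = @(
    [pscustomobject]@{ Entity = 'Datacenters';    Principal = 'LAB\jsmith';       Role = 'Admin';        IsGroup = $false; Propagate = $true }
    [pscustomobject]@{ Entity = 'Production VMs'; Principal = 'LAB\DomainAdmins'; Role = 'VM-PowerUser'; IsGroup = $true;  Propagate = $true }
    [pscustomobject]@{ Entity = 'Production VMs'; Principal = 'LAB\svc-backup';   Role = 'ReadOnly';     IsGroup = $false; Propagate = $false }
)

# Two of the three rows are flagged; the group-scoped VM-PowerUser grant passes
$sample | Test-VIPermissionRisk -ApprovedAdmins 'VSPHERE.LOCAL\Administrators' | Format-List

# Against a live vCenter (after Connect-VIServer), pipe the real data instead:
# Get-VIPermission | Test-VIPermissionRisk -ApprovedAdmins 'VSPHERE.LOCAL\Administrators'
```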
Alarm Configuration and Monitoring
vCenter alarms monitor object health and trigger actions automatically. PowerCLI allows for querying and creating alarm definitions.
View Existing Alarms
```powershell
Get-AlarmDefinition
```
Example: Trigger Alarm on Host Connection Loss
```powershell
$entity = Get-Cluster -Name "Prod-Cluster"
New-AlarmDefinition -Name "HostDisconnected" -Entity $entity -Expression {
    New-AlarmExpression -Metric "Host.ConnectionState" -Operator "isEqual" -Value "notResponding"
} -Action {
    New-AlarmAction -SendEmail -To "admin@company.com"
} -Enabled:$true
```
Diagram: vCenter Role and Alarm Automation

Scheduled Tasks and Task Management
View Running Tasks
```powershell
Get-Task | Where-Object { $_.State -eq "Running" }
```
Schedule a VM Power Operation
PowerCLI does not natively schedule tasks inside vCenter. However, you can use Windows Task Scheduler or cron to execute PowerCLI scripts like:
```powershell
Start-VM -VM "SQL-Prod01"
```
Save the script and create a scheduled task to run it daily.
Use Case: Delegating Limited Power Control to Helpdesk
Many organizations want to allow junior staff or helpdesk to power on or off VMs without full access. This can be achieved by:
- Creating a custom role with only power-on and power-off privileges
- Assigning that role to the helpdesk group scoped to a specific folder
- Enforcing through propagated permissions
This ensures least privilege access while maintaining operational flexibility.
Troubleshooting and Gotchas
| Issue | Fix |
|---|---|
| Cannot assign role to user | Verify user exists in identity source and has access to vCenter |
| Alarm not triggering | Check metric and object scope match the alarm configuration |
| Permissions not propagating | Use -Propagate:$true in New-VIPermission |
| Scheduled task fails silently | Run PowerCLI scripts interactively to test before scheduling |
What’s Next
In the next article, we will explore:
- vSphere Tags and Custom Attributes
- Metadata-driven automation
- Tag assignment logic and reports