community.vmware.vmware_object_role_permission – Manage local roles on an ESXi host

Note

This plugin is part of the community.vmware collection (version 1.7.0).

To install it use: ansible-galaxy collection install community.vmware.

To use it in a playbook, specify: community.vmware.vmware_object_role_permission.

Synopsis

  • This module can be used to manage object permissions on the given host.

Requirements

The below requirements are needed on the host that executes this module.

  • python >= 2.7

  • PyVmomi

Parameters

Parameter Choices/Defaults Comments
group
string
The group to be assigned permission.
Required if principal is not specified.
hostname
string
The hostname or IP address of the vSphere vCenter or ESXi server.
If the value is not specified in the task, the value of environment variable VMWARE_HOST will be used instead.
Environment variable support added in Ansible 2.6.
object_name
string / required
The object name to assigned permission.
object_type
string
    Choices:
  • Folder ←
  • VirtualMachine
  • Datacenter
  • ResourcePool
  • Datastore
  • Network
  • HostSystem
  • ComputeResource
  • ClusterComputeResource
  • DistributedVirtualSwitch
The object type being targeted.
password
string
The password of the vSphere vCenter or ESXi server.
If the value is not specified in the task, the value of environment variable VMWARE_PASSWORD will be used instead.
Environment variable support added in Ansible 2.6.

aliases: pass, pwd
port
integer
Default:
443
The port number of the vSphere vCenter or ESXi server.
If the value is not specified in the task, the value of environment variable VMWARE_PORT will be used instead.
Environment variable support added in Ansible 2.6.
principal
string
The user to be assigned permission.
Required if group is not specified.
If specifying domain user, required separator of domain uses backslash.
proxy_host
string
Address of a proxy that will receive all HTTPS requests and relay them.
The format is a hostname or a IP.
If the value is not specified in the task, the value of environment variable VMWARE_PROXY_HOST will be used instead.
This feature depends on a version of pyvmomi greater than v6.7.1.2018.12
proxy_port
integer
Port of the HTTP proxy that will receive all HTTPS requests and relay them.
If the value is not specified in the task, the value of environment variable VMWARE_PROXY_PORT will be used instead.
recursive
boolean
    Choices:
  • no
  • yes ←
Should the permissions be recursively applied.
role
string / required
The role to be assigned permission.
User can also specify role name presented in Web UI. Supported added in 1.5.0.
state
string
    Choices:
  • present ←
  • absent
Indicate desired state of the object's permission.
When state=present, the permission will be added if it doesn't already exist.
When state=absent, the permission is removed if it exists.
username
string
The username of the vSphere vCenter or ESXi server.
If the value is not specified in the task, the value of environment variable VMWARE_USER will be used instead.
Environment variable support added in Ansible 2.6.

aliases: admin, user
validate_certs
boolean
    Choices:
  • no
  • yes ←
Allows connection when SSL certificates are not valid. Set to false when certificates are not trusted.
If the value is not specified in the task, the value of environment variable VMWARE_VALIDATE_CERTS will be used instead.
Environment variable support added in Ansible 2.6.
If set to true, please make sure Python >= 2.7.9 is installed on the given machine.

Notes

Note

  • Tested on ESXi 6.5, vSphere 6.7

  • The ESXi login user must have the appropriate rights to administer permissions.

  • Permissions for a distributed switch must be defined and managed on either the datacenter or a folder containing the switch.

Examples

- name: Assign user to VM folder
  community.vmware.vmware_object_role_permission:
    hostname: '{{ esxi_hostname }}'
    username: '{{ esxi_username }}'
    password: '{{ esxi_password }}'
    role: Admin
    principal: user_bob
    object_name: services
    state: present
  delegate_to: localhost

- name: Remove user from VM folder
  community.vmware.vmware_object_role_permission:
    hostname: '{{ esxi_hostname }}'
    username: '{{ esxi_username }}'
    password: '{{ esxi_password }}'
    role: Admin
    principal: user_bob
    object_name: services
    state: absent
  delegate_to: localhost

- name: Assign finance group to VM folder
  community.vmware.vmware_object_role_permission:
    hostname: '{{ esxi_hostname }}'
    username: '{{ esxi_username }}'
    password: '{{ esxi_password }}'
    role: Limited Users
    group: finance
    object_name: Accounts
    state: present
  delegate_to: localhost

- name: Assign view_user Read Only permission at root folder
  community.vmware.vmware_object_role_permission:
    hostname: '{{ esxi_hostname }}'
    username: '{{ esxi_username }}'
    password: '{{ esxi_password }}'
    role: ReadOnly
    principal: view_user
    object_name: rootFolder
    state: present
  delegate_to: localhost

- name: Assign domain user to VM folder
  community.vmware.vmware_object_role_permission:
    hostname: "{{ vcenter_hostname }}"
    username: "{{ vcenter_username }}"
    password: "{{ vcenter_password }}"
    validate_certs: false
    role: Admin
    principal: "vsphere.local\\domainuser"
    object_name: services
    state: present
  delegate_to: localhost

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
changed
boolean
always
whether or not a change was made to the object's role



Authors

  • Derek Rushing (@kryptsi)

  • Joseph Andreatta (@vmwjoseph)