VMware vCloud Usage Meter – BND to Bundle Translation Technical Discussion

Recently, we received a post on VMware Communities forum for vCloud Usage Meter requesting clarification on the “BND” column on the Virtual Machine History Report. I’d like to spend a little more time discussing this further for others and some of the logic under the covers.

Moreover, I’m going to review a sanitized customer collection and discuss something I even learned.

Luis Ayuso and I spend a lot of time with Usage Meter, so over time, we’ve come intimately close to the inner workings of UM logic (more Luis, follow him for further updates and direction!). While UM has its quirks, it has quite a bit of logic and intelligence integrated for billing purposes.

First, here’s the BND mapping to current VCPP bundles –

Items that I want to point out:

  1. The BND identifier does not reflect the actual bundle point value. This is by design due to the variances of past bundles.
  2. The Standard Bundle is being retired, but will still show up in any existing or previous Usage Meter instances.
  3. While we have a unique ID for the Standard SP Bundle with Management or Networking, the point bundle value remains the same.

The second thing I’d like to cover is the BND column inside of the Virtual Machine History report – this is column P –

We can see in the above screenshot three important columns:

  1. Bnd Column – which is the bundle identifier. In the above example, we see VM’s reporting ID 7, which is the Standard Bundle.
  2. vROps Column – we would see a “Y” or “N” here depicting if this VM is registered inside of vRealize Operations. What we can conclude from the above screenshot is the following:
    1. Running vSphere Enterprise (NOT Enterprise Plus)
    2. vRealize Operations Itemized Breakout
    3. How? Well, Usage Meter will always pick the most cost-effective option as a bundle for the Providers. We know that the 7-point/Advanced Bundle has vSphere Enterprise Plus while the 5-point Standard bundle uses vSphere Enterprise which was EoL’d a few years ago. Moreover, if the Provider utilizes Advanced or Standard vROps, this is not in any VCPP bundle, so this will be itemized billed out. This could also be the Enterprise version since we are using the 5-point bundle.
  3. NSX Column – in this example, we do not have any NSX detection. However, if we did, we would see:
    1. B – NSX SP Base Version. Included in Advanced/7-Point Bundle
    2. A – Advanced SP Version. Included in Standard with Networking (8-Point) OR Advanced with Networking Bundle (9-Point).
    3. E – Enterprise SP Version. Included in Advanced with Networking and Management/12-Point Bundle.

As a quick refresher, here are the different versions of NSX inside of VCPP –

We can see in the below screenshot where the VM state changed – VM was registered inside of vROps. Therefore, the bundle went from BND 8 (Advanced SP) to BND 10 (Standard with Management). Why? Well, it was not utilizing vCloud Director nor NSX, so this is the most cost-effective option for this VM. 

Makes sense. Moreover, this is AVERAGED over the month, so if you utilize the Advanced bundle for half of the month while utilizing Standard with Management for the rest, you only pay for the specific hours of use.

Let’s talk about an interesting scenario. I noticed that a VM was “flapping” between BND 7 and BND 13 – that’s a big change. We can see that it’s utilizing vROps and NSX Advanced, but why wasn’t defaulting to a lower point bundle?

Well, Usage Meter will append a new line for VM state change – that includes vMotions. What we can see if this VM vMotion from host-30 to host-31 (sanitized names) but were using different vSphere licenses. Ah ha!

We can see on the top line which is host-30, it was using a vSphere Enterprise license while the next three line items (host-31) were on an vSphere Enterprise Plus license.

Interesting! So, how did this look in the Monthly Usage Report?

We can see NSX Advanced in the Monthly Report. While there is no itemized NSX Advanced in the Product Usage Guide, I believe the Provider would have to just report NSX Enterprise for these VM’s.

So, what did we learn from this scenario? Make sure your licensing is configured in a uniform fashion! This will be very unlikely in the future as Enterprise is not supported after September 2018, but it’s imperative to have proper hygiene for the same hosts in the same cluster.

Happy Metering,

-Daniel

VMworld 2018 Sessions for VMware Cloud Providers

This is a very exciting time for us at VMware, especially in the Cloud Provider Program. I am elated to say there are over 34 sessions that are tied to VMware Cloud Providers at VMworld 2018 – we are only publishing the sessions that are allowed currently…

I believe this is the most we’ve ever had at a VMworld. This signifies the importance of our Cloud Providers to VMware and our channel partners. As many of you have experienced, we are in a significant growth space and these sessions are very important for us to showcase what VMware is delivering around Cloud Providers. Moreover, this is a very important venue for us to present our current and future investments in VCPP.

I was honored when two of my sessions were accepted a few months ago. While it’s a little stressful on ensuring we are creating valuable content for our Cloud Service Providers, I am looking forward to presenting this material at VMworld.

Why VMware vSAN Is the Best Solution for Cloud Provider Environments [HCI1145BU]

The first session I have is with Greg Kaffenberger who is one of my esteemed colleagues inside of the VMware Cloud Provider team. We’ve noticed there’s some confusion around how vSAN works inside of our subscription model. Our goal is to demystify and showcase how vSAN is a sustainable operating model for Cloud Service Providers.

A lot of great content created that will be reviewed in this hour. Unfortunately, I wish we had more time – we’ve had to cut a lot but we will make the best of it!

Case Study: Hybrid Cloud with vCloud Extender from Customer to Provider [HYP1142BU]

I am co-presenting with Raffaelo Poltronieri at CloudItalia and we are stoked about speaking about vCloud Director Extender. While many of you have seen my Extender posts over the past year, we will be talking about some of the best practices and lessons learned with one of our strategic partners. Moreover, I will be discussing the goals going forward for our extensibility solutions – significant investment is going in to ensure we make it easy for our Cloud Providers to provide hybridity between on-prem and vCloud environments.

A few callouts I want to make as these are sessions you should not miss –

  • Consuming Cloud Provider SD-WAN Services [BRE3038BU] – this reviews VeloCloud for VCPP and it is very top of mind for many providers. Providing seamless connectivity between sites in a secure, multi-tenant, architecture is critical.
  • Delivering Custom Services Through vCloud Director Extensibility [HYP1803BU] – you will continue to see further development in UI Extensibility inside of vCloud Director. Milko and Martin will do a great job discussing what’s possible inside of the new vCD H5 UI.
  • Introducing VMware Cloud Provider Pod [HYP1499BU] – I can’t speak much about this right now, but check out what Wade Holmes and Yves Sandfort will be presenting. This is a new initiative and we’d love to get feedback from our Cloud Providers.

Honestly, they are all awesome. I was going to continue to list more, but there’s some valuable content being created by amazing leaders in this organization.

I will be at VMworld Saturday to Thursday – please reach out if ever want to talk about any of our solutions!

See you there,

-Daniel

Automate retrieving the Horizon Usage Report for VMware Cloud Providers

For VMware Cloud Providers that are using Horizon, monthly usage collection is not automated or collected by Usage Meter currently. This is a manual process that requires the Provider to retrieve the highwater mark concurrent usage on a monthly basis.

This post will document the automation of reporting of Horizon statistics in a Cloud Provider environment. I have tested this in my environment with vSphere 6.5 with Horizon 7.x.

First off, I did not do this by myself. Winston Blake and Carahsoft provided the initial script and I built off of it from there. Moreover, I received guidance from Luis Ayuso, Ray Heffer, and Wouter Kursten – this is the power of the #vCommunity! This is the first time I’ve created PowerShell code and published it to a git repo.

What does this PowerShell script provide?

  1. Creation of secure string for storing service account password
  2. Collection of Horizon Concurrent Usage data
  3. Outputs this to a file
  4. Emails this to a specified recipient(s)

What does it not provide?

  1. Setup of Windows Scheduled Task
  2. Reset of Highest Count in Horizon – yes, this is a bummer but will explain further on why.

High-Level Steps:

  1. Create a service account for running the usage collection.
  2. Download scripts to a folder on your View Manager server.
  3. Modify scripts and input folder and SMTP parameters.
  4. Run Part 1 of 2 – the securestring/password PS script.
  5. Create a basic task in Task Scheduler
    1. Test Run
  6. Enjoy emailed reports on a monthly basis and a quick link on resetting the highest count.

Create a service account

  1. In my lab environment, I created an account called “horizonsvc” in my domain. This is just a non-privileged account that I will utilize for read-only access to the Horizon environment. While the PowerShell script does convert the password to a securestring, this is just another best practice rather than running it as the default administrator account.
  2. In AD, we can see my Horizon Service Account – 
  3. And we also see that I added this user that’s attached to the Administrators (Read Only) group that provides limited permissions (no modifications available). 

Download scripts to a folder on your View Manager server

My repo is located here – https://github.com/dpaluszek/horizon-vcpp

VCPP Horizon Reporting
https://github.com/dpaluszek/horizon-vcpp
0 forks.
0 stars.
0 open issues.
Recent commits:

The first file is the password file that will store the service account password in a secure string.

https://github.com/dpaluszek/horizon-vcpp/blob/master/horizon-password.ps1

Next, the second file does the work on collection while creating the file and emailing it out –

https://github.com/dpaluszek/horizon-vcpp/blob/master/horizon-usage-script.ps1

While this does automate the collection of the highwater mark of concurrent users, it does NOT reset the usage after collection. This has to be manually done and there is a link inside of the received email to do this operation.

Here’s why –

  1. There’s not a direct API/PowerShell command today that can reset this.
  2. However, one can see this field under the ADSI structure under “OU=Properties, OU=Global, CN=Counters” – we can see pae-NumCCUCountHigh which is the variable we need. 
  3. After my testing of changing this variable (along with Wouter’s help), it seems to be delayed on propagation and I do not know the long term effects of this while View Manager is running. Last of all, I do not know if this would be a production-supported operation – but researching other options and what the BU can do in the future.

Modify scripts and input parameters

Let’s walk through each file and what needs to be modified before running this in your environment:

  1. horizon-password.ps1
    1. On line 8, we need to change the location directory of where you are going to save this file. I suggest putting it in the same location as the two PS scripts along with the two files that will be created
    2. #Replace "C:\directory\" with the target directory for your secure string text file.
      read-host -AsSecureString -prompt "Please enter the password" | ConvertFrom-SecureString | Out-File C:\horizon\$filename.txt
      
      
  2. horizon-usage-script.ps1
    1. Line 8/9 –  we need to utilize the same directory location as in 1B –
      1. ##Replace "C:\DIRECTORY\file.txt" with the path to your encrypted service account password
        
        $password = get-content C:\horizon\file.txt | ConvertTo-SecureString
    2. Line 10/11 – change it to your service account. As an example, I am utilizing “CORP\horizonsvc” as my account.
      1. ##Replace "DOMAIN\username" with service account name previously used in Part 1 of 2
        
        $credentials = new-object -TypeName System.Management.Automation.PSCredential -argumentlist "CORP\horizonsvc",$password
    3. Line 13/14 – Modify your FQDN of your View Instance. For example, I am using “view-01a.corp.local”
      1. ##Replace FQDN with hostname of your Horizon Manager server.
        
        $hznode ="view-01a.corp.local"
    4. Line 30 – Another directory change –
      1. $file = "c:\horizon\horizon-usage-$timestamp.txt"
    5. Lines 40 to 43 – this is your SMTP/email information. Update with your SMTP server, recipient, and sender.
      1. ##Change the three variables below for your environment: smtpserver, recipient, and sender. 
        
        $smtpserver = "mail.rainpole.com"
        
        $recipient = "administrator@rainpole.com"
        
        $sender = "administrator@rainpole.com"

Run Part 1 of 2 – securestring/password PS script

  1. This is pretty straightforward – we open up PowerShell and .\ the first script and input your service account password – 
  2. We can now see the service account password stored in the file. 

Create a basic task in Task Scheduler

  1. This could be run locally on the View Manager server or some other Windows server that can traverse the network and hit the View instance.
  2. Right click -> Create a Basic Task, provide a name – I am using Horizon Usage Report 
  3. Select Monthly as we will want to run this on the last day of the month before the next calendar month – 
  4. We will have this start at the end of the month but selecting all calendar months and the last day of the month. I have 11:45 PM local time to give us a 15-minute buffer to run the operation (even though this takes a few seconds to run). 
  5. We want to select Start a Program since we will call on PowerShell – 
  6. I just typed in “powershell.exe” since it should be in your path already. Under Add Arguments, put the full path to your usage script. For example, I am using “C:\horizon\horizon-usage-script.ps1” 
  7. Summary page, but make sure you check the box for Open the Properties dialog for this task as we want to make sure this task runs even if there’s not a logged in user – 
  8. Change the radio button to “Run whether user is logged on or not” and press OK – 
  9. It will then prompt your for credentials to save this task – 
  10. Okay, now we are ready to run it!

Test Run and Expected Output

  1. Let’s try to test run our newly created task – 
  2. We can see the task completes pretty quickly, about 2 seconds – 
  3. Ah, we got the email! We can see the body with the URL to reset the highest count along with the attached usage. 
  4. In the file, we can see in my lab environment I had a count of 2 for the NumConnectionsHigh. This is what I’d report under BizPortal/iAsset for my monthly usage. 
  5. While the file was created in my directory – 

As for the reset highest count, I am still evaluating all options and will be discussing this internally. I am hoping this is valuable for our VMware Cloud Providers and alleviating some of the operational reporting burden.

Again, big thanks to the vCommunity for the help. I had quite a bit of fun and continue to learn more from an automation/programming perspective.

Enjoy!

-Daniel

vCloud Director Extender 1.1.0.1 – Org Admin Permissions Script

On June 11th, there was a new release of vCloud Director (vCD) Extender that included a change in the organization administrator permissions. Big thanks to my peer Tomas Fojta for his collaboration and working with the Business Unit on further enhancing this permissions structure.

I have updated the PowerShell permissions script that will add these to the specified org. Note this is ONLY for version 1.1.0.1 of vCD Extender, so I am leaving my previous revisions alone.

I am probably stating the obvious here, but this can also be added via the vCD API. Here are the right references to add if you so choose:

<RightReferences>
<RightReference href="{url}/right/105191de-9e29-3495-a917-05fcb5ec1ad0" name="Organization vDC Gateway: View L2 VPN" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/eeb2b2a0-33a1-36d4-a121-6547ad992d59" name="Organization vDC Gateway: Configure L2 VPN" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/66b32e08-1eeb-37ac-9266-ffbd19b39dd8" name="Right: View" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/4886663f-ae31-37fc-9a70-3dbe2f24a8c5" name="Catalog: Add vApp from My Cloud" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/438e45e9-9389-3e29-9073-638b36921a2a" name="Disk: Create" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/1e5ad20d-1023-34d1-b073-1ea30bce3854" name="Disk: Delete" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/7bbee458-b3c5-3252-ba5a-b1781b1c7b92" name="Disk: Edit Properties" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/fd036ae5-b78b-3c9f-8f28-a7f6b33d0d92" name="Disk: View Properties" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/2cd03d47-38e1-337a-907c-8d5b6a5258f2" name="Organization vDC Distributed Firewall: Configure Rules" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/4e61b5b8-0964-36b6-b021-da39aea724fc" name="Organization vDC Distributed Firewall: View Rules" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/9dc33fcb-346d-30e1-8ffa-cf25e05ba801" name="Organization vDC Gateway: Convert to Advanced Networking" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/d1c77fc0-a4b9-3d99-bd4b-d7fab35e4fae" name="Organization vDC Gateway: View" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/2cd2d9d7-262c-34f8-8bee-fd92f422cc2c" name="General: Administrator Control" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/0b8c8cd2-5af9-32ad-a0bd-dc356503a552" name="General: Administrator View" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/b0cfe989-521b-3d7f-9bc2-f23c74a99633" name="Organization vDC Network: Edit Properties" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/2c8d98ef-4acc-3be4-9214-fcb9682b7a19" name="Organization vDC Network: View Properties" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/6cb3596a-15eb-3c2f-a657-5f14f2039719" name="Organization Network: Edit Properties" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/194c71a1-3d68-3156-b789-6a6384028b78" name="Organization Network: View" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/60be4106-1f9f-325c-8ff4-8bf2c6d9bc0a" name="Organization Network: Create or Delete" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/2dc8abec-2e0d-3789-a5f9-ce0453160b53" name="vApp: Create / Reconfigure" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/df05c07f-c537-3777-8d9b-a9cfe8d49014" name="vApp: Delete" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/c2a29357-1b2a-3f9d-9cd6-de3d525d49f3" name="vApp: Edit Properties" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/580860cd-55bc-322d-ac39-4f9d8e3e1cd2" name="vApp: Power Operations" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/4965b0e7-9ed8-371d-8b08-fc716d20bf4b" name="vApp: Copy" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/8832800f-575f-3501-ad84-8e15f3898f11" name="vApp: Change Owner" type="application/vnd.vmware.admin.right+xml"/>
<RightReference href="{url}/right/5250ab79-8f50-33f9-8af5-015cb39c380b" name="vApp: Edit VM Properties" type="application/vnd.vmware.admin.right+xml"/>
</RightReferences>

 

Below is the updated PowerShell script. Again, another thanks to Jon Waite for letting me borrow his initial code!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
# vCloud Director Extender Permissions Setup - initially created by KiwiCloud.Ninja - modified by Daniel Paluszek - paluszek.com
# Creation Date: 2018-June-15
# Version 2.1 - for vCD Extender 1.1.0.1 and vCloud Director 9.1
# Adds specific permissions required for vCD Extender Org Admin to connect successfully to cloud instance.
# NOTE: These are tested on version vCD 9.1.0.7905680 and vCD Extender 1.1.0.1
# Note that Organization roles (e.g. Organizational Administrator) still need to be edited to add these rights once is executed
# NOTE: You must be connected to the vCloud API (Connect-CIServer) with a System administrative user prior to running the script for this to work.
# Add your Org name and vCD instance name below
$OrgToUpdate = '&lt;INSERT-ORG-NAME&gt;'
$APIendpoint = '&lt;INSERT-IP-OR-FQDN-OF-VCD&gt;'

Function vCloud-REST(
[Parameter(Mandatory=$true)][string]$URI,
[string]$ContentType,
[string]$Method = 'Get',
[string]$ApiVersion = '27',
[string]$Body,
[int]$Timeout = 40
)
{
$mysessionid = ($global:DefaultCIServers | Where { $_.Name -eq $APIendpoint }).SessionId
$Headers = @{"x-vcloud-authorization" = $mysessionid; "Accept" = 'application/*+xml;version=' + $ApiVersion}
if (!$ContentType) { Remove-Variable ContentType }
if (!$Body) { Remove-Variable Body }
Try
{
[xml]$response = Invoke-RestMethod -Method $Method -Uri $URI -Headers $headers -Body $Body -ContentType $ContentType -TimeoutSec $Timeout
}
Catch
{
Write-Host "Exception: " $_.Exception.Message
if ( $_.Exception.ItemName ) { Write-Host "Failed Item: " $_.Exception.ItemName }
Write-Host "Exiting."
Return
}
return $response
} # Function vCloud-REST End

# Adds required permissions for vCD Extender connectivity - still require to apply permissions in the UI once executed!
$newrights = @{}
$newrights.Add("Organization vDC Gateway: View L2 VPN", "105191de-9e29-3495-a917-05fcb5ec1ad0")
$newrights.Add("Organization vDC Gateway: Configure L2 VPN", "eeb2b2a0-33a1-36d4-a121-6547ad992d59")
$newrights.Add("Right: View", "66b32e08-1eeb-37ac-9266-ffbd19b39dd8")
$newrights.Add("Catalog: Add vApp from My Cloud", "4886663f-ae31-37fc-9a70-3dbe2f24a8c5")
$newrights.Add("Disk: Create", "438e45e9-9389-3e29-9073-638b36921a2a")
$newrights.Add("Disk: Delete", "1e5ad20d-1023-34d1-b073-1ea30bce3854")
$newrights.Add("Disk: Edit Properties", "7bbee458-b3c5-3252-ba5a-b1781b1c7b92")
$newrights.Add("Disk: View Properties", "fd036ae5-b78b-3c9f-8f28-a7f6b33d0d92")
$newrights.Add("Organization vDC Distributed Firewall: Configure Rules", "2cd03d47-38e1-337a-907c-8d5b6a5258f2")
$newrights.Add("Organization vDC Distributed Firewall: View Rules", "4e61b5b8-0964-36b6-b021-da39aea724fc")
$newrights.Add("Organization vDC Gateway: Convert to Advanced Networking", "9dc33fcb-346d-30e1-8ffa-cf25e05ba801")
$newrights.Add("Organization vDC Gateway: View", "d1c77fc0-a4b9-3d99-bd4b-d7fab35e4fae")
$newrights.Add("General: Administrator Control", "2cd2d9d7-262c-34f8-8bee-fd92f422cc2c")
$newrights.Add("General: Administrator View", "0b8c8cd2-5af9-32ad-a0bd-dc356503a552")
$newrights.Add("Organization vDC Network: Edit Properties", "b0cfe989-521b-3d7f-9bc2-f23c74a99633")
$newrights.Add("Organization vDC Network: View Properties", "2c8d98ef-4acc-3be4-9214-fcb9682b7a19")
$newrights.Add("Organization Network: Edit Properties", "6cb3596a-15eb-3c2f-a657-5f14f2039719")
$newrights.Add("Organization Network: View", "194c71a1-3d68-3156-b789-6a6384028b78")
$newrights.Add("Organization Network: Create or Delete", "60be4106-1f9f-325c-8ff4-8bf2c6d9bc0a")
$newrights.Add("vApp: Create / Reconfigure", "2dc8abec-2e0d-3789-a5f9-ce0453160b53")
$newrights.Add("vApp: Delete", "df05c07f-c537-3777-8d9b-a9cfe8d49014")
$newrights.Add("vApp: Edit Properties", "c2a29357-1b2a-3f9d-9cd6-de3d525d49f3")
$newrights.Add("vApp: Power Operations", "580860cd-55bc-322d-ac39-4f9d8e3e1cd2")
$newrights.Add("vApp: Copy", "4965b0e7-9ed8-371d-8b08-fc716d20bf4b")
$newrights.Add("vApp: Change Owner", "8832800f-575f-3501-ad84-8e15f3898f11")
$newrights.Add("vApp: Edit VM Properties", "5250ab79-8f50-33f9-8af5-015cb39c380b")

$myendpoint = $global:DefaultCIServers | Where { $_.Name -eq $APIendpoint }

if (!$myendpoint.IsConnected) {
Write-Host "Not connected to this vCloud endpoint, use 'Connect-CIServer' before running this script."
Exit
}

$org = Get-Org -Name $OrgToUpdate -Server $APIendpoint

if (!$org) {
Write-Host "Couldn't match organization with name $OrgToUpdate, exiting."
Exit
}

$rightsuri = 'https://' + $APIendpoint + "/api/admin/org/" + $org.Id.Substring($org.Id.LastIndexOf(':')+1) + "/rights"

[xml]$rights = vCloud-REST -URI $rightsuri -ContentType 'application/vnd.vmware.admin.org.rights+xml' -Method 'Get' -ApiVersion '27.0'

# Add the new API v27 'RightsReference' elements to the XML returned:
foreach($newrule in $newrights.Keys) {
$newright = $rights.CreateElement("RightReference", "http://www.vmware.com/vcloud/v1.5")
$newright.SetAttribute("href","https://$APIEndpoint/api/admin/right/$($newrights.Item($newrule))")
$newright.SetAttribute("name",$newrule)
$newright.SetAttribute("type","application/vnd.vmware.admin.right+xml")
$rights.OrgRights.AppendChild($newright)
}

# Update the Organization with the ammended rights:
vCloud-REST -URI $rightsuri -ContentType 'application/vnd.vmware.admin.org.rights+xml' -Body $rights.InnerXml -Method 'Put' -ApiVersion '27.0'

Happy migrating,

-Daniel