VMware Cloud Community
jcwuerfl
Hot Shot

vcenter permissions

Looking for a way to check whether a specific permission for a specific role in vCenter is enabled (checked) or not (unchecked).

aka say:

Check to see if Role1 has the Virtual machine, State, Create Snapshot Right

Check to see if Role1 has the Virtual machine, State, Remove Snapshot Right

Check to see if Role1 has the Global, Log Event Right

I'm a bit of a PowerShell newbie, so the simpler the better so I can start easier and get a more complex solution.

Thanks!

2 Replies
AndySimmons
Hot Shot

This page has a few examples to get you started.

-Andy VCAP5-DCA, VCP-DV 4/5, MCSE, space camp graduate.
Craig_Baltzer
Expert

The first part of the challenge is figuring out the mapping between the "GUI path" (i.e. Virtual machine/State/Create Snapshot) and the actual name (VirtualMachine.State.CreateSnapshot). Usually these are pretty straightforward; however, you can "cheat" by creating a new role in the GUI and then using PowerCLI to see what is in the role. So say you created a role in the GUI called "Test" then ticked off all the rights you wanted. From PowerShell, connect to vC (connect-viserver vcname), then run

(get-virole Test).PrivilegeList

That will give you a list of all the privs for the role. So for a role with Virtual machine/State/Create Snapshot, Virtual machine/State/Remove Snapshot and Global/Log Event you'd get back

Global.LogEvent
System.Anonymous
System.Read
System.View
VirtualMachine.State.CreateSnapshot
VirtualMachine.State.RemoveSnapshot

You can ignore the "System" ones as they're defaults you always get back. So to see if Role1 has Virtual machine/State/Create Snapshot Right you could say

([string](get-virole Role1).PrivilegeList).Contains("VirtualMachine.State.CreateSnapshot")

which will return $True (the role is checked) or $False (the role is not checked)

You can also do things like find all roles that have a right by doing

get-virole | where-object {$_.PrivilegeList -contains "VirtualMachine.State.CreateSnapshot"}

0 Kudos
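The checks discussed in this thread, combined into one audit of a role against the privileges it is expected to hold. This is an added example, not code from any poster in the thread. It assumes VMware PowerCLI is loaded and Connect-VIServer has already been run; the function name Compare-RolePrivilege is hypothetical, and the role name and privilege IDs are the ones from the question.

```powershell
# Added example: compare a role's privileges with an expected list.
# Compare-RolePrivilege is a hypothetical helper name, not a PowerCLI cmdlet.
function Compare-RolePrivilege {
    param(
        [Parameter(Mandatory)] [string]   $RoleName,
        [Parameter(Mandatory)] [string[]] $Expected
    )

    # Stop with an error if the role does not exist
    $role = Get-VIRole -Name $RoleName -ErrorAction Stop

    # Drop the System.* defaults that every role carries
    $actual = @($role.PrivilegeList | Where-Object { $_ -notlike 'System.*' })

    # Walk the union of expected and actual privilege IDs
    foreach ($id in ($Expected + $actual | Sort-Object -Unique)) {
        # -contains compares whole array elements, so a partial ID never matches
        $want = $Expected -contains $id
        $have = $actual   -contains $id

        if ($want -and $have) { $status = 'Granted' }
        elseif ($want)        { $status = 'Missing' }
        else                  { $status = 'Unexpected' }

        [pscustomobject]@{
            Role      = $role.Name
            Privilege = $id
            Status    = $status
        }
    }
}

# The three rights from the original question
Compare-RolePrivilege -RoleName 'Role1' -Expected @(
    'VirtualMachine.State.CreateSnapshot',
    'VirtualMachine.State.RemoveSnapshot',
    'Global.LogEvent'
) | Format-Table -AutoSize
```

Rows marked Unexpected are privileges the role holds beyond the expected list, which is the part worth reviewing when a role is meant to be least-privilege.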