This will be a quick post will look at some of the options for allowing access to manage NSX deployments. When the NSX manager is registered with a vCenter, the vCenter user specified is granted the NSX administrator role, which gives it full permissions within NSX. Permissions for other users will need to be set up manually, by adding users/groups to NSX roles, of which NSX has four:
- NSX Administrator – This role allows users to perform NSX operations such as deploying NSX components – logical switches and routers
- Enterprise Administrator – This role can perform operations and security functions – allows you to do anything within NSX
- Security Administrator – This role allows users to perform security functions such as managing firewall services and SpoofGuard, but can’t deploy NSX components
- Auditor – This is a read only role, which allows users to view settings and reports
In addition to the roles, there are two built in scopes, which define what the users have access two. The two scopes are ‘unrestricted’ which gives access to the entire NSX system, and ‘limit access scope’ which gives access to a specified edge.
Back when deploying NSX Manager , you can register NSX Manager with SSO. This allows you to specify vCenter users and assign them roles within NSX.
Assigning NSX Roles to vCenter Users
To assign roles to vCenter users, make your way to the ‘Networking and Security’ pane in the vSphere Web Client, then click on ‘NSX Managers’. Select the NSX Manager, then go to the ‘Manage’ tab, then the ‘Users’ menu item:
Click the green ‘+’ to add a new vCenter user or group to a role:
Click next, then select the role to be assigned to the user:
On the next screen, select the scope over which the user will have permission:
Once complete, your new users will be listed:
To edit an existing user, you can highlight the user object then click the ‘pencil’ edit button. This will allow you to change to role and scope assigned to the user. Other actions available here include the option to enable/disable users, and the option to delete a user.
If you log into vCenter with a user that has vCenter permissions but has not been assigned a role within NSX, then you receive a message like this: