VCP-NV: Configure Roles, Permissions, and Scopes

by admin

This quick post looks at some of the options for allowing access to manage NSX deployments. When the NSX Manager is registered with a vCenter, the vCenter user specified is granted the NSX administrator role, which gives it full permissions within NSX. Permissions for other users need to be set up manually by adding users/groups to NSX roles, of which NSX has four:

  • NSX Administrator – This role allows users to perform NSX operations such as deploying NSX components – logical switches and routers
  • Enterprise Administrator – This role can perform operations and security functions – allows you to do anything within NSX
  • Security Administrator – This role allows users to perform security functions such as managing firewall services and SpoofGuard, but can’t deploy NSX components
  • Auditor – This is a read only role, which allows users to view settings and reports

In addition to the roles, there are two built-in scopes, which define what the users have access to. The two scopes are ‘unrestricted’, which gives access to the entire NSX system, and ‘limit access scope’, which gives access to a specified edge.

When deploying NSX Manager, you can register NSX Manager with SSO. This allows you to specify vCenter users and assign them roles within NSX.

Assigning NSX Roles to vCenter Users

To assign roles to vCenter users, make your way to the ‘Networking and Security’ pane in the vSphere Web Client, then click on ‘NSX Managers’. Select the NSX Manager, then go to the ‘Manage’ tab, then the ‘Users’ menu item:

[Image: assign-nsx-users-to-roles]

Click the green ‘+’ to add a new vCenter user or group to a role:

[Image: nsx-add-user]

Click next, then select the role to be assigned to the user:

[Image: nsx-assign-role]

On the next screen, select the scope over which the user will have permission:

[Image: nsx-limit-scope]

Once complete, your new users will be listed:

[Image: nsx-users]

To edit an existing user, highlight the user object then click the ‘pencil’ edit button. This will allow you to change the role and scope assigned to the user. Other actions available here include the option to enable/disable users, and the option to delete a user.
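The assignments made this way are worth reviewing periodically for least privilege. The following is an added example, not code from the original post or from VMware: it checks a list of role assignments against the roles and scopes described above. The record layout, the finding names, the approved-admin list and the sample entries are all constructed for illustration.

```python
from dataclasses import dataclass

# Role and scope names as listed in this post; everything else is assumed.
PRIVILEGED = {"NSX Administrator", "Enterprise Administrator"}
ROLES = PRIVILEGED | {"Security Administrator", "Auditor"}
SCOPES = {"unrestricted", "limit access scope"}

@dataclass
class Assignment:               # hypothetical record layout, not an NSX export
    principal: str              # vCenter user or group
    role: str
    scope: str
    edges: tuple = ()           # edges selected for 'limit access scope'
    enabled: bool = True

def review(assignments, approved_admins):
    """Return (principal, finding) pairs for entries that need attention."""
    findings = []
    for a in assignments:
        if a.role not in ROLES or a.scope not in SCOPES:
            findings.append((a.principal, "unknown-role-or-scope"))
            continue
        if not a.enabled:
            # Disabled entries still hold a role; delete them if no longer needed.
            findings.append((a.principal, "disabled-entry"))
            continue
        if a.role in PRIVILEGED and a.principal not in approved_admins:
            findings.append((a.principal, "unapproved-admin"))
        if a.scope == "limit access scope" and not a.edges:
            findings.append((a.principal, "limited-scope-no-edge"))
    return findings

# Constructed sample data.
APPROVED_ADMINS = {r"vsphere.local\administrator"}
SAMPLE = [
    Assignment(r"vsphere.local\administrator", "Enterprise Administrator", "unrestricted"),
    Assignment(r"CORP\netops", "NSX Administrator", "unrestricted"),
    Assignment(r"CORP\fw-team", "Security Administrator", "limit access scope", ("edge-1",)),
    Assignment(r"CORP\contractor1", "Security Administrator", "limit access scope"),
    Assignment(r"CORP\old-auditor", "Auditor", "unrestricted", enabled=False),
]

if __name__ == "__main__":
    for principal, finding in review(SAMPLE, APPROVED_ADMINS):
        print(f"{finding:24} {principal}")
```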

Access Denied

If you log into vCenter with a user that has vCenter permissions but has not been assigned a role within NSX, then you receive a message like this:

[Image: nsx-access-denied]

Useful Links and Resources

http://pubs.vmware.com/NSX-6/topic/com.vmware.ICbase/PDF/nsx_6_admin.pdf


Johan Blom May 10, 2016 at 12:22 pm

Hi

How did you manage to get the Limit scope part? I've never seen it on 6.2 at least

Br

Johan
