NSX Manager Account – NSX CLI account – Part-1 (Account Creation)
Recently I was doing a vROps project that required monitoring an NSX environment as well. VMware has a management pack for NSX that monitors the NSX environment. Once I went through the procedure, I found a roadblock: the vROps management pack for NSX requires (here is how to install and configure vRops MP for NSX) an NSX CLI account. For many companies, it is okay to use the built-in ‘Admin’ account. But from a security point of view, it is not acceptable to use the Admin account. After googling for NSX Manager accounts, I found a detailed article from my colleague Dale Coghlan. This article is probably a simpler version of Dale’s content for the user creation process. It also covers the roles and management for the NSX Manager CLI (native) account and the NSX (with vCenter) account.
Before going to account management, let’s look at the roles available natively from the NSX API and for NSX Manager from vCenter.
NSX user roles assigned from the API –
Based on NSX version 6.3, we have 3 roles for the user
– Super User (super_user)
– Security User (security_user)
– Auditor (auditor)
User roles from the vCenter GUI –
– Enterprise Administrator
– NSX Administrator
– Security Administrator
– Auditor
The Security User and Auditor roles of the NSX CLI account match the Security Administrator and Auditor roles of the GUI accounts, respectively.
Creating an NSX Manager CLI account:
In short, it is a process of 2 major steps –
1. Using the NSX Manager CLI, create the user and grant it the web-interface privilege
2. Using the API, grant the user a role on NSX with vCenter. (It’s a little confusing, but without a vCenter-based role, this CLI account cannot perform any NSX-related task)
How to –
Step 1:
– Log in to the NSX Manager either with SSH or directly at the console.
– Go to privileged mode by typing enable or en and providing the necessary password
– Go to configure mode by typing config terminal
– Use these two commands to create the user and assign the web-interface privilege.
user user_name password plaintext password_string
user user_name privilege web-interface
The first command creates the user, and the second one marries the account with the web interface (to me, it is marrying it with the API). If you log in to the vCenter GUI to check the account(s), you won’t find it.
In my case, I created 5 test users and assigned the web-interface privilege to all but user-2.
Most importantly, don’t forget to save the config and check it.
The commands for these are –
write / write memory
show start-config
Step 2:
Now it’s time to assign the role privilege to the account created earlier. Open any RESTful API client and run the command below.
It is a POST command – https://NSX_Manager_IP_or_URL/api/2.0/services/usermgmt/role/user_name?isCli=true
Body will be –
<?xml version="1.0" encoding="UTF-8"?>
<accessControlEntry>
<role>super_user</role>
<resource>
<resourceId>globalroot-0</resourceId>
</resource>
</accessControlEntry>
Once it is successful, the result status will be 204 without any content. The integration of the account is then complete, and the account is visible from the vCenter GUI.
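The Step 2 call scripted in Python, as an added example that is not part of the original post: it validates the role against the three API roles listed above, builds the same XML body, and treats only HTTP 204 as success. The function names are hypothetical, and HTTP basic authentication for the API caller is an assumption.

```python
import base64
import ssl
import urllib.request
from urllib.parse import quote
import xml.etree.ElementTree as ET

# Role names as listed on this page for NSX 6.3.
API_ROLES = ("super_user", "security_user", "auditor")


def build_role_request(manager, cli_user, role, api_user, api_password):
    """Build (without sending) the POST that grants `role` to a CLI user."""
    if role not in API_ROLES:
        raise ValueError(f"unknown role {role!r}; expected one of {API_ROLES}")
    # Same body as shown above: the role is scoped to globalroot-0.
    ace = ET.Element("accessControlEntry")
    ET.SubElement(ace, "role").text = role
    resource = ET.SubElement(ace, "resource")
    ET.SubElement(resource, "resourceId").text = "globalroot-0"
    body = ET.tostring(ace, encoding="UTF-8", xml_declaration=True)
    # Percent-encode the user name so it cannot alter the path or query.
    url = (f"https://{manager}/api/2.0/services/usermgmt/role/"
           f"{quote(cli_user, safe='')}?isCli=true")
    # Assumption: the API caller authenticates with HTTP basic auth.
    token = base64.b64encode(f"{api_user}:{api_password}".encode()).decode()
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/xml",
        "Authorization": f"Basic {token}",
    })


def assign_role(request, ca_file=None):
    """Send the request; success is HTTP 204 with an empty body."""
    # Certificate verification stays on; pass the CA bundle that signed
    # the NSX Manager certificate if it is not in the system trust store.
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(request, context=ctx) as resp:
        if resp.status != 204:
            raise RuntimeError(f"expected 204, got {resp.status}")
    return True
```

Read the API password from a prompt or a secrets store rather than hard-coding it, and pass the narrowest role the consuming tool works with.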
To learn more about NSX CLI user management, please visit NSX Manager Account – NSX CLI account – Part-2 (Modification).