NSX Manager Account – NSX CLI account – Part-2 (Modification)
NSX Manager Account – NSX CLI account – Part-1 (Creation) covered creating the user account. In this section, we will go through how to modify the privilege of an NSX CLI account or delete it.
Modifying the NSX CLI user account privilege –
Modifying an account's privilege is easy from the vCenter GUI: select the user and set the new privilege you prefer. But we cannot do whatever we want with the user account. To assign a new privilege to an NSX CLI user, the user must currently hold the security_user (Security Admin in the GUI) or auditor role, and the new role must also be one of these two. If we try to assign the Enterprise Admin or NSX Admin role, a pop-up warns that only three roles can be assigned to the user: super_user, security_user and auditor. But where is super_user? The GUI has no option to change a user's role to super_user. The super_user role is the System Admin role in the GUI.
In the example above, I was logged in using the administrator@vsphere.local account, which has the Enterprise Admin role, but still could not make an NSX CLI account a System Admin. It is understandable that an NSX user cannot be Enterprise Admin or NSX Admin. These accounts do not have access to vCenter to manage NSX.
Now, what happens to the System Admin account? From the GUI, an Enterprise Admin cannot do anything with this account except give it a full name and email address. An account with the System Admin (super_user) role cannot even be deleted from the GUI. All options are disabled for the role.
So how do we modify the role of an account with the super_user role? Can we do it from the API? Yes! That is the only option here. It is the same as creating a user, but this time it is a PUT method rather than a POST method, with the same body text. Please note, if the command is successful, you will see a Status 200 OK result (it was 204 at account creation time).
The PUT command – https://NSX_Manager_IP_or_URL/api/2.0/services/usermgmt/role/user_name
Body will be –
<?xml version="1.0" encoding="UTF-8"?>
<accessControlEntry>
  <role>auditor</role>
  <resource>
    <resourceId>globalroot-0</resourceId>
  </resource>
</accessControlEntry>
Deleting Account –
Deleting an account is also a two-step process –
1. Delete the account from NSX in vCenter or using the API
2. Delete from NSX Manager CLI
In the example below, the user-5 account was deleted from the GUI. After running the API call to check the user's role (in my example, user-5), the result came back as “User user_name doesn’t exist”. Basically, no role is assigned to the user any more.
Once this is done, the user cannot do anything from an NSX management point of view. But for safety, we still need to delete the account(s) from the NSX Manager CLI. Please don't forget to save the running config to the start-up file.
Since we cannot modify or delete any System Admin (super_user) account from the GUI, the only option for this type of account is to delete it through the API.
The command to delete an account from the API is –
https://NSX_Manager_IP_or_URL/api/2.0/services/usermgmt/role/user_name (please note, this time it is a DELETE method).
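The PUT (role change) and DELETE calls described above, prepared in Python as an added example that is not code from the original post. It assumes HTTP Basic authentication and an application/xml content type; the function names are hypothetical, and role names outside the three the post lists are rejected before any request is built.

```python
import base64
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Roles the post says can be assigned to an NSX CLI user.
CLI_ROLES = {"super_user", "security_user", "auditor"}
ROLE_PATH = "/api/2.0/services/usermgmt/role/"  # endpoint given in the post


def role_body(role):
    """Build the accessControlEntry XML shown in the post for the given role."""
    if role not in CLI_ROLES:
        raise ValueError(f"{role!r} cannot be assigned to an NSX CLI user")
    entry = ET.Element("accessControlEntry")
    ET.SubElement(entry, "role").text = role
    resource = ET.SubElement(entry, "resource")
    ET.SubElement(resource, "resourceId").text = "globalroot-0"
    return ET.tostring(entry, encoding="UTF-8", xml_declaration=True)


def role_request(manager, user, method, role=None, auth=None):
    """Prepare (not send) a GET, PUT or DELETE request for one user's role."""
    if method not in ("GET", "PUT", "DELETE"):
        raise ValueError("method must be GET, PUT or DELETE")
    url = f"https://{manager}{ROLE_PATH}{urllib.parse.quote(user, safe='')}"
    body = role_body(role) if method == "PUT" else None
    req = urllib.request.Request(url, data=body, method=method)
    if body:
        req.add_header("Content-Type", "application/xml")
    if auth:  # (username, password); HTTP Basic auth is an assumption here
        token = base64.b64encode(":".join(auth).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    return req


def send(req, expected=200):
    """Send with TLS certificate verification left on and check the status.

    200 is the status the post reports for a successful PUT; pass another
    value for calls where a different status is expected.
    """
    with urllib.request.urlopen(req, timeout=30) as resp:
        if resp.status != expected:
            raise RuntimeError(f"{req.get_method()} returned {resp.status}")
        return resp.read().decode()
```

Running a GET for the same user after the PUT or DELETE confirms the result, as the post does for user-5.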
To know more about roles and permissions for the NSX user accounts, please visit NSX Manager Account – NSX CLI account – Part-3 (Roles and Permissions). (Coming Soon)