NSX Manager Account – NSX CLI account – Part-3 (Features Roles and Permissions)

The earlier posts discussed NSX CLI account creation (part 1) and account modification (part 2). In this part, we go through the roles and permissions for those accounts.

As discussed in part 1, the only NSX CLI role that is not mapped to a vCenter-based role is super_user, which is the same as the NSX Manager's built-in admin role. The other two roles, Security Admin and Auditor, are mapped and can be managed from the vCenter GUI. The same applies to their roles and permissions.

The default admin account can do anything on NSX Manager, including adding NSX Manager to vCenter; the same goes for super_user. The other roles are limited in some areas. The table below shows the features and each role's permission on them (R = read, W = write).

| Feature | Description | Auditor | Security Admin | NSX Admin | Ent. Admin |
|---|---|---|---|---|---|
| **Administrator** | | | | | |
| Configuration | vCenter and SSO configuration with NSX | R | R | R, W | R, W |
| Update | | No Access | No Access | R, W | R, W |
| System Events | System events | R | R, W | R, W | R, W |
| Audit Logs | Audit logs | R | R | R | R |
| **User Account Management (URM)** | | | | | |
| User Account Management | User management | No Access | No Access | R | R, W |
| Object Access Control | | No Access | No Access | R | R |
| Feature Access Control | | No Access | No Access | R | R |
| **Edge** | | | | | |
| System | General system parameters | R | R | R, W | R, W |
| Appliance | Different form factors of NSX Edge (Compact/Large/X-Large/QuadLarge) | R | R | R, W | R, W |
| High availability | | R | R | R, W | R, W |
| vNic | Interface configuration on NSX Edge | R | R, W | R, W | R, W |
| DNS | | R | R, W | R | R, W |
| SSH | SSH configuration on NSX Edge | R | R, W | R, W | R, W |
| Auto plumbing | | R | R, W | R | R, W |
| Statistics | | R | R | R | R, W |
| NAT | NAT configuration on NSX Edge | R | R, W | R | R, W |
| DHCP | | R | R, W | R | R, W |
| Load balance | | R | R, W | R | R, W |
| VPN | | R | R, W | R | R, W |
| Syslog | Syslog configuration on NSX Edge | R | R, W | R, W | R, W |
| Support | | No Access | R, W | R, W | R, W |
| Routing | All static and dynamic routing (BGP/OSPF) on NSX Edge | R | R, W | R | R, W |
| Firewall | Firewall configuration on NSX Edge | R | R, W | R | R, W |
| Bridging | | R | R, W | R | R, W |
| Certificate | | R | R, W | R | R, W |
| System control | System kernel parameters such as maximum limits, IP forwarding, networking and system settings, for example `sysctl.net.ipv4.conf.vNic_1.rp_filter` and `sysctl.net.netfilter.nf_conntrack_tcp_timeout_established` | R | R, W | R, W | R, W |
| **Distributed Firewall** | | | | | |
| Firewall config | Layer 3 (General) and Layer 2 (Ethernet) firewall rules | R | R, W | No Access | R, W |
| Flows | Flow monitoring of traffic flows in the system; live flows can also be monitored | R | R, W | No Access | R, W |
| IPFix config | IPFix enable/disable and assigning collectors | R | R, W | No Access | R, W |
| ForceSync | ForceSync does a full sync from the Installation > Host Preparation page | R | R | No Access | R, W |
| Install DFW (host preparation) | Install VIBs on clusters | R | R | R, W | R, W |
| Saved Configurations (drafts) | Every publish automatically saves the existing DFW configuration as a draft | R | R, W | No Access | R, W |
| Exclusion List | Add VMs to the exclusion list so they are NOT protected by DFW, or remove them from it | R | R, W | No Access | R, W |
| DFW Tech Support | Collecting the DFW Tech Support bundle from a host (only NSX config shell) | No Access | R, W | No Access | R, W |
| DFW Session Timers | Configure TCP/UDP/other protocol connection timeouts | R | R, W | No Access | R, W |
| IP Discovery (DHCP/ARP Snooping) | IP discovery when VMware Tools are not running on guest VMs | R | R, W | No Access | R, W |
| Application Rule Manager | Flows are collected for a selected set of applications; firewall rules are then created based on the collected flows | R | R, W | No Access | R, W |
| **NameSpace** | | | | | |
| Config | | R | R | R, W | R, W |
| **SpoofGuard** | | | | | |
| Config | SpoofGuard publish in TOFU or Manual mode | R | R, W | No Access | R, W |
| **Endpoint Security (EPSEC)** | | | | | |
| Reports | | R | R | R, W | R, W |
| Registration | Manage solutions [Register, Unregister, Query registered solutions, Activate] | R | No Access | R, W | R, W |
| Health monitoring | Retrieve health status of VM and SVM to the NSX Manager | No Access | R | R | R |
| Policy | Manage security policies [Create, Read, Update, Delete] | R | R, W | R, W | R, W |
| Scan scheduling | | R | No Access | R, W | R, W |
| **Library** | | | | | |
| Host preparation | Host preparation action on cluster | No Access | No Access | R, W | R, W |
| Grouping | IP Set, MAC Set, Security Group, Service, Service Group | R | R, W | R | R, W |
| Tagging | Security tag (for example, attach to or detach from VMs) | R | R, W | R | R, W |
| **Install** | | | | | |
| App | | No Access | R | R, W | R, W |
| EPSEC | | No Access | R | R, W | R, W |
| DLP | | No Access | R | R, W | R, W |
| **VDN** | | | | | |
| Config NSM | Configure Network Security Manager | R | R | R, W | R, W |
| Provision | | R | R | R, W | R, W |
| **ESX Agent Manager (EAM)** | | | | | |
| Install | ESX Agent Manager | No Access | R | R, W | R, W |
| **Service Insertion** | | | | | |
| Service | | R | R, W | R, W | R, W |
| Service profile | | R | R | R, W | R, W |
| **Trust Store** | | | | | |
| trustentity_management | NSX certificate management | R | R, W | R, W | R, W |
| **IP Address Management (IPAM)** | | | | | |
| Configuration | Configuration of IP pools | R | R, W | R, W | R, W |
| IP allocation | IP allocation and release | R | R, W | R, W | R, W |
| **Security Fabric** | | | | | |
| Deploy | Deploy a service or security VM on a cluster using the Service Deployment page | R | R | R, W | R, W |
| Alarms | From the Service Deployment page, manage alarms generated by security VMs | R | R | R, W | R, W |
| Agent health status | Managing the agent health status alarm over a REST call, mainly used by partner VMs | R | R, W | R, W | R, W |
| **Messaging** | | | | | |
| Messaging | Messaging framework used by NSX Edge and Guest Introspection to communicate with NSX Manager | R | R, W | R, W | R, W |
| **Replicator (Multi vCenter setup with secondary NSX Manager)** | | | | | |
| Configuration | Select or deselect the Primary role for NSX Manager, and add or remove a Secondary NSX Manager | R | R | R, W | R, W |
| **Security Policy** | | | | | |
| Configuration | Configure security policy: create, update, edit, or delete | R | R, W | No Access | R, W |
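As an added example (not part of the original post), the Python below encodes a subset of the matrix above, picks the least-privileged vCenter-mapped role that covers a set of required operations, and lists the write grants an account holds beyond that need. The subset and the choice of "number of writable features" as the privilege measure are assumptions of this example; the roles are not strictly nested (Security Admin writes DFW config that NSX Admin cannot touch), so a simple ordering would not work.

```python
# Added example (not from the original post): encode a subset of the
# feature/role matrix and use it to pick the least-privileged NSX role
# for a task and to spot excess write access. super_user and the
# built-in admin are omitted because they have full access everywhere.

NO, R, RW = 0, 1, 2   # ordered so that RW > R > No Access
ROLES = ["Auditor", "Security Admin", "NSX Admin", "Enterprise Admin"]

# Subset of the matrix transcribed from the post (values in ROLES order).
MATRIX = {
    "Administrator/Update":                 (NO, NO, RW, RW),
    "Administrator/Audit Logs":             (R,  R,  R,  R),
    "Edge/Firewall":                        (R,  RW, R,  RW),
    "Distributed Firewall/Firewall config": (R,  RW, NO, RW),
    "Distributed Firewall/Exclusion List":  (R,  RW, NO, RW),
    "Distributed Firewall/Install DFW":     (R,  R,  RW, RW),
    "Library/Host preparation":             (NO, NO, RW, RW),
    "Library/Grouping":                     (R,  RW, R,  RW),
}


def write_count(role):
    """Number of features in MATRIX the role can write. Used as the
    privilege measure because the roles are not strictly nested."""
    i = ROLES.index(role)
    return sum(1 for lv in MATRIX.values() if lv[i] == RW)


def roles_satisfying(required):
    """Roles granting at least the level needed for every
    feature -> level pair in `required`, in ROLES order."""
    return [role for i, role in enumerate(ROLES)
            if all(MATRIX[f][i] >= lvl for f, lvl in required.items())]


def least_privileged_role(required):
    """Satisfying role with the fewest write grants, or None when the
    task needs more than any vCenter-mapped role offers."""
    fits = roles_satisfying(required)
    return min(fits, key=write_count) if fits else None


def excess_writes(role, required):
    """Features the role can write that the task does not need to write:
    the over-privilege a reviewer would question for this account."""
    i = ROLES.index(role)
    return sorted(f for f, lv in MATRIX.items()
                  if lv[i] == RW and required.get(f, NO) < RW)
```

`least_privileged_role` returns None for a task that needs write access to Audit Logs, since no role in the matrix has it.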
