Objective 9.1 – Configure Roles, Permissions, and Scopes

Principles

  1. Understand default roles
  2. Understand Single Sign-On (SSO) integration
  3. Configure SSO
  4. Assign a role to a vCenter Server user or group
  5. Compare and contrast the uses for the various NSX Security Roles
  6. Determine how roles can be applied to a subset of the vCenter infrastructure for multi Tenancy purposes
  7. Understand how to apply NSX Roles to an AD group
  8. Assign objects to a user
  9. Enable/Disable a user account
  10. Edit/Delete a user account

References

  1. NSX Administration Guide

http://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_admin.pdf

Understand default roles

Role                                  | Permissions
Enterprise Administrator              | All NSX product deployment and configuration tasks plus NSX Manager administration tasks (the only role with full NSX Manager appliance/API access)
NSX Administrator                     | All tasks related to deployment and administration of an NSX Manager instance, e.g. deploy Edges and configure VXLANs
Security Administrator                | Configure security compliance policies and review reporting and auditing information, e.g. define distributed firewall rules, configure NAT and load balancer services
Auditor                               | Read only: system settings, auditing, events and reporting information
Security Engineer (from 6.4.2)        | All security tasks, such as configuring policies and firewall rules, plus read access to some networking features; no access to host preparation or user account management
Network Engineer (from 6.4.2)         | All networking tasks, such as routing, DHCP and bridging, plus read access to endpoint security features; no access to other security features
Security & Role Administrator (6.4.5) | Same as Security Engineer plus user management tasks

  • SSO users and groups can be granted access to:
    • the vSphere Web Client NSX plug-in
    • the NSX Manager appliance UI and the NSX API (from 6.4)
  • NSX Manager appliance and API access by role:
    • Enterprise Administrator: full admin
    • all other roles: read only

Understand Single Sign-On (SSO) integration

  • Integrate NSX Manager with SSO by registering it with the SSO lookup service (NSX Manager itself is registered as an SSO user)
  • Supported SSO identity sources: AD, NIS, LDAP
  • Group membership is cached in NSX Manager, so directory group changes can take up to 60 minutes to take effect; revoking access by removing a user from a group is therefore not immediate
  • Pre-requisites:
    • vCenter 6.0+ with SSO configured
    • NSX Manager must use the same SSO configuration as the vCenter Server it is registered with
    • NTP configured on NSX Manager so that its clock is in sync with the SSO server (token validation fails on clock skew)

Configure SSO

  • In the NSX Manager appliance UI, configure the lookup service URL and SSO administrator credentials from:
    • Manage vCenter Registration -> Lookup Service URL -> Edit (lookup service host and port, e.g. https://psc.example.com:443/lookupservice/sdk, plus SSO administrator username and password)

Assign a role to a vCenter Server user or group

  • Roles can be assigned to individual users or to groups
  • A role assigned directly to a user takes precedence over roles inherited from group membership
  • Networking & Security -> System -> Users and Domains: Users (in 6.2: Networking & Security -> NSX Managers -> select the manager -> Manage -> Users)
  • Add the vCenter user or group, then select the role

Compare and contrast the uses for the various NSX Security Roles

See the default roles table above. In short: Auditor for read-only review; Security Administrator or Security Engineer for firewall and security policy work; Network Engineer for routing, DHCP and bridging; NSX Administrator for deployment of NSX Manager, Edges and VXLAN; Enterprise Administrator only for those who also need NSX Manager administration and (with Security & Role Administrator) user management. Assign the narrowest role that covers the task.

Determine how roles can be applied to a subset of the vCenter infrastructure for multi Tenancy purposes

  • Prior to NSX 6.2 this was done with the "Limit scope" option when assigning a role, restricting the role to selected inventory objects
  • No longer available in the UI; scoping a role to a subset of objects is still possible through the API

Understand how to apply NSX Roles to an AD group

When adding a user, select "vCenter Group" instead of "vCenter User" in the Assign Role wizard, enter the group and choose the role. The group must be resolvable by vCenter SSO (i.e. its identity source is configured), and because NSX caches group membership, newly added members may wait up to 60 minutes for access.

Assign objects to a user

Not covered in these notes. Per-object access (the former "Limit scope" feature) is only available through the API; see the multi-tenancy note above.

Enable/Disable a user account

Networking & Security -> System -> Users and Domains: Users

Select the user and click "Enable" (green tick) or "Disable" (red circle) as appropriate. Disabling keeps the role assignment in place, so the account can be re-enabled later without reassigning the role.

Edit/Delete a user account

Networking & Security -> System -> Users and Domains: Users

Click the pencil icon to edit the user's role, or the delete icon to remove the user or group from NSX. Deleting removes the NSX role assignment only; the vCenter SSO account itself is untouched.
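The same operations from the API, covering role assignment, the per-object scoping that the UI no longer exposes (multi-tenancy section above), and enable/disable/delete. This is an added example, not code from the NSX Administration Guide or from VMware. The API paths, the accessControlEntry body, the UI-name-to-role-id mapping and the use of "globalroot-0" as the unscoped resource are assumptions from memory of the NSX 6.2/6.4 API guide and must be checked against the guide for your version; the user names, datacenter ID and sample response are constructed.

```python
"""Added example (not from the NSX Administration Guide): helpers for the
NSX-v user-management REST API.

Assumed endpoints (verify against the NSX API guide for your version):
  POST   /api/2.0/services/usermgmt/role/{userId}?isGroup=true|false   assign role
         body: <accessControlEntry><role>ID</role>
               <resource><resourceId>MOREF</resourceId></resource></accessControlEntry>
  GET    /api/2.0/services/usermgmt/role/{userId}                      read assignment
  DELETE /api/2.0/services/usermgmt/role/{userId}                      remove assignment
  PUT    /api/2.0/services/usermgmt/user/{userId}/enablestate/{1|0}    enable / disable
resourceId "globalroot-0" = whole inventory; a vCenter MoRef such as
datacenter-21 limits the role to that object (the old "Limit scope").
"""
import base64
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# UI role name -> API role id (assumed mapping; the 6.4.5 Security & Role
# Administrator id is left out because it is not known for certain)
ROLE_IDS = {
    "Enterprise Administrator": "super_user",
    "NSX Administrator": "vshield_admin",
    "Security Administrator": "security_admin",
    "Auditor": "auditor",
    "Security Engineer": "security_engineer",
    "Network Engineer": "network_engineer",
}
GLOBAL_ROOT = "globalroot-0"


def _quote(user_id):
    # keep "@" readable; percent-encode anything else, e.g. the "\" in domain\user
    return urllib.parse.quote(user_id, safe="@")


def build_role_assignment(user_id, role_name, resource_id=GLOBAL_ROOT, is_group=False):
    """Return (method, path, body) assigning role_name to a user or group.
    A resource_id other than globalroot-0 scopes the role to that object."""
    entry = ET.Element("accessControlEntry")
    ET.SubElement(entry, "role").text = ROLE_IDS[role_name]
    ET.SubElement(ET.SubElement(entry, "resource"), "resourceId").text = resource_id
    path = f"/api/2.0/services/usermgmt/role/{_quote(user_id)}?isGroup={'true' if is_group else 'false'}"
    return "POST", path, ET.tostring(entry, encoding="utf-8")


def build_role_removal(user_id):
    return "DELETE", f"/api/2.0/services/usermgmt/role/{_quote(user_id)}", b""


def build_enable_state(user_id, enabled):
    state = 1 if enabled else 0
    return "PUT", f"/api/2.0/services/usermgmt/user/{_quote(user_id)}/enablestate/{state}", b""


def parse_role_entry(xml_bytes):
    """Parse an accessControlEntry (GET response) and flag whether the
    assignment is scoped to a subset of the inventory."""
    root = ET.fromstring(xml_bytes)
    role_id = root.findtext("role")
    resource_id = root.findtext("resource/resourceId") or GLOBAL_ROOT
    names = {v: k for k, v in ROLE_IDS.items()}
    return {"role_id": role_id, "role": names.get(role_id, role_id),
            "resource_id": resource_id, "scoped": resource_id != GLOBAL_ROOT}


class NsxManager:
    """Minimal HTTPS client. Needs an Enterprise Administrator credential:
    every other role is read-only against the appliance API."""

    def __init__(self, host, username, password, ca_file=None):
        self.base = f"https://{host}"
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Content-Type": "application/xml", "Accept": "application/xml"}
        # verify the appliance certificate (ca_file or system store); never
        # disable verification on an endpoint that receives admin credentials
        self.ctx = ssl.create_default_context(cafile=ca_file)

    def send(self, method, path, body=b""):
        req = urllib.request.Request(self.base + path, data=body or None,
                                     method=method, headers=self.headers)
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            return resp.status, resp.read()

    def assign_role(self, user_id, role_name, resource_id=GLOBAL_ROOT, is_group=False):
        return self.send(*build_role_assignment(user_id, role_name, resource_id, is_group))

    def get_role(self, user_id):
        _, body = self.send("GET", f"/api/2.0/services/usermgmt/role/{_quote(user_id)}")
        return parse_role_entry(body)


if __name__ == "__main__":
    # offline demo: print the requests and parse a constructed response
    print(*build_role_assignment("secops-tenant-a@corp.local", "Security Administrator",
                                 "datacenter-21", is_group=True))
    print(*build_enable_state("jdoe@corp.local", False))
    print(*build_role_removal(r"corp\jdoe"))
    sample = (b"<accessControlEntry><role>security_admin</role>"
              b"<resource><resourceId>datacenter-21</resourceId></resource></accessControlEntry>")
    print(parse_role_entry(sample))
```

Run the script as-is to see the requests it would send; wire up NsxManager("nsxmgr.example.com", "admin", password, ca_file="nsx-ca.pem") only with a dedicated Enterprise Administrator service account, since the scoped-role GET/POST/DELETE calls are rejected as read-only for any other role. The `scoped` flag from parse_role_entry is a quick audit check: any tenant assignment that comes back unscoped (globalroot-0) has access to the whole inventory.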