Principles
- Understand default roles
- Understand Single Sign-On (SSO) integration
- Configure SSO
- Assign a role to a vCenter Server user or group
- Compare and contrast the uses for the various NSX Security Roles
- Determine how roles can be applied to a subset of the vCenter infrastructure for multi Tenancy purposes
- Understand how to apply NSX Roles to an AD group
- Assign objects to a user
- Enable/Disable a user account
- Edit/Delete a user account
References
- NSX Administration Guide
http://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_admin.pdf
Understand default roles
| Role | Permissions |
| --- | --- |
| Enterprise Administrator | All NSX product deployment and configuration tasks, plus NSX Manager administration tasks |
| NSX Administrator | All tasks related to deployment and administration of the NSX Manager instance, e.g. deploy Edges and configure VXLANs |
| Security Administrator | Configure security compliance policies and review reporting and auditing information, e.g. define distributed firewall rules, configure NAT and load balancer services |
| Auditor | Read only: system settings, auditing, events, and reporting information |
| Security Engineer (from 6.4.2) | All security tasks, such as configuring policies and firewall rules, plus read access to some networking features; no access to host preparation and user account management |
| Network Engineer (from 6.4.2) | All networking tasks, such as routing, DHCP and bridging, plus read access to endpoint security features; no access to other security features |
| Security & Role Administrator (from 6.4.5) | Same as Security Engineer, plus user management tasks |
- SSO users are granted access as follows:
  - vSphere Web Client NSX plug-in
  - NSX Manager appliance, including the API (from 6.4)
- NSX Manager and API access:
  - Enterprise Administrator: full admin
  - Other users: read only
Understand Single Sign-On (SSO) integration
- NSX Manager is integrated by registering it as an SSO user with the SSO lookup service
- Supported SSO sources: AD, NIS, LDAP
- Group membership is cached in NSX; changes can take up to 60 minutes to propagate
- Pre-requisites:
  - vCenter 6.0+ with SSO configured
  - NSX Manager must use the same configuration as vCenter
  - NTP configured
Configure SSO
- Configure the lookup service URL and SSO administrator credentials in the NSX Manager appliance UI:
  - Manage vCenter Registration -> Lookup Service URL
Assign a role to a vCenter Server user or group
- Roles can be assigned to individual users or to groups
- Individual user roles take precedence over roles inherited from group membership
- NSX -> System -> Users and Groups: Users
  - Select the vCenter user or group, then assign the role
Compare and contrast the uses for the various NSX Security Roles
See the default roles table above
Determine how roles can be applied to a subset of the vCenter infrastructure for multi Tenancy purposes
- Prior to NSX 6.2 this could be done with the “limit scope” feature
- No longer available in that form, but the same can be achieved via the API
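Worked example of scoping a role to a vCenter resource via the API, added here and not taken from the notes or from VMware. It assumes the NSX-v user-management endpoint `POST /api/2.0/services/usermgmt/role/{userId}`, the `accessControlEntry` request body and the API-side role identifiers in `ROLE_IDS`; check all three against the NSX API guide for your version, and treat `nsxmgr.example.local`, `datacenter-2` and the group name as constructed sample values.

```python
"""Scope an NSX role to a vCenter resource through the NSX Manager REST API.

Assumptions (verify against the NSX API guide): the usermgmt endpoint path,
the accessControlEntry body shape, and the role identifiers in ROLE_IDS.
"""
import base64
import urllib.request
import xml.etree.ElementTree as ET

# Assumed mapping from the UI role names in the table above to API identifiers.
ROLE_IDS = {
    "Enterprise Administrator": "super_user",
    "NSX Administrator": "vshield_admin",
    "Security Administrator": "security_admin",
    "Auditor": "auditor",
}


def build_access_control_entry(role_name: str, resource_ids) -> bytes:
    """Return the XML body granting ROLE_NAME limited to RESOURCE_IDS.

    resource_ids are vCenter managed-object ids (e.g. a datacenter or cluster).
    Refusing an empty list keeps a tenant grant from silently becoming global.
    """
    if role_name not in ROLE_IDS:
        raise ValueError(f"unknown NSX role: {role_name!r}")
    if not resource_ids:
        raise ValueError("at least one resource id is required to scope a role")
    entry = ET.Element("accessControlEntry")
    ET.SubElement(entry, "role").text = ROLE_IDS[role_name]
    for rid in resource_ids:
        res = ET.SubElement(entry, "resource")
        ET.SubElement(res, "resourceId").text = rid
    return ET.tostring(entry, encoding="utf-8")


def assign_scoped_role(manager, user, role_name, resource_ids, is_group, auth):
    """POST the entry to NSX Manager (network call, not exercised offline)."""
    url = (f"https://{manager}/api/2.0/services/usermgmt/role/{user}"
           f"?isGroup={'true' if is_group else 'false'}")
    body = build_access_control_entry(role_name, resource_ids)
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/xml",
                                          "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:  # HTTPError on 4xx/5xx
        return resp.status


if __name__ == "__main__":
    # Constructed sample: tenant A's AD group gets Security Administrator
    # on a single datacenter only. Set real credentials before calling.
    print(build_access_control_entry("Security Administrator", ["datacenter-2"]).decode())
```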
Understand how to apply NSX Roles to an AD group
When adding a user, select “vCenter Group” (see screenshot above)
Assign objects to a user
??
Enable/Disable a user account
- NSX -> Users and Domains: Users
- Select the user and click “Enable” (green tick) or “Disable” (red circle) as appropriate
Edit/Delete a user account
- NSX -> Users and Domains: Users
- Click the pencil icon to edit