To limit the privileges and scope for the NSX integration with vSphere, update the global permissions to use the custom role in vSphere and restrict access to vCenter Server instances not applicable to the service account scope.

UI Procedure

  1. Log in to vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.
  2. From the vSphere Client Menu, select Administration.
  3. Edit the global permissions for the NSX Manager service accounts created by SDDC Manager.

    1. In the Access control section, click Global permissions.

    2. Select the first VSPHERE.LOCAL\ NSX Manager service account.

    3. Click the Edit button.

    4. In the Change role dialog box, configure the settings and click OK.

      Setting                 Value
      -------                 -----
      Domain                  vsphere.local
      User / group            svc-<nsx-manager-name>-<vcenter-server-name>
      Role                    NSX to vSphere Integration
      Propagate to children   Selected

    5. Repeat this step for each VSPHERE.LOCAL\ NSX Manager service account.

  4. Limit the scope of the global permissions for the NSX Manager service accounts created by SDDC Manager.

    1. From the vSphere Client menu, select Global Inventory Lists.

    2. Navigate to Resources > vCenter Servers.

    3. Select the first vCenter Server instance.

    4. Click the Permissions tab.

    5. Select the VSPHERE.LOCAL\ NSX Manager service account that is not applicable for the vCenter Server instance.

    6. Click the Edit permissions icon.

    7. In the Edit permissions dialog box, configure the settings and click OK.

      Setting                 Value
      -------                 -----
      Domain                  vsphere.local
      User / group            svc-<nsx-manager-name>-<vcenter-server-name>
      Role                    No Access
      Propagate to children   Selected

    8. Repeat this step for each VSPHERE.LOCAL\ NSX Manager service account that is not applicable for the vCenter Server instance.

    9. Repeat this step for each vCenter Server instance.

PowerShell Procedure

  1. Start PowerShell.

  2. Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.

    # SDDC Manager connection details
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "administrator@vsphere.local"
    $sddcManagerPass = "VMw@re1!"

    # Custom vSphere role assigned to the NSX Manager service accounts
    $vsphereRoleName = "NSX to vSphere Integration"

    # Management domain and its NSX Manager service account
    $mgmtSddcDomainName = "sfo-m01"
    $mgmtServiceAccount = "svc-sfo-m01-nsx01-sfo-m01-vc01"

    # VI workload domain and its NSX Manager service account
    $wldSddcDomainName = "sfo-w01"
    $wldServiceAccount = "svc-sfo-w01-nsx01-sfo-w01-vc01"

  3. Perform the configuration by running the commands in the PowerShell console.

    # Assign the custom role as a global permission to each NSX Manager service account
    # (Add-vCenterGlobalPermission and Set-vCenterPermission are provided by the PowerValidatedSolutions module)
    Add-vCenterGlobalPermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -sddcDomain $mgmtSddcDomainName -domain vsphere.local -principal $mgmtServiceAccount -role $vsphereRoleName -propagate true -type user -localdomain

    Add-vCenterGlobalPermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -sddcDomain $mgmtSddcDomainName -domain vsphere.local -principal $wldServiceAccount -role $vsphereRoleName -propagate true -type user -localdomain

    # Restrict each service account to No Access on the vCenter Server instance it does not serve:
    # the workload domain account on the management domain vCenter Server, and vice versa
    Set-vCenterPermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain vsphere.local -workloadDomain $mgmtSddcDomainName -principal $wldServiceAccount -role "NoAccess"

    Set-vCenterPermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain vsphere.local -workloadDomain $wldSddcDomainName -principal $mgmtServiceAccount -role "NoAccess"
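A way to audit the result of either procedure, as an added PowerCLI example that is not part of this VMware documentation: it connects to each vCenter Server instance and checks that every non-applicable service account holds only a propagated No Access permission at the inventory root, while the applicable account holds nothing other than the custom role. The vCenter Server FQDNs are constructed sample values following the naming on this page, and the global permission entries themselves are not enumerated (the check does not assume Get-VIPermission returns them), so the global role assignment is still confirmed under Global permissions in the vSphere Client.

```powershell
# Added audit example (not from the VMware documentation). Requires PowerCLI; vCenter FQDNs
# below are constructed sample values that follow the naming used on this page.
$serviceAccounts = @(
    "VSPHERE.LOCAL\svc-sfo-m01-nsx01-sfo-m01-vc01",
    "VSPHERE.LOCAL\svc-sfo-w01-nsx01-sfo-w01-vc01"
)
# The one service account that may keep the integration role on each vCenter Server instance
$applicable = @{
    "sfo-m01-vc01.sfo.rainpole.io" = "VSPHERE.LOCAL\svc-sfo-m01-nsx01-sfo-m01-vc01"
    "sfo-w01-vc01.sfo.rainpole.io" = "VSPHERE.LOCAL\svc-sfo-w01-nsx01-sfo-w01-vc01"
}

function Test-NsxServiceAccountScope {
    param(
        [hashtable]$Applicable,
        [string[]]$Accounts,
        [pscredential]$Credential,
        [string]$IntegrationRole = "NSX to vSphere Integration"
    )
    $findings = @()
    foreach ($vc in $Applicable.Keys) {
        $conn = Connect-VIServer -Server $vc -Credential $Credential
        $root = Get-Folder -Server $conn -NoRecursion   # inventory root, where the No Access permission is set
        foreach ($acct in $Accounts) {
            $perms = @(Get-VIPermission -Server $conn -Principal $acct -ErrorAction SilentlyContinue)
            if ($acct -eq $Applicable[$vc]) {
                # Applicable account: every permission returned must carry the custom role, never NoAccess.
                # (Global permissions may not be listed by Get-VIPermission; confirm those in the vSphere Client.)
                $bad = @($perms | Where-Object { $_.Role -ne $IntegrationRole })
                $ok = ($bad.Count -eq 0)
                $detail = if ($ok) { "only '$IntegrationRole'" } else { "unexpected role(s): " + (($bad.Role | Sort-Object -Unique) -join ", ") }
            } else {
                # Non-applicable account: one propagated NoAccess on the root folder and no other grants.
                $rootDeny = @($perms | Where-Object { $_.EntityId -eq $root.Id -and $_.Role -eq "NoAccess" -and $_.Propagate })
                $other = @($perms | Where-Object { $_.Role -ne "NoAccess" })
                $ok = ($rootDeny.Count -eq 1 -and $other.Count -eq 0)
                $detail = "NoAccess at root: $($rootDeny.Count); other grants: $($other.Count)"
            }
            $findings += [pscustomobject]@{ vCenter = $vc; Principal = $acct; Compliant = $ok; Detail = $detail }
        }
        Disconnect-VIServer -Server $conn -Confirm:$false
    }
    return $findings
}

$cred = Get-Credential -Message "vCenter Server administrator credentials"
Test-NsxServiceAccountScope -Applicable $applicable -Accounts $serviceAccounts -Credential $cred | Format-Table -AutoSize
```

Any row with Compliant set to False indicates a service account that still has a grant on a vCenter Server instance outside its intended scope, which is the condition the procedure above is meant to remove.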