Reconfigure the vSphere Role and Permissions Scope for NSX Service Accounts for Identity and Access Management for VMware Cloud Foundation

To limit the privileges and scope for the NSX integration with vSphere, update the global permissions to use the custom role in vSphere and restrict access to vCenter Server instances not applicable to the service account scope.

UI Procedure

Log in to vCenter Server at https://<vcenter_server_fqdn>/ui as [email protected].
From the vSphere Client Menu, select Administration.

Edit the global permissions for the NSX Manager service accounts created by SDDC Manager.

In the Access control section, click Global permissions.
Select the first VSPHERE.LOCAL\ NSX Manager service account.
Click the Edit button.

In the Change role dialog box, configure the settings and click OK.


Setting	Value
Domain	vsphere.local
User / group	svc-`<nsx-manager-name>`-`<vcenter-server-name>`
Role	NSX to vSphere Integration
Propagate to children	Selected

Repeat this step for each VSPHERE.LOCAL\ NSX Manager service account.

Limit the scope of the global permissions for the NSX Manager service accounts created by SDDC Manager.

From the vSphere Client menu, select Global Inventory Lists.
Navigate to Resources > vCenter Servers.
Select the first vCenter Server instance.
Click the Permissions tab.
Select the VSPHERE.LOCAL\ NSX Manager service account that is not applicable for the vCenter Server instance.
Click the Edit permissions icon.

In the Edit permissions dialog box, configure the settings and click OK.


Setting	Value
Domain	vsphere.local
User / group	svc-`<nsx-manager-name>`-`<vcenter-server-name>`
Role	No Access
Propagate to children	Selected

Repeat this step for each VSPHERE.LOCAL\ NSX Manager service account that is not applicable for the vCenter Server instance.
Repeat this step for each vCenter Server instance.

PowerShell Procedure

Start PowerShell.

Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "[email protected]"
$sddcManagerPass = "VMw@re1!"

$vsphereRoleName = "NSX to vSphere Integration"

$mgmtSddcDomainName = "sfo-m01"
$mgmtServiceAccount = "svc-sfo-m01-nsx01-sfo-m01-vc01"

$wldSddcDomainName = "sfo-w01"
$wldServiceAccount = "svc-sfo-w01-nsx01-sfo-w01-vc01"

Perform the configuration by running the command in the PowerShell console.

Add-vCenterGlobalPermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -sddcDomain $mgmtSddcDomainName -domain vsphere.local -principal $mgmtServiceAccount -role $vsphereRoleName -propagate true -type user -localdomain

Add-vCenterGlobalPermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -sddcDomain $mgmtSddcDomainName -domain vsphere.local -principal $wldServiceAccount -role $vsphereRoleName -propagate true -type user -localdomain

Set-vCenterPermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain vsphere.local -workloadDomain $mgmtSddcDomainName  -principal $wldServiceAccount -role "NoAccess"

Set-vCenterPermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain vsphere.local -workloadDomain $wldSddcDomainName  -principal $mgmtServiceAccount -role "NoAccess"