To limit the privileges and scope for the NSX integration with vSphere, you create a custom role in vSphere with the required privileges.

UI Procedure

  1. Log in to vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

  2. From the vSphere Client menu, select Administration.

  3. In the Access control section, click Roles.

  4. From the Roles provider drop-down menu, select vsphere.local.

  5. Create a role for NSX in vSphere.

    1. For VMware Cloud Foundation 4.4, click New, and in the New role dialog box, configure the privileges and click Create.

    2. For VMware Cloud Foundation 4.3.1 or earlier, click the Create role action button, configure the privileges, and click Next.

      Privileges for the role:

      All Extension Privileges
      Cancel task
      Configuration.Network configuration
      Local operations.Create virtual machine
      Local operations.Delete virtual machine
      Assign network
      Modify permission
      Modify role
      Reassign role permissions
      Assign vApp to resource pool
      Assign virtual machine to resource pool
      Scheduled task
        All Scheduled task Privileges
      Service account management
      Validate session
      View and stop sessions
      All Tasks Privileges
      VMware vSphere Lifecycle Manager
        Lifecycle Manager: General Privileges.Read
        Lifecycle Manager: General Privileges.Write
        Lifecycle Manager: Image Privileges.Read
        Lifecycle Manager: Image Privileges.Write
        Lifecycle Manager: Image Remediation Privileges.Write
        Lifecycle Manager: Settings Privileges.Read
        Lifecycle Manager: Settings Privileges.Write
      Virtual machine
        Change Configuration
        Edit Inventory
        Guest Operations
      All vApp Privileges


    3. In the Role name text box, enter a name for the NSX to vSphere integration role, and click Finish.

PowerShell Procedure

  1. Start PowerShell.

  2. Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.

    $sddcManagerFqdn = ""
    $sddcManagerUser = "administrator@vsphere.local"
    $sddcManagerPass = "VMw@re1!"
    $sddcDomainName = "sfo-m01"
    $vsphereRoleName = "NSX to vSphere Integration"

  3. Define a custom role in vSphere for the NSX service accounts.

    1. Perform the configuration by running the command in the PowerShell console.

      Add-vSphereRole -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -sddcDomain $sddcDomainName -roleName $vsphereRoleName

    2. In the dialog box that opens, navigate to the vSphereRoles folder and open the nsx-vsphere-integration.role file.

      The default path for the vSphereRoles folder is C:\Program Files\WindowsPowerShell\Modules\PowerValidatedSolutions\<powervalidatedsolutions_version>\vSphereRoles.
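As an added example, not part of the VMware documentation or the PowerValidatedSolutions module, the following PowerCLI script checks the role after it has been created: it compares the role's privilege list against the set you intended, so that any privilege that is missing or that was later added outside the documented set stands out, and it lists the principals the role is assigned to, since a role built for the NSX service account should appear only where you expect it. The vCenter address, credentials and role name are placeholders, and the privilege IDs in $ExpectedPrivilegeIds are an assumed illustrative subset, not the complete set for this role; build the real list from the role definition you applied and confirm each ID with Get-VIPrivilege.

```powershell
# Added example, not from the VMware documentation or the PowerValidatedSolutions module.
# Verifies that the NSX to vSphere integration role carries exactly the intended privileges
# and reports where the role is assigned. Requires VMware PowerCLI.

# Placeholders: replace with values from your environment.
$vcenterFqdn     = "<vcenter_server_fqdn>"
$vcenterUser     = "administrator@vsphere.local"
$vcenterPass     = "<password>"
$vsphereRoleName = "NSX to vSphere Integration"

# Assumed expected set: an illustrative subset of vSphere privilege IDs, NOT the complete
# list for the role. Build the real list from the role definition you applied and confirm
# each ID with: Get-VIPrivilege -Id <id>
$ExpectedPrivilegeIds = @(
    "Global.CancelTask",
    "Host.Config.Network",
    "Network.Assign",
    "Authorization.ModifyPermissions",
    "Authorization.ModifyRoles",
    "Authorization.ReassignRolePermissions",
    "Resource.AssignVMToPool",
    "Sessions.ValidateSession",
    "Sessions.TerminateSession"
)

function Compare-RolePrivileges {
    # Returns the privileges missing from the role, the privileges present beyond the
    # expected set (least-privilege drift), and whether the two lists match exactly.
    param(
        [Parameter(Mandatory)] [string]   $RoleName,
        [Parameter(Mandatory)] [string[]] $Expected
    )
    $role   = Get-VIRole -Name $RoleName -ErrorAction Stop
    $actual = @($role.PrivilegeList)                # privilege IDs granted to the role

    $missing = @($Expected | Where-Object { $_ -notin $actual })
    $extra   = @($actual   | Where-Object { $_ -notin $Expected })

    [pscustomobject]@{
        Role    = $RoleName
        Missing = $missing
        Extra   = $extra
        InSync  = ($missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

function Get-RoleAssignments {
    # Lists every principal that holds the role, the inventory object it is granted on and
    # whether the grant propagates; a role meant for one service account should appear once.
    param([Parameter(Mandatory)] [string] $RoleName)
    Get-VIPermission | Where-Object { $_.Role -eq $RoleName } |
        Select-Object Principal, IsGroup, Propagate,
            @{ Name = 'Entity'; Expression = { $_.Entity.Name } }
}

Connect-VIServer -Server $vcenterFqdn -User $vcenterUser -Password $vcenterPass | Out-Null
try {
    $result = Compare-RolePrivileges -RoleName $vsphereRoleName -Expected $ExpectedPrivilegeIds
    if ($result.InSync) {
        Write-Output "Role '$vsphereRoleName' matches the expected privilege set."
    } else {
        Write-Output "Role '$vsphereRoleName' has drifted from the expected privilege set."
        $result.Missing | ForEach-Object { Write-Output "  missing: $_" }
        $result.Extra   | ForEach-Object { Write-Output "  extra:   $_" }
    }
    Write-Output "Assignments of '$vsphereRoleName':"
    Get-RoleAssignments -RoleName $vsphereRoleName | Format-Table -AutoSize
} finally {
    Disconnect-VIServer -Server $vcenterFqdn -Confirm:$false
}
```

Run the script after the role exists and again whenever the integration is reviewed; an `extra` entry means the role has grown past the documented set, and an assignment on an unexpected object, or with Propagate set where it was not intended, widens the scope the NSX service account operates in.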