To limit the privileges and scope for the NSX integration with vSphere, you create a custom role in vSphere with the required privileges.

UI Procedure

  1. Log in to vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

  2. From the vSphere Client menu, select Administration.

  3. In the Access control section, click Roles.

  4. From the Roles provider drop-down menu, select vsphere.local.

  5. Create a role for NSX in vSphere.

    1. For VMware Cloud Foundation 4.4 and later, click New. In the New role dialog box, configure the privileges listed in the table, and click Create.

    2. For VMware Cloud Foundation 4.3.1 or earlier, click the Create role action button, configure the privileges listed in the table, and click Next.

      Category                            Privilege
      Extension                           All Extension Privileges
      Global                              Cancel task
                                          Licenses
      Host                                Configuration.Maintenance
                                          Configuration.Network configuration
                                          Local operations.Create virtual machine
                                          Local operations.Delete virtual machine
      Network                             Assign network
      Permissions                         Modify permission
                                          Modify role
                                          Reassign role permissions
      Resource                            Assign vApp to resource pool
                                          Assign virtual machine to resource pool
      Scheduled task                      All Scheduled task Privileges
      Service account management          Administer
      Sessions                            Message
                                          Validate session
                                          View and stop sessions
      Tasks                               All Tasks Privileges
      VMware vSphere Lifecycle Manager    Lifecycle Manager: General Privileges.Read
                                          Lifecycle Manager: General Privileges.Write
                                          Lifecycle Manager: Image Privileges.Read
                                          Lifecycle Manager: Image Privileges.Write
                                          Lifecycle Manager: Image Remediation Privileges.Write
                                          Lifecycle Manager: Settings Privileges.Read
                                          Lifecycle Manager: Settings Privileges.Write
      Virtual machine                     Change Configuration
                                          Edit Inventory
                                          Guest Operations
                                          Provisioning
      vApp                                All vApp Privileges

    3. In the Role name text box, enter a name for the NSX to vSphere integration role, and click Finish.

PowerShell Procedure

  1. Start PowerShell.

  2. Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.

    # SDDC Manager connection details; take the values from your Planning and Preparation Workbook.
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "administrator@vsphere.local"
    $sddcManagerPass = "VMw@re1!"

    # Workload domain whose vCenter Server receives the custom role.
    $sddcDomainName = "sfo-m01"

    # Name of the custom role to create in vSphere.
    $vsphereRoleName = "NSX to vSphere Integration"
  3. Define a custom role in vSphere for the NSX service accounts.

    1. Perform the configuration by running the command in the PowerShell console.

      Add-vSphereRole -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -sddcDomain $sddcDomainName -roleName $vsphereRoleName
    2. In the dialog box that opens, navigate to the vSphereRoles folder and open the nsx-vsphere-integration.role file.

      The default path for the vSphereRoles folder is C:\Program Files\WindowsPowerShell\Modules\PowerValidatedSolutions\<powervalidatedsolutions_version>\vSphereRoles.
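As an added check that is not part of VMware's documentation or the PowerValidatedSolutions module, the following PowerCLI script audits an existing role against the privilege table above, so that a role created with broader rights, or one that has drifted since, is caught. It assumes PowerCLI is installed and a Connect-VIServer session to the vCenter Server is open; the privilege IDs are my mapping of the table's display names, and the Service account management and Lifecycle Manager IDs in particular are assumptions to confirm with Get-VIPrivilege on your release.

```powershell
# Added example, not VMware's code. Assumes PowerCLI and an open Connect-VIServer session.
# Privilege IDs below are my mapping of the table's display names; a trailing '*' covers
# every privilege in that group. Entries marked "assumed" must be confirmed, for example:
#   Get-VIPrivilege | Where-Object { $_.Id -like 'VcIntegrity.*' } | Select-Object Id, Name
$RequiredPrivilegePatterns = @(
    'Extension.*'                                                    # All Extension Privileges
    'Global.CancelTask', 'Global.Licenses'                           # Global
    'Host.Config.Maintenance', 'Host.Config.Network'                 # Host > Configuration
    'Host.Local.CreateVM', 'Host.Local.DeleteVM'                     # Host > Local operations
    'Network.Assign'                                                 # Network
    'Authorization.ModifyPermissions', 'Authorization.ModifyRoles'   # Permissions
    'Authorization.ReassignRolePermissions'
    'Resource.AssignVAppToPool', 'Resource.AssignVMToPool'           # Resource
    'ScheduledTask.*'                                                # All Scheduled task Privileges
    'ServiceAccount.Administer'                                      # Service account management (ID assumed)
    'Sessions.GlobalMessage', 'Sessions.ValidateSession'             # Sessions
    'Sessions.TerminateSession'
    'Task.*'                                                         # All Tasks Privileges
    'VcIntegrity.lifecycleGeneral.Read', 'VcIntegrity.lifecycleGeneral.Write'            # vLCM (IDs assumed)
    'VcIntegrity.lifecycleSoftwareSpecification.Read', 'VcIntegrity.lifecycleSoftwareSpecification.Write'
    'VcIntegrity.lifecycleSoftwareRemediation.Write'
    'VcIntegrity.lifecycleSettings.Read', 'VcIntegrity.lifecycleSettings.Write'
    'VirtualMachine.Config.*', 'VirtualMachine.Inventory.*'          # Virtual machine
    'VirtualMachine.GuestOperations.*', 'VirtualMachine.Provisioning.*'
    'VApp.*'                                                         # All vApp Privileges
)

function Test-NsxIntegrationRole {
    param([Parameter(Mandatory)][string]$RoleName)

    $role    = Get-VIRole -Name $RoleName -ErrorAction Stop
    $granted = @(Get-VIPrivilege -Role $role | Select-Object -ExpandProperty Id)

    # Privileges the role holds that no entry in the table permits: candidates for removal.
    $extra = $granted | Where-Object {
        $id = $_
        -not ($RequiredPrivilegePatterns | Where-Object { $id -like $_ })
    }
    # Table entries with no matching privilege on the role: the integration will lack them.
    $missing = $RequiredPrivilegePatterns | Where-Object {
        $pattern = $_
        -not ($granted | Where-Object { $_ -like $pattern })
    }
    [pscustomobject]@{ Role = $RoleName; Extra = @($extra); Missing = @($missing) }
}

$result = Test-NsxIntegrationRole -RoleName 'NSX to vSphere Integration'
$result.Extra   | ForEach-Object { Write-Warning "Role holds privilege not in the table: $_" }
$result.Missing | ForEach-Object { Write-Warning "Role lacks a privilege matching: $_" }
if (-not $result.Extra -and -not $result.Missing) { Write-Host "Role matches the privilege table." }
```

Run it again after each vSphere or VMware Cloud Foundation upgrade, since new privilege groups can be added to existing roles and the assumed IDs may change between releases.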