To provide role-based access for each NSX Management cluster, you configure Active Directory as an identity provider, assign NSX roles to Active Directory security groups, and reconfigure the integration between NSX and vSphere.

Prerequisites

  • Verify all necessary security groups in Active Directory are created and configured for each NSX role you assign access to.

Configure an LDAP Identity Source in NSX Manager for Identity and Access Management for VMware Cloud Foundation

To provide Active Directory authentication services to NSX Manager, you configure an Active Directory over LDAP identity provider so that you can assign access to users and groups.

Attention:

For an environment with NSX Federation, you must use the components' user interfaces to configure an LDAP identity source in the NSX Global Manager instances. The PowerShell module does not support configuring the authentication service for an NSX Global Manager instance.

Procedure

  1. Log in to NSX Manager at https://<nsx_manager_fqdn>/login.jsp?local=true as admin.
  2. On the main navigation bar, click System.
  3. In the left pane, click Settings > User management and click the Authentication providers tab.

  4. Click the LDAP tab and click Add identity source.

  5. In the Add identity source dialog box, configure the following setting, configure the remaining settings according to your VMware Cloud Foundation Planning and Preparation Workbook, and click Save.

    Setting    Value
    Type       Active Directory over LDAP

  6. Under LDAP servers, click Set.

  7. In the Set LDAP server dialog box, click Add LDAP server.

  8. Configure the following settings and configure the remaining settings according to your VMware Cloud Foundation Planning and Preparation Workbook.

    Setting          Value
    LDAP Protocol    LDAPS
    Port             636

  9. In the Certificate text box, paste the contents of the Root CA certificate file and click Add.

  10. Click Apply.

  11. Click Save.

  12. Repeat the procedure for each NSX Local Manager in each workload domain.

  13. Repeat the procedure for the NSX Global Managers of the management domain and each workload domain.
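Before pasting the Root CA certificate in step 9, it is worth confirming that the domain controller really answers with TLS on TCP/636 and that the certificate it presents chains to that Root CA. The following PowerShell check is an added example, not part of the VMware Cloud Foundation documentation or the PowerShell module mentioned above; the server name, port and file path are placeholders you replace, and it uses only .NET classes available in Windows PowerShell 5.1 and PowerShell 7.

```powershell
param(
    [string]$LdapServer = 'dc01.example.local',   # placeholder: your AD domain controller FQDN
    [int]$Port = 636,                              # LDAPS port used in step 8
    [string]$RootCaFile = '.\root-ca.cer'          # the Root CA certificate file you paste in step 9
)
$rootCa = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCaFile)

# Accept the handshake unconditionally and only record what the server presented;
# the verdict is computed below from that recorded chain, not from the local trust store.
$seen = @{ Certs = @(); Errors = $null }
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $seen.Errors = $errors
    $seen.Certs  = @($chain.ChainElements | ForEach-Object {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_.Certificate.RawData) })
    return $true
}
$tcp = New-Object System.Net.Sockets.TcpClient($LdapServer, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($LdapServer)   # LDAPS: TLS from the first byte, no STARTTLS on 389
} finally { $tcp.Close() }

# Rebuild the chain from the presented certificates plus the intended Root CA only,
# so the result does not depend on what this machine's certificate store happens to trust.
$verify = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$verify.ChainPolicy.RevocationMode = 'NoCheck'
$verify.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
foreach ($c in $seen.Certs) { [void]$verify.ChainPolicy.ExtraStore.Add($c) }
[void]$verify.ChainPolicy.ExtraStore.Add($rootCa)
$built  = $verify.Build($seen.Certs[0])
$anchor = $verify.ChainElements[$verify.ChainElements.Count - 1].Certificate

[pscustomobject]@{
    Server          = "${LdapServer}:${Port}"
    LeafSubject     = $seen.Certs[0].Subject
    LeafExpires     = $seen.Certs[0].NotAfter
    NameMatches     = (($seen.Errors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) -eq 0)
    ChainBuilds     = $built
    AnchorsToRootCa = ($anchor.Thumbprint -eq $rootCa.Thumbprint)   # must be True before you paste the file into NSX
}
```

If AnchorsToRootCa is False, the file you are about to paste is not the root of the chain the domain controller actually serves, and NSX will reject the LDAPS connection after you save the identity source.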

Assign NSX Manager Roles to Active Directory Groups for Identity and Access Management for VMware Cloud Foundation

To manage administrative access to NSX after configuring NSX Manager with Active Directory as an identity source, you assign the NSX roles to Active Directory security groups.

You assign access to Active Directory security groups for the following roles in NSX Manager:

  • Enterprise Admin

  • Network Admin

  • Auditor

Attention:

For an environment with NSX Federation, you must use the NSX Global Manager user interface to assign NSX Global Manager roles to Active Directory groups. The PowerShell module does not support configuring the authentication services for an NSX Global Manager instance.

Procedure

  1. Log in to NSX Local Manager for the management domain at https://<management_domain_nsx_local_manager_fqdn>/login.jsp?local=true as admin.
  2. On the main navigation bar, click System.
  3. In the left pane, click Users management.

  4. Click the Users role assignment tab.

  5. From the Add Role for Providers drop-down menu, select LDAP, select the group and the role you want to assign, and click Save.

  6. Repeat Step 5 for each role you want to assign.

  7. Repeat the procedure for all NSX Local Managers in each workload domain.

  8. Repeat the procedure for the NSX Global Manager of the management domain and each workload domain.

Configure Service Account Privileges for NSX for Identity and Access Management for VMware Cloud Foundation

The principle of least privilege is a critical aspect of access management and should be part of a comprehensive defense-in-depth security strategy. Use a custom role in vSphere with the minimal required privileges for NSX to manage a vCenter Server instance that is configured as an NSX compute manager. Apply the custom role and group membership, and limit the scope, for the NSX service accounts created in the vCenter Single Sign-On built-in identity provider.

Define a Custom Role in vSphere for the NSX Service Accounts for Identity and Access Management for VMware Cloud Foundation

To limit the privileges and scope for the NSX integration with vSphere, you create a custom role in vSphere with the required privileges.

Procedure

  1. Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui as [email protected].
  2. From the vSphere Client menu, select Administration.

  3. In the Access control section, click Roles.

  4. From the Roles provider drop-down menu, select vsphere.local.

  5. Create a role for NSX in vSphere.

    1. Click New.

    2. In the Role name text box, enter NSX to vSphere Integration.

    3. Configure the privileges, and click Create.

      Category                          Privilege
      Extension                         All Extension Privileges
      Global                            Cancel task
                                        Licenses
      Host                              Configuration.Maintenance
                                        Configuration.Network configuration
                                        Local operations.Create virtual machine
                                        Local operations.Delete virtual machine
      Network                           Assign network
      Permissions                       Modify permission
                                        Modify role
                                        Reassign role permissions
      Resource                          Assign vApp to resource pool
                                        Assign virtual machine to resource pool
      Scheduled task                    All Scheduled task Privileges
      Service account management        Administer
      Sessions                          Message
                                        Validate session
                                        View and stop sessions
      Tasks                             All Tasks Privileges
      vApp                              All vApp Privileges
      Virtual machine                   All Change Configuration
                                        All Edit Inventory
                                        All Guest Operations
                                        All Provisioning
      VMware vSphere Lifecycle Manager  Lifecycle Manager: General Privileges.Read
                                        Lifecycle Manager: General Privileges.Write
                                        Lifecycle Manager: Image Privileges.Read
                                        Lifecycle Manager: Image Privileges.Write
                                        Lifecycle Manager: Image Remediation Privileges.Write
                                        Lifecycle Manager: Settings Privileges.Read
                                        Lifecycle Manager: Settings Privileges.Write

    4. In the Role name text box, enter a name for the NSX to vSphere integration role, and click Finish.

Add NSX Service Accounts to the vCenter Single Sign-On License Administrators Group for Identity and Access Management for VMware Cloud Foundation

The service accounts that SDDC Manager creates in the vCenter Single Sign-On built-in identity provider for each management and VI workload domain must be members of the LicenseService.Administrators group. You add the NSX service accounts to the group to provide the minimum required privileges and scope.

Procedure

  1. Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui as [email protected].
  2. From the vSphere Client Menu, select Administration.
  3. In the Single Sign On section, click Users and groups.

  4. Click the Groups tab.

  5. Select the LicenseService.Administrators group and click Edit.

  6. In the Edit group dialog box, add the service accounts for NSX Manager.

    1. From the Add members drop-down menu, select vsphere.local.

    2. To search for the service accounts created by SDDC Manager, in the Search text box, enter svc-.

      The format of the service account name is svc-<nsx-manager-name>-<vcenter-server-name>.

    3. Add the service accounts for NSX Manager for each management and VI workload domain to the LicenseService.Administrators group and click Save.

  7. Repeat the procedure for each VI workload domain you add to the SDDC.

Reconfigure the vSphere Role and Permissions Scope for NSX Service Accounts for Identity and Access Management for VMware Cloud Foundation

To limit the privileges and scope for the NSX integration with vSphere, update the global permissions to use the custom role in vSphere and restrict access to vCenter Server instances not applicable to the service account scope.

Procedure

  1. Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui as [email protected].
  2. From the vSphere Client Menu, select Administration.
  3. Edit the global permissions for the NSX Manager service accounts created by SDDC Manager.

    1. In the Access control section, click Global permissions.

    2. Select the first VSPHERE.LOCAL\ NSX Manager service account.

    3. Click the Edit button.

    4. In the Change role dialog box, configure the settings and click OK.

      Setting                 Value
      Domain                  vsphere.local
      User / group            svc-<nsx-manager-name>-<vcenter-server-name>
      Role                    NSX to vSphere Integration
      Propagate to children   Selected

    5. Repeat this step for each VSPHERE.LOCAL\ NSX Manager service account.

  4. Limit the scope of the global permissions for the NSX Manager service accounts created by SDDC Manager.

    1. From the vSphere Client menu, select Global Inventory Lists.

    2. Navigate to Resources > vCenter Servers.

    3. Select the first vCenter Server instance.

    4. Click the Permissions tab.

    5. Select the VSPHERE.LOCAL\ NSX Manager service account that is not applicable for the vCenter Server instance.

    6. Click the Edit permissions icon.

    7. In the Edit permissions dialog box, configure the settings and click OK.

      Setting                 Value
      Domain                  vsphere.local
      User / group            svc-<nsx-manager-name>-<vcenter-server-name>
      Role                    No Access
      Propagate to children   Selected

    8. Repeat this step for each VSPHERE.LOCAL\ NSX Manager service account that is not applicable for the vCenter Server instance.

    9. Repeat this step for each vCenter Server instance.
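To confirm the outcome of the last two procedures (the custom role on the applicable vCenter Server instance, No Access on every other instance, and Propagate to children selected in both cases), the following PowerCLI audit is an added example and not code from the VMware Cloud Foundation documentation or the PowerShell module mentioned earlier. It assumes PowerCLI is installed, that the vCenter Server FQDNs and the role name are placeholders you replace, and that global permissions are visible on each vCenter Server root folder through Get-VIPermission (an assumption); it derives each account's scope from the svc-<nsx-manager-name>-<vcenter-server-name> naming shown above.

```powershell
param(
    # Placeholders: the management and VI workload domain vCenter Server instances to audit.
    [string[]]$VCenters   = @('sfo-m01-vc01.example.local', 'sfo-w01-vc01.example.local'),
    [string]$CustomRole   = 'NSX to vSphere Integration'   # role name from the earlier procedure
)
$findings = foreach ($vc in $VCenters) {
    $conn  = Connect-VIServer -Server $vc            # prompts for credentials
    $short = ($vc -split '\.')[0]                    # the <vcenter-server-name> part of the account name
    $root  = Get-Folder -Server $conn -NoRecursion   # root folder, where global permissions are visible (assumption)
    $perms = Get-VIPermission -Server $conn -Entity $root | Where-Object { $_.Principal -like '*\svc-*' }
    foreach ($p in $perms) {
        $account  = ($p.Principal -split '\\')[-1]
        # An account is in scope only for the vCenter Server named in its own svc-<nsx>-<vc> suffix.
        $inScope  = $account -like "svc-*-$short"
        $expected = if ($inScope) { $CustomRole } else { 'No Access' }
        $issues   = @()
        if ($p.Role -ne $expected) { $issues += "role is '$($p.Role)', expected '$expected'" }
        if (-not $p.Propagate)     { $issues += 'Propagate to children is not selected' }
        [pscustomobject]@{
            VCenter   = $vc
            Account   = $account
            InScope   = $inScope
            Role      = $p.Role
            Propagate = $p.Propagate
            Status    = if ($issues) { $issues -join '; ' } else { 'OK' }
        }
    }
    Disconnect-VIServer -Server $conn -Confirm:$false
}
$findings | Format-Table -AutoSize
```

Any row whose Status is not OK is a service account that still holds more than the procedures intend on that vCenter Server instance, or one whose permission does not propagate and therefore does not cover the inventory NSX needs.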