Assign NSX-T Data Center Roles to Active Directory Groups for Identity and Access Management for VMware Cloud Foundation

To manage administrative access to NSX-T Data Center after you integrate NSX Manager with Workspace ONE Access, you assign the NSX-T Data Center roles to Active Directory groups.

You assign access to Active Directory groups for the following roles in NSX Manager:

Enterprise Admin
Network Admin
Auditor

Attention:

For an environment with NSX Federation, you must use the component's user interface to assign NSX roles for NSX Global Manager in Active Directory. The current version of SDDC Manager includes limited integration with NSX Federation and the PowerShell cmdlets cannot configure an NSX Global Manager instance.

UI Procedure

Log in to NSX Local Manager for the management domain at https://<management_domain_nsx_local_manager_fqdn>/login.jsp?local=true as admin.
On the main navigation bar, click System.
In the left pane, click Users management.
Click the Users Role Assignment tab.
From the Add drop-down menu, select Role assignment for VIDM, select the group and the role you want to assign, and click Save.
Repeat this step fo each role you want to assign.
Repeat this procedure for all NSX Local Managers in each workload domain.
Repeat this procedure for the NSX Global Manager of the management domain and each workload domain.

PowerShell Procedure

Start Windows PowerShell.

Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"

$nsxEnterpriseAdminGroup = "gg-nsx-enterprise-admins@sfo.rainpole.io"
$nsxNetworkEngineerGroup = "gg-nsx-network-admins@sfo.rainpole.io"
$nsxAuditorGroup = "gg-nsx-auditors@sfo.rainpole.io"

Perform the configuration by running the command in the PowerShell console.

Add-NsxtVidmRole -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -type group -principal $nsxEnterpriseAdminGroup -role enterprise_admin

Add-NsxtVidmRole -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -type group -principal $nsxNetworkEngineerGroup -role network_engineer

Add-NsxtVidmRole -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -type group -principal $nsxAuditorGroup -role auditor

Repeat this procedure for each NSX Local Manager in each workload domain.
Repeat this procedure for the NSX Global Managers of the management domain and each workload domain.