Assign NSX Manager Roles to Active Directory Groups for Identity and Access Management for VMware Cloud Foundation

To manage administrative access to NSX after configuring NSX Manager with Active Directory as an idenity source, you assign the NSX roles to Active Directory security groups.

You assign access to Active Directory security groups for the following roles in NSX Manager:

Enterprise Admin
Network Admin
Auditor

Attention:

For an environment with NSX Federation, you must use the component's user interface to assign NSX roles for NSX Global Manager in Active Directory. The PowerShell module does not support configuring the authentication services for an NSX Global Manager instance.

UI Procedure

Log in to NSX Local Manager for the management domain at https://<management_domain_nsx_local_manager_fqdn>/login.jsp?local=true as admin.
On the main navigation bar, click System.
In the left pane, click Users management.
Click the Users role assignment tab.
From the Add Role for Providers drop-down menu, select LDAP, select the group and the role you want to assign, and click Save.
Repeat Step 5 for each role you want to assign.
Repeat the procedure for all NSX Local Managers in each workload domain.
Repeat the procedure for the NSX Global Manager of the management domain and each workload domain.

PowerShell Procedure

Start PowerShell.

Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "[email protected]"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"

$nsxEnterpriseAdminGroup = "[email protected]"
$nsxNetworkAdminsGroup = "[email protected]"
$nsxAuditorGroup = "[email protected]"

Perform the configuration by running the command in the PowerShell console.

Add-NsxtLdapRole -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -type group -principal $nsxEnterpriseAdminGroup -role enterprise_admin

Add-NsxtLdapRole -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -type group -principal $nsxNetworkAdminsGroup -role network_engineer

Add-NsxtLdapRole -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -type group -principal $nsxAuditorGroup -role auditor

Repeat the procedure for each NSX Local Manager in each workload domain.
Repeat the procedure for the NSX Global Managers of the management domain and each workload domain.