Create a vCenter Server service account (user) with a role that has the following permissions. The NSX Advanced Load Balancer Controller uses this account to interact with vCenter Server and provide lifecycle management for the Service Engines.

The NSX-T cloud connector interacts with vCenter Server for Service Engine (SE) lifecycle management, and with NSX-T Manager to synchronize and create networking and security objects. For this, the administrator must configure vCenter Server and NSX-T user credentials that have the permissions NSX Advanced Load Balancer requires to perform these operations.

AviRole - Global

| Category | Privilege | Sub-Privilege |
|---|---|---|
| Content Library | Add library item | |
| | Delete library item | |
| | Update files | |
| | Update library item | |
| Datastore | Allocate space | |
| | Remove file | |
| Folder | Create folder | |
| Network | Assign network | |
| | Remove | |
| Resource | Assign virtual machine to resource pool | |
| Tasks | Create task | |
| | Update task | |
| vApp | Add virtual machine | |
| | Assign resource pool | |
| | Assign vApp | |
| | Create | |
| | Delete | |
| | Export | |
| | Import | |
| | Power off | |
| | Power on | |
| | vApp application configuration | |
| | vApp instance configuration | |
| Virtual machine | Change configuration | Add existing disk |
| | | Add new disk |
| | | Add or remove device |
| | | Advanced configuration |
| | | Change CPU count |
| | | Change Memory |
| | | Change Settings |
| | | Change resource |
| | | Display connection settings |
| | | Extend virtual disk |
| | | Remove disk |
| | Edit inventory | Create new |
| | | Remove inventory |
| | Interaction | Connect devices |
| | | Install VMware Tools |
| | | Power off |
| | | Power on |
| | Provisioning | Allow disk access |
| | | Allow file access |
| | | Allow read-only disk access |
| | | Deploy template |
| | | Mark as virtual machine |

Note: The Propagate to children checkbox must be selected for a vCenter user that is granted global permissions.




Table 1. Design Decisions for vCenter Server Access Control for NSX Advanced Load Balancer Controller

| Decision ID | Design Description | Design Justification | Design Implication |
|---|---|---|---|
| AVI-VI-VC-009 | Create or use a vCenter Server user and role with the described privileges. Note: Do not use the local administrator or root user of vCenter Server for this purpose. | Required for the NSX Advanced Load Balancer Controller to perform lifecycle management of the Service Engines. Note: Update the vCenter user credential on the Controller when the password for this user account is rotated. | None |
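As an added audit check (not part of this design document or of NSX Advanced Load Balancer), the following Python compares a vCenter role and permission entry against the privilege table, the Propagate note and design decision AVI-VI-VC-009 above, reporting missing privileges, excess privileges and misuse of built-in accounts. It assumes the vSphere API privilege IDs listed correspond to the UI labels in the table; confirm them against your vCenter's AuthorizationManager.privilegeList. The principal, Propagate flag and role privileges would normally be read with pyVmomi from AuthorizationManager.retrieveEntityPermissions and roleList; a constructed sample is used here.

```python
# vSphere API privilege IDs behind the UI labels in the table above. Assumption:
# confirm them against your vCenter's AuthorizationManager.privilegeList.
REQUIRED_PRIVILEGES = frozenset({
    "ContentLibrary.AddLibraryItem", "ContentLibrary.DeleteLibraryItem",
    "ContentLibrary.UpdateFiles", "ContentLibrary.UpdateLibraryItem",
    "Datastore.AllocateSpace", "Datastore.DeleteFile", "Folder.Create",
    "Network.Assign", "Network.Delete", "Resource.AssignVMToPool",
    "Task.Create", "Task.Update", "VApp.AssignVM", "VApp.AssignResourcePool",
    "VApp.AssignVApp", "VApp.Create", "VApp.Delete", "VApp.Export", "VApp.Import",
    "VApp.PowerOff", "VApp.PowerOn", "VApp.ApplicationConfig", "VApp.InstanceConfig",
    "VirtualMachine.Config.AddExistingDisk", "VirtualMachine.Config.AddNewDisk",
    "VirtualMachine.Config.AddRemoveDevice", "VirtualMachine.Config.AdvancedConfig",
    "VirtualMachine.Config.CPUCount", "VirtualMachine.Config.Memory",
    "VirtualMachine.Config.Settings", "VirtualMachine.Config.Resource",
    "VirtualMachine.Config.MksControl", "VirtualMachine.Config.DiskExtend",
    "VirtualMachine.Config.RemoveDisk", "VirtualMachine.Inventory.Create",
    "VirtualMachine.Inventory.Delete", "VirtualMachine.Interact.DeviceConnection",
    "VirtualMachine.Interact.ToolsInstall", "VirtualMachine.Interact.PowerOff",
    "VirtualMachine.Interact.PowerOn", "VirtualMachine.Provisioning.DiskRandomAccess",
    "VirtualMachine.Provisioning.FileRandomAccess", "VirtualMachine.Provisioning.DiskRandomRead",
    "VirtualMachine.Provisioning.DeployTemplate", "VirtualMachine.Provisioning.MarkAsVM",
})
# Implicit in every vCenter role, so never reported as excess.
SYSTEM_PRIVILEGES = frozenset({"System.Anonymous", "System.Read", "System.View"})
# Built-in accounts ruled out by design decision AVI-VI-VC-009.
FORBIDDEN_PRINCIPALS = {"administrator", "administrator@vsphere.local", "root"}


def audit_role(role_privileges):
    """Return (missing, excess): missing breaks SE lifecycle, excess over-grants."""
    have = frozenset(role_privileges) - SYSTEM_PRIVILEGES
    return sorted(REQUIRED_PRIVILEGES - have), sorted(have - REQUIRED_PRIVILEGES)


def audit_permission(principal, propagate, role_privileges):
    """Findings for one permission entry (as returned by retrieveEntityPermissions)."""
    findings = []
    if principal.split("\\")[-1].lower() in FORBIDDEN_PRINCIPALS:
        findings.append(f"built-in account used as service account: {principal}")
    if not propagate:
        findings.append("Propagate to children is not set")
    missing, excess = audit_role(role_privileges)
    findings += [f"missing privilege: {p}" for p in missing]
    findings += [f"excess privilege: {p}" for p in excess]
    return findings


if __name__ == "__main__":  # constructed sample: one missing, one excess, Propagate unset
    sample = (REQUIRED_PRIVILEGES | {"Global.Settings"}) - {"VirtualMachine.Provisioning.DeployTemplate"}
    print("\n".join(audit_permission("vsphere.local\\svc-avi", False, sample)))
```

Run it after each credential rotation or role change so that drift from the table (in either direction) is caught before the Controller's next Service Engine operation fails or the account is left over-privileged.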