NSX roles in VMware Cloud on AWS have a specific set of permissions for operations on SDDC network objects.
This table provides a detailed breakdown of the permissions that each
NSX role has for operations on
VMware Cloud on AWS SDDC network objects.
| Operation | NSX Cloud Admin | NSX Cloud Auditor | NSX Network Admin | NSX Network Auditor | NSX Security Admin | NSX Security Auditor |
|---|---|---|---|---|---|---|
| Networking > Connectivity > Tier-1 Gateways | Full Access Access | Read | Full Access | Read | Read | Read |
| Networking > Connectivity > Segments | Full Access | Read | Full Access | Read | Read | Read |
| Networking > Connectivity > Segments > Segment Profiles | Full Access | Read | Full Access | Read | Read | Read |
| Networking > IP Management > DNS | Full Access | Read | Full Access | Read | Read | Read |
| System > Certificates | Full Access | Read | None | None | Full Access | Read |
| Networking > Network Services > NAT | Full Access | Read | Full Access | Read | Full Access | Read |
| Networking > Network Services > VPN | Full Access | Read | Full Access | Read | Full Access * | Read |
| Tools > IPv6 Profiles | Full Access | Read | Full Access | Read | Read | Read |
| Plan & Troubleshoot > Traffic Analysis > Traceflow | Full Access | Read | Full Access | Full Access | Full Access | Full Access |
| Plan & Troubleshoot > Traffic Analysis > Live Traffic Analysis | Full Access | Read | Full Access | Full Access | Full Access | Full Access |
| Plan & Troubleshoot > Port mirroring | Full Access | Read | Full Access | Read | Read | Read |
| Plan & Troubleshoot > IPFIX > Switch IPFIX and Collectors | Full Access | Read | Full Access | Read | Read | Read |
| Security > Distributed Firewall | Full Access | Read | Read | Read | Full Access | Read |
| Security > Gateway Firewall | Full Access | Read | Read | Read | Full Access | Read |
| Security > IDS/IPS | Full Access | Read | Read | Read | Full Access | Read |
| Inventory > Context Profiles | Full Access | Read | Full Access | Read | Full Access | Read |
| Inventory > Virtual Machines | Read | Read | Read | Read | Read | Read |
| Inventory > Services | Full Access | Read | Full Access | Read | Full Access | Read |
| Inventory > Profiles | Full Access | Read | Full Access | Read | Full Access | Read |
| Inventory > Virtual Machines > Create and Assign Tags to VM. | Full Access | Read | Read | Read | Full Access | Read |
| Inventory > Groups | Full Access | Read | Full Access | Read | Full Access | Read |
| Networking > Direct Connect | Full Access | Read | Full Access | Read | Read | Read |
| Networking >Transit Connect | Full Access | Read | Full Access | Read | Read | Read |
| Networking > Connected VPC | Full Access | Read | Full Access | Read | Read | Read |
| Networking > Public IPs> Request Public IP | Full Access | Read | Full Access | Read | Read | Read |
| Networking > Traffic Groups | Full Access | Read | Full Access | Read | Read | Read |
| Networking > Settings > Networking Profiles | Full Access | Read | Full Access | Read | Read | Read |
| Networking > Settings > Global Configuration | Full Access | Read | Full Access | Read | Read | Read |
| Networking > Settings > Global Configuration > Route Aggregation | Full Access | Read | Full Access | Read | Read | Read |
| Networking > Settings > Global Configuration > Route Filtering | Full Access | Read | Full Access | Read | Read | Read |
| Networking > Settings > Global Configuration > Uplinks | Full Access | Read | Full Access | Read | Read | Read |
| System > Identity Firewall AD | Full Access | Read | Full Access | Read | Full Access | Read |
| System > User Management | Full Access | Read | Read | Read | Read | Read |
| System> Certificates | Full Access | Read | None | None | Full Access | Read |
| Integrated Services > Advanced Firewall Add-On Enable/Disable | Full Access | Read | Full Access | Read | Full Access | Read |
Note: The
NSX Security Admin role cannot create an L2VPN. While the role has Full Access to policy-based VPN and L2VPN objects, it has Read-only access to route-based VPN objects. Because an L2VPN requires a route-based VPN, this role is effectively unable to create an L2VPN.
