NSX roles in VMware Cloud on AWS have a specific set of permissions for operations on SDDC network objects.
This table provides a detailed breakdown of the permissions that each NSX role has for operations on VMware Cloud on AWS SDDC network objects.
Operation | NSX Cloud Admin | NSX Cloud Auditor | NSX Network Admin | NSX Network Auditor | NSX Security Admin | NSX Security Auditor |
---|---|---|---|---|---|---|
Networking > Connectivity > Tier-1 Gateways | Full Access | Read | Full Access | Read | Read | Read |
Networking > Connectivity > Segments | Full Access | Read | Full Access | Read | Read | Read |
Networking > Connectivity > Segments > Segment Profiles | Full Access | Read | Full Access | Read | Read | Read |
Networking > IP Management > DNS | Full Access | Read | Full Access | Read | Read | Read |
System > Certificates | Full Access | Read | None | None | Full Access | Read |
Networking > Network Services > NAT | Full Access | Read | Full Access | Read | Full Access | Read |
Networking > Network Services > VPN | Full Access | Read | Full Access | Read | Full Access * | Read |
Tools > IPv6 Profiles | Full Access | Read | Full Access | Read | Read | Read |
Plan & Troubleshoot > Traffic Analysis > Traceflow | Full Access | Read | Full Access | Full Access | Full Access | Full Access |
Plan & Troubleshoot > Traffic Analysis > Live Traffic Analysis | Full Access | Read | Full Access | Full Access | Full Access | Full Access |
Plan & Troubleshoot > Port mirroring | Full Access | Read | Full Access | Read | Read | Read |
Plan & Troubleshoot > IPFIX > Switch IPFIX and Collectors | Full Access | Read | Full Access | Read | Read | Read |
Security > Distributed Firewall | Full Access | Read | Read | Read | Full Access | Read |
Security > Gateway Firewall | Full Access | Read | Read | Read | Full Access | Read |
Security > IDS/IPS | Full Access | Read | Read | Read | Full Access | Read |
Inventory > Context Profiles | Full Access | Read | Full Access | Read | Full Access | Read |
Inventory > Virtual Machines | Read | Read | Read | Read | Read | Read |
Inventory > Services | Full Access | Read | Full Access | Read | Full Access | Read |
Inventory > Profiles | Full Access | Read | Full Access | Read | Full Access | Read |
Inventory > Virtual Machines > Create and Assign Tags to VM | Full Access | Read | Read | Read | Full Access | Read |
Inventory > Groups | Full Access | Read | Full Access | Read | Full Access | Read |
Networking > Direct Connect | Full Access | Read | Full Access | Read | Read | Read |
Networking > Transit Connect | Full Access | Read | Full Access | Read | Read | Read |
Networking > Connected VPC | Full Access | Read | Full Access | Read | Read | Read |
Networking > Public IPs > Request Public IP | Full Access | Read | Full Access | Read | Read | Read |
Networking > Traffic Groups | Full Access | Read | Full Access | Read | Read | Read |
Networking > Settings > Networking Profiles | Full Access | Read | Full Access | Read | Read | Read |
Networking > Settings > Global Configuration | Full Access | Read | Full Access | Read | Read | Read |
Networking > Settings > Global Configuration > Route Aggregation | Full Access | Read | Full Access | Read | Read | Read |
Networking > Settings > Global Configuration > Route Filtering | Full Access | Read | Full Access | Read | Read | Read |
Networking > Settings > Global Configuration > Uplinks | Full Access | Read | Full Access | Read | Read | Read |
System > Identity Firewall AD | Full Access | Read | Full Access | Read | Full Access | Read |
System > User Management | Full Access | Read | Read | Read | Read | Read |
Integrated Services > Advanced Firewall Add-On Enable/Disable | Full Access | Read | Full Access | Read | Full Access | Read |
Note: The NSX Security Admin role cannot create an L2VPN. While the role has Full Access to policy-based VPN and L2VPN objects, it has Read-only access to route-based VPN objects. Because an L2VPN requires a route-based VPN, this role is effectively unable to create an L2VPN.