NSX roles in VMware Cloud on AWS have a specific set of permissions for operations on SDDC network objects.

This table provides a detailed breakdown of the permissions that each NSX role has for operations on VMware Cloud on AWS SDDC network objects.
Table 1. NSX Roles and Permissions in VMware Cloud on AWS

| Operation | NSX Cloud Admin | NSX Cloud Auditor | NSX Network Admin | NSX Network Auditor | NSX Security Admin | NSX Security Auditor |
|---|---|---|---|---|---|---|
| Networking > Connectivity > Tier-1 Gateways | Full Access | Read | Full Access | Read | Read | Read |
| Networking > Connectivity > Segments | Full Access | Read | Full Access | Read | Read | Read |
| Networking > Connectivity > Segments > Segment Profiles | Full Access | Read | Full Access | Read | Read | Read |
| Networking > IP Management > DNS | Full Access | Read | Full Access | Read | Read | Read |
| System > Certificates | Full Access | Read | None | None | Full Access | Read |
| Networking > Network Services > NAT | Full Access | Read | Full Access | Read | Full Access | Read |
| Networking > Network Services > VPN | Full Access | Read | Full Access | Read | Full Access * | Read |
| Tools > IPv6 Profiles | Full Access | Read | Full Access | Read | Read | Read |
| Plan & Troubleshoot > Traffic Analysis > Traceflow | Full Access | Read | Full Access | Full Access | Full Access | Full Access |
| Plan & Troubleshoot > Traffic Analysis > Live Traffic Analysis | Full Access | Read | Full Access | Full Access | Full Access | Full Access |
| Plan & Troubleshoot > Port Mirroring | Full Access | Read | Full Access | Read | Read | Read |
| Plan & Troubleshoot > IPFIX > Switch IPFIX and Collectors | Full Access | Read | Full Access | Read | Read | Read |
| Security > Distributed Firewall | Full Access | Read | Read | Read | Full Access | Read |
| Security > Gateway Firewall | Full Access | Read | Read | Read | Full Access | Read |
| Security > IDS/IPS | Full Access | Read | Read | Read | Full Access | Read |
| Inventory > Context Profiles | Full Access | Read | Full Access | Read | Full Access | Read |
| Inventory > Virtual Machines | Read | Read | Read | Read | Read | Read |
| Inventory > Services | Full Access | Read | Full Access | Read | Full Access | Read |
| Inventory > Profiles | Full Access | Read | Full Access | Read | Full Access | Read |
| Inventory > Virtual Machines > Create and Assign Tags to VM | Full Access | Read | Read | Read | Full Access | Read |
| Inventory > Groups | Full Access | Read | Full Access | Read | Full Access | Read |
| Networking > Direct Connect | Full Access | Read | Full Access | Read | Read | Read |
| Networking > Transit Connect | Full Access | Read | Full Access | Read | Read | Read |
| Networking > Connected VPC | Full Access | Read | Full Access | Read | Read | Read |
| Networking > Public IPs > Request Public IP | Full Access | Read | Full Access | Read | Read | Read |
| Networking > Traffic Groups | Full Access | Read | Full Access | Read | Read | Read |
| Networking > Settings > Networking Profiles | Full Access | Read | Full Access | Read | Read | Read |
| Networking > Settings > Global Configuration | Full Access | Read | Full Access | Read | Read | Read |
| Networking > Settings > Global Configuration > Route Aggregation | Full Access | Read | Full Access | Read | Read | Read |
| Networking > Settings > Global Configuration > Route Filtering | Full Access | Read | Full Access | Read | Read | Read |
| Networking > Settings > Global Configuration > Uplinks | Full Access | Read | Full Access | Read | Read | Read |
| System > Identity Firewall AD | Full Access | Read | Full Access | Read | Full Access | Read |
| System > User Management | Full Access | Read | Read | Read | Read | Read |
| Integrated Services > Advanced Firewall Add-On Enable/Disable | Full Access | Read | Full Access | Read | Full Access | Read |
Note (marked * in the VPN row): The NSX Security Admin role cannot create an L2VPN. Although the role has Full Access to policy-based VPN and L2VPN objects, it has Read-only access to route-based VPN objects. Because an L2VPN requires a route-based VPN underneath it, the role is effectively unable to create one. When assigning roles, check every object a task touches, not just the coarse row for the feature.
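The L2VPN note shows why a row-level "Full Access" entry is not enough to tell whether a role can finish a task: a task can touch several object types, and the effective access is the lowest level the role holds on any of them. The following script, added here as an illustration and not VMware code, encodes a subset of Table 1 (with the VPN row split into policy-based, route-based and L2VPN objects as the note describes), expresses tasks as the objects they touch, reports where a role falls short, and picks the least-privileged role that can do a given set of tasks. Task definitions, the privilege score, and all function names are assumptions made for this example.

```python
"""Least-privilege role selection against the NSX permission matrix.

Added illustration; not VMware code or output. The access levels are
transcribed from Table 1 on this page, and the split of the VPN row into
policy-based, route-based and L2VPN objects follows the page's note on the
NSX Security Admin role. Task definitions and all function names are
assumptions made here for the example.
"""
from enum import IntEnum


class Access(IntEnum):
    NONE = 0
    READ = 1
    FULL = 2


ROLES = (
    "NSX Cloud Admin", "NSX Cloud Auditor", "NSX Network Admin",
    "NSX Network Auditor", "NSX Security Admin", "NSX Security Auditor",
)
F, R, N = Access.FULL, Access.READ, Access.NONE


def _row(*levels):
    """Pair one table row's six cells with the six roles, in table order."""
    return dict(zip(ROLES, levels))


# Subset of Table 1. The VPN row is expanded into the three object types
# the note distinguishes, which is exactly where the coarse row misleads.
MATRIX = {
    "Networking > Connectivity > Segments":               _row(F, R, F, R, R, R),
    "Networking > Network Services > NAT":                _row(F, R, F, R, F, R),
    "Networking > Network Services > VPN (policy-based)": _row(F, R, F, R, F, R),
    "Networking > Network Services > VPN (route-based)":  _row(F, R, F, R, R, R),
    "Networking > Network Services > VPN (L2VPN)":        _row(F, R, F, R, F, R),
    "Security > Distributed Firewall":                    _row(F, R, R, R, F, R),
    "Security > Gateway Firewall":                        _row(F, R, R, R, F, R),
    "System > Certificates":                              _row(F, R, N, N, F, R),
}

# A task is the set of objects it touches and the access each one needs.
# Creating an L2VPN also needs a route-based VPN underneath it (per the note).
TASKS = {
    "Create L2VPN": {
        "Networking > Network Services > VPN (L2VPN)": Access.FULL,
        "Networking > Network Services > VPN (route-based)": Access.FULL,
    },
    "Manage firewall rules": {
        "Security > Distributed Firewall": Access.FULL,
        "Security > Gateway Firewall": Access.FULL,
    },
    "Audit firewall rules": {
        "Security > Distributed Firewall": Access.READ,
        "Security > Gateway Firewall": Access.READ,
    },
}


def shortfalls(role, task):
    """Objects on which `role` holds less access than `task` needs.

    Returns a list of (object, held, needed); an empty list means doable.
    """
    return [
        (obj, MATRIX[obj][role], need)
        for obj, need in TASKS[task].items()
        if MATRIX[obj][role] < need
    ]


def can_perform(role, task):
    return not shortfalls(role, task)


def privilege_score(role):
    """Total access a role holds across the matrix; lower is less privileged."""
    return sum(int(row[role]) for row in MATRIX.values())


def least_privileged_roles(tasks):
    """Roles that can do every task in `tasks`, least privileged first."""
    fitting = [r for r in ROLES if all(can_perform(r, t) for t in tasks)]
    return sorted(fitting, key=lambda r: (privilege_score(r), r))


if __name__ == "__main__":
    for role in ROLES:
        for task in TASKS:
            gaps = shortfalls(role, task)
            verdict = "ok" if not gaps else "blocked by " + ", ".join(
                f"{o} ({h.name} < {n.name})" for o, h, n in gaps)
            print(f"{role:22} {task:22} {verdict}")
    print("Least-privileged role for Create L2VPN:",
          least_privileged_roles(["Create L2VPN"])[0])
```

Run as-is, the report shows NSX Security Admin blocked on "Create L2VPN" by its Read access to the route-based VPN object, while NSX Network Admin is the least-privileged role that can do it; combining "Create L2VPN" with "Manage firewall rules" leaves only NSX Cloud Admin, which is the signal that the work should be split across two identities rather than granted to one.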