Grant users in your organization an NSX service role to allow them to view or configure NSX features in the SDDC.

Unlike organization roles, which specify the privileges that an organization member has over organization assets, service roles specify the privileges that an organization member has when accessing VMware Cloud Services that the organization uses. All service roles can be assigned and changed by an organization owner. When multiple roles are assigned to an organization member, the effective access granted is based on the union of the rights on all assigned roles. For more about service roles available in VMware Cloud on AWS, see Assign a VMware Cloud on AWS Service Role to an Organization Member in VMware Cloud on AWS Getting Started.

The following NSX service roles are defined in SDDCs at version 1.24 and later.
Note: The NSX Cloud Admin and NSX Cloud Auditor roles are not automatically assigned to an organization member. An organization owner can use VMware Cloud Services to assign them, or you can follow the steps in Assign NSX Roles from an LDAP Identity Source to assign them to organization members who have LDAP accounts.
NSX Cloud Admin
This role can perform all tasks related to deployment and administration of the NSX service.
NSX Cloud Auditor
This role can view NSX service settings and events but cannot make any changes to the service.
NSX Security Admin
This role can perform all tasks accessible from the NSX Security tab. This role cannot make role assignments.
NSX Security Auditor
This role can view but not modify settings accessible from the NSX Security tab.
NSX Network Admin
This role can perform all tasks accessible from the NSX Networking tab. This role cannot make role assignments.
NSX Network Auditor
This role can view but not modify settings accessible from the NSX Networking tab.
This table lists some of the tasks typically associated with each NSX service role.
Table 1. NSX Roles and Permitted Tasks

| Task | NSX Cloud Admin | NSX Cloud Auditor | NSX Security Admin | NSX Security Auditor | NSX Network Admin | NSX Network Auditor |
| --- | --- | --- | --- | --- | --- | --- |
| Open NSX Manager | YES | YES | YES | YES | YES | YES |
| Activate NSX Advanced Firewall | YES | No | YES | No | YES | No |
| View SDDC Networking & Security tab | YES | YES | YES | YES | YES | YES |
| Edit NSX Default Access | YES | No | YES | No | YES | No |

For a more detailed view of the rights associated with each NSX role, see NSX Roles and Permissions in VMware Cloud on AWS.

Prerequisites

You must be an Organization Owner to assign a service role to an organization member.

Procedure

  1. Log in to the VMware Cloud Console at https://vmc.vmware.com.
  2. Click the services icon and select Identity & Access Management.
  3. Select a user and click Edit Roles.
  4. Select the VMware Cloud on AWS service name under Assign Service Roles.
  5. Select an NSX service role to assign.
    Note: When multiple service roles are assigned to an organization user, permissions are granted for the most permissive role. For example, an organization member who has both the NSX Cloud Admin and NSX Cloud Auditor roles is granted all the NSX Cloud Admin permissions, which include those granted to the NSX Cloud Auditor role.

  6. Click SAVE to save your changes.

What to do next

Ensure that any users whose roles have been changed log out of VMware Cloud Services and log back in so that the changes take effect.