Each NSX Advanced Load Balancer user account is associated with a role. The role defines the type of access the user has to each area of the NSX Advanced Load Balancer system. Roles provide granular Role-Based Access Control (RBAC) within NSX Advanced Load Balancer. The role, together with the optional tenant, makes up the authorization settings for an NSX Advanced Load Balancer user.

For each NSX Advanced Load Balancer system area, the access a role grants can be one of the following:

  • Write: User has full access to create, read, modify, and delete items. For example, the user may be able to create a virtual service, modify its properties, view its health and metrics, and later delete that virtual service.

  • Read: User may only read the existing configuration of the item. For example, the user may see how a virtual service is configured, but cannot view its current metrics, modify it, or delete it.

  • No Access: User can neither see nor modify this section of Avi Vantage. For example, the user would be prohibited from creating, modifying, deleting, or even viewing (reading) any virtual services at all.

Pre-defined NSX Advanced Load Balancer User Roles

NSX Advanced Load Balancer comes with the following pre-defined roles:

  • Application-Admin: User has write access to the Application and Profiles sections of NSX Advanced Load Balancer, read access to the Infrastructure settings, and no access to the Account or System sections.

  • Application-Operator: User has read access to the Application and Profiles sections of NSX Advanced Load Balancer, and no access to the Infrastructure, Account, and System sections.

  • Security-Admin: User has read/write access only to the Templates > Security section.

  • System-Admin: User has write access to all sections of NSX Advanced Load Balancer.

  • Tenant-Admin: User has write access to all sections of NSX Advanced Load Balancer except the System section, to which the user has no access.

  • WAF-Admin: User has write access to WAF Profiles and Policies, read access to application virtual services (VSs), pools, and pool groups, read access to clouds, and no access to the rest.

Each user must be associated with at least one role. The role can be either predefined or a custom role. If multitenancy is configured, a user can be assigned to more than one tenant, and can have a separate role for each tenant.