You can assign roles to users if LDAP or TACACS+ remote authentication is used.

Roles are assigned to users based on the following:

  • LDAP group: A role is assigned to users in any group or specifically to users who are either members or not members of specific groups.

  • LDAP attributes: For users who match the LDAP group filter, the role is assigned to those who either do or do not have specific attributes and values.

The mappings are configured within NSX Advanced Load Balancer rather than the LDAP or TACACS+ server.

To map LDAP or TACACS+ users to NSX Advanced Load Balancer roles, use the following steps. Multiple mappings can be configured if needed for any combination of user group name and attribute:value pair.


  • NSX Advanced Load Balancer authentication or authorization is set to remote, and an LDAP or TACACS+ Auth profile is applied.

  • Group names are case-sensitive for LDAP mapping.


  1. Navigate to Administration > Settings > Authentication/Authorization.
  2. Click New Mapping.
  3. Select the filter for the LDAP group.
    • Any: Users in any LDAP group match the filter.

    • Member: Users must be members of the specified groups. If entering multiple group names, use commas between the names.

    • Not a Member: Users must not be members of the specified groups.

  4. Select the filter for the LDAP attribute.
    • Any: Users match regardless of attributes or their values.

    • Contains: The user must have the specified attribute, and the attribute must have one of the specified values.

    • Does Not Contain: The user must not have the specified attribute and value(s).

  5. Select the role from the User Role drop-down menu.
    • From Select List: Displays a Roles drop-down menu. Select the role from the menu.

    • All: Assigns all roles.

    • Matching Attribute Value: Assigns the role whose name matches an attribute value from the LDAP server.

    • Matching Group Name: Assigns the role whose name matches a group name on the LDAP server.

  6. If using multitenancy, users also can be mapped to tenants. See Tenant Settings.
  7. ClickSave.


The new mapping appears in theTenant and Role Mapping table.