NSX Advanced Load Balancer provides RBAC for granular control over who can configure, manage, and monitor applications within NSX Advanced Load Balancer.

RBAC can be implemented at the field level. This section covers the use of sub-resources to implement RBAC per field.

Granular RBAC per-Field

Using Granular RBAC per Field, users can be allowed to update an object but restrict the updates to a specific set of fields.

For example, allow users to:

  • Enable or disable GSLB service groups, but restrict updating any other fields in the GSLB object

  • Enable or disable a virtual service, but restrict updating any other virtual service configuration

  • Add, remove, or update the pool servers, but restrict updating any other pool configuration

To implement per-field RBAC, sub-resources for the existing resources are introduced. Each sub-resource is associated with a specific field, feature, or set of fields within the object. When a sub-resource is configured on a resource with write access, an update to the object is allowed only if the fields covered by those sub-resources are the only fields changed. Read access is allowed for the full object, but delete and create are not allowed through that permission. Sub-resources can be combined to allow users to configure multiple fields or features in an object.

To define access for sub-resources, two flags are introduced: "allow edit to only [subresource(s)]" and "allow edit of entire object except for [subresource(s)]".

For example, configure a role with sub-resources as shown below.

[admin:10]: > configure role Pool-Enabled-Role
[admin:10]: role> privileges 
New object being created
[admin:10]: role:privileges> type write_access 
[admin:10]: role:privileges> resource permission_pool
[admin:10]: role:privileges> subresource 
[admin:10]: role:privileges:subresource> subresources subresource_pool_enabled 
[admin:10]: role:privileges:subresource> save
[admin:10]: role:privileges> save
[admin:10]: role> save

The role is configured as shown below.

| Field                    | Value                                     |
|--------------------------|-------------------------------------------|
| uuid                     | role-c5d28445-995c-44b8-9677-610bb20cb2e7 |
| name                     | Pool-Enabled-Role                         |
| privileges[1]            |                                           |
|   type                   | WRITE_ACCESS                              |
|   resource               | PERMISSION_POOL                           |
|   subresource            |                                           |
|     exclude_subresources | False                                     |
|     subresources[1]      | SUBRESOURCE_POOL_ENABLED                  |
| tenant_ref               | admin                                     |

Sub-resources enable the user to execute a specific function within the object.
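The decision rule described above, modelled in Python as an added example (this is not NSX Advanced Load Balancer code): a write privilege scoped to sub-resources permits a PUT only when every changed field is covered by the listed sub-resources, a read of the whole object stays allowed, create and delete are refused, and the exclude flag inverts the permitted field set. SUBRESOURCE_POOL_ENABLED is taken from the role above; the mapping of sub-resources to object fields, the hypothetical SUBRESOURCE_POOL_SERVERS name, the authorize function and the sample pool object are assumptions made for this example.

```python
"""Model of per-field (sub-resource) RBAC decisions.

Added illustrative example, not the product's own authorization code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# ASSUMED mapping from sub-resource to the object fields it covers.
# SUBRESOURCE_POOL_ENABLED is documented; SUBRESOURCE_POOL_SERVERS is a
# hypothetical name standing in for the "pool servers" sub-resource.
SUBRESOURCE_FIELDS: Dict[str, Set[str]] = {
    "SUBRESOURCE_POOL_ENABLED": {"enabled"},
    "SUBRESOURCE_POOL_SERVERS": {"servers"},
}


@dataclass
class Subresource:
    subresources: List[str]
    exclude_subresources: bool = False  # "edit entire object except for ..."


@dataclass
class Privilege:
    type: str                              # READ_ACCESS | WRITE_ACCESS | NO_ACCESS
    resource: str                          # e.g. PERMISSION_POOL
    subresource: Optional[Subresource] = None


def editable_fields(priv: Privilege, all_fields: Set[str]) -> Set[str]:
    """Fields a privilege allows a PUT to change."""
    if priv.subresource is None:
        return set(all_fields)             # unscoped write: whole object
    covered: Set[str] = set()
    for name in priv.subresource.subresources:
        covered |= SUBRESOURCE_FIELDS[name]
    if priv.subresource.exclude_subresources:
        return set(all_fields) - covered   # everything except the sub-resources
    return covered                         # only the sub-resources


def changed_fields(old: dict, new: dict) -> Set[str]:
    """Keys whose value differs between the stored and submitted object."""
    return {k for k in set(old) | set(new) if old.get(k) != new.get(k)}


def authorize(priv: Privilege, resource: str, method: str,
              old: Optional[dict] = None, new: Optional[dict] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request against one privilege."""
    if priv.resource != resource or priv.type == "NO_ACCESS":
        return False, "no access to resource"
    if method == "GET":
        return True, "read is allowed for the full object"
    if priv.type != "WRITE_ACCESS":
        return False, "write access required"
    if method in ("POST", "DELETE"):
        if priv.subresource is not None:
            return False, "sub-resource scoped write does not permit create or delete"
        return True, "full write access"
    if method == "PUT":
        old, new = old or {}, new or {}
        allowed = editable_fields(priv, set(old) | set(new))
        denied = changed_fields(old, new) - allowed
        if denied:
            return False, f"fields outside permitted sub-resources: {sorted(denied)}"
        return True, "only permitted fields changed"
    return False, f"unsupported method {method}"


# The privilege from Pool-Enabled-Role above, and a constructed sample pool.
POOL_ENABLED_PRIV = Privilege("WRITE_ACCESS", "PERMISSION_POOL",
                              Subresource(["SUBRESOURCE_POOL_ENABLED"]))
POOL = {"name": "web-pool", "enabled": True, "servers": ["10.0.0.1"]}


def demo() -> Dict[str, bool]:
    """Exercise the rule with the documented role and its exclude variant."""
    excl = Privilege("WRITE_ACCESS", "PERMISSION_POOL",
                     Subresource(["SUBRESOURCE_POOL_ENABLED"], exclude_subresources=True))
    more_servers = {**POOL, "servers": ["10.0.0.1", "10.0.0.2"]}
    return {
        "toggle_enabled": authorize(POOL_ENABLED_PRIV, "PERMISSION_POOL", "PUT",
                                    POOL, {**POOL, "enabled": False})[0],
        "toggle_and_add_server": authorize(POOL_ENABLED_PRIV, "PERMISSION_POOL", "PUT",
                                           POOL, {**more_servers, "enabled": False})[0],
        "read": authorize(POOL_ENABLED_PRIV, "PERMISSION_POOL", "GET")[0],
        "create": authorize(POOL_ENABLED_PRIV, "PERMISSION_POOL", "POST", new=POOL)[0],
        "delete": authorize(POOL_ENABLED_PRIV, "PERMISSION_POOL", "DELETE", old=POOL)[0],
        "exclude_add_server": authorize(excl, "PERMISSION_POOL", "PUT", POOL, more_servers)[0],
        "exclude_toggle_enabled": authorize(excl, "PERMISSION_POOL", "PUT",
                                            POOL, {**POOL, "enabled": False})[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allow' if allowed else 'deny'}")
```

The check compares the stored object with the submitted one rather than trusting a client-supplied list of "fields I changed"; a PUT that resends the whole object with one extra field modified is therefore caught, which is the case the sub-resource mechanism exists to block.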

All available sub-resources are listed below.

  • Add/update/disable pool servers

  • Add/update/remove pool servers

  • Enable/disable pool servers

  • Enable/disable virtual servers

  • Enable/disable GSLB service objects

  • Update GSLB service groups

  • Enable/disable GSLB service groups

  • Update GSLB service group members

  • Enable/disable GSLB service group members

  • Enable/disable auto-allocate floating IP


Prior to NSX Advanced Load Balancer version 22.1.1, sub-resources could only control the update (PUT) action on a resource's fields. Starting with NSX Advanced Load Balancer version 22.1.1, if access is not allowed for any field, creation of objects is not permitted either.