This section discusses the roles required to be assigned to the vCenter user.

AviRole-Global

This role applies global permissions. It allows the user to upload the SE OVF to the content library, allocate space on the datastore to create a virtual machine, and assign networks to it. Similarly, other vCenter roles can be created with relevant permissions.

AviRole-Global requires the following permissions:

  • Content Library

    • Add library items

    • Delete library items

    • Update files

    • Update library items

  • Datastore

    • Allocate space

    • Remove space

  • Network

    • Assign network

    • Remove network

  • vApp

    • Import

  • Virtual Machine

    • Change configuration

      • Add new disk

Creating AviRole-Global

To create AviRole-Global:

  1. Log in to the vCenter UI as admin.

  2. Navigate to Administration > Roles.

  3. Click the + sign to create a new role.

  4. Click Content Library and select the following permissions:

    1. Add library item

    2. Delete library item

    3. Update files

    4. Update library item

  5. Click Datastore and select the following permissions:

    1. Allocate space

    2. Remove file

  6. Click Network and select the following permissions:

    1. Assign network

    2. Remove

  7. Click Virtual Machine and select Add new disk.

  8. Click vApp and select Import.

  9. Click Next.

  10. Enter the Role name as AviRole-Global and enter a Description, if required.

  11. Click Finish.
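An added example, not part of the original documentation: a least-privilege drift check that compares the privileges granted to a role with the AviRole-Global selections from the steps above, reporting anything missing or in excess. The `Category > Privilege` export format, the function names and the sample data are assumptions constructed for illustration.

```python
# AviRole-Global baseline from the steps on this page (UI display names, not privilege IDs).
AVIROLE_GLOBAL = {
    ("Content Library", "Add library item"), ("Content Library", "Delete library item"),
    ("Content Library", "Update files"), ("Content Library", "Update library item"),
    ("Datastore", "Allocate space"), ("Datastore", "Remove file"),
    ("Network", "Assign network"), ("Network", "Remove"),
    ("Virtual Machine", "Add new disk"), ("vApp", "Import"),
}

def normalize(category, privilege):
    """Fold case and whitespace so 'Virtual machine' matches 'Virtual Machine'."""
    return " ".join(category.lower().split()), " ".join(privilege.lower().split())

def parse_export(text):
    """Parse 'Category > [Group >] Privilege' lines (assumed format) into a set."""
    granted = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(">")]
        if len(parts) < 2 or not all(parts):
            raise ValueError(f"malformed privilege line: {raw!r}")
        granted.add(normalize(parts[0], parts[-1]))  # keep category and leaf name
    return granted

def audit(granted, baseline=AVIROLE_GLOBAL):
    """Return (missing, excess) privileges relative to the documented baseline."""
    expected = {normalize(c, p) for c, p in baseline}
    return sorted(expected - granted), sorted(granted - expected)

# Constructed sample (not real vCenter output): one listed privilege absent, two extra.
SAMPLE_EXPORT = """\
Content Library > Add library item
Content Library > Delete library item
Content Library > Update files
Content Library > Update library item
Datastore > Allocate space
Network > Assign network
Network > Remove
Virtual machine > Change Configuration > Add new disk
Virtual machine > Interaction > Power off
vApp > Import
vApp > Export
"""

if __name__ == "__main__":
    missing, excess = audit(parse_export(SAMPLE_EXPORT))
    print("missing:", missing, "\nexcess:", excess)
```

Any entry reported as excess is a privilege that would apply globally, so it should be removed from the role or justified before the role is assigned.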

AviRole-Folder

This role must be applied to the folder where the admin wants the NSX Advanced Load Balancer service engine VMs to be created. It contains the permissions to create an SE folder, create an SE VM from a template, assign it to a resource pool, and perform operations on the VM such as adding devices, powering it on or off, and connecting its vNICs to networks. This role restricts VM operations to the folder to which the role is applied.

AviRole-Folder requires the following permissions:

  • Folder

    • Create folders

  • Network

    • Assign networks

    • Remove networks

  • Resource

    • Assign virtual machine to resource pool

  • Tasks

    • Create tasks

    • Update tasks

  • vApp

    • Add virtual machine

    • Assign resource pool

    • Assign vApp

    • Create

    • Delete

    • Export

    • Import

    • Power off

    • Power on

    • vApp application configuration

    • vApp instance configuration

  • Virtual machine

    • Change Configuration

      • Add existing disk

      • Add new disk

      • Add or remove device

      • Advanced configuration

      • Change CPU count

      • Change Memory

      • Change Settings

      • Change resource

      • Display connection settings

      • Extend virtual disk

      • Modify device settings

      • Remove disk

    • Edit Inventory

      • Create new

      • Remove

      • Register

      • Unregister

    • Interaction

      • Connect devices

      • Install VMware Tools

      • Power off

      • Power on

      • Reset

    • Provisioning

      • Allow disk access

      • Allow file access

      • Allow read-only disk access

      • Deploy template

      • Mark as virtual machine

Creating AviRole-Folder

To create AviRole-Folder:

  1. Log in to the vCenter UI as admin.

  2. Navigate to Administration > Roles.

  3. Click the + sign to create a new role.

  4. Click Folder and select Create folder.

  5. Click Network and select the following permissions:

    1. Assign network

    2. Remove

  6. Click Resource and select Assign virtual machine to resource pool.

  7. Click Tasks and select the following permissions:

    1. All Tasks Privileges

    2. Create task

    3. Update task

  8. Click Virtual machine and select the following permissions:







  9. Click vApp and select Import.





  10. Click Next.

  11. Enter the Role name as AviRole-Folder and enter a Description, if required.

  12. Click Finish.

Combined AviRole

If the vCenter admin does not want to restrict VM operations to a folder and wants to assign the permissions globally, a single AviRole can be created with the permissions listed below and applied as Global Permissions, instead of creating AviRole-Global and AviRole-Folder.

Combined AviRole requires the following permissions:

  • Content Library

    • Add library item

    • Delete library item

    • Update files

    • Update library item

  • Datastore

    • Allocate space

    • Remove file

  • Folder

    • Create folder

  • Network

    • Assign network

    • Remove network

  • Resource

    • Assign virtual machine to resource pool

  • Tasks

    • Create task

    • Update task

  • vApp

    • Add virtual machine

    • Assign resource pool

    • Assign vApp

    • Create

    • Delete

    • Export

    • Import

    • Power off

    • Power on

    • vApp application configuration

    • vApp instance configuration

  • Virtual machine

    • Change Configuration

      • Add existing disk

      • Add new disk

      • Add or remove device

      • Advanced configuration

      • Change CPU count

      • Change Memory

      • Change Settings

      • Change resource

      • Display connection settings

      • Extend virtual disk

      • Modify device settings

      • Remove disk

    • Edit Inventory

      • Create new

      • Remove

      • Register

      • Unregister

    • Interaction

      • Connect devices

      • Install VMware Tools

      • Power off

      • Power on

      • Reset

    • Provisioning

      • Allow disk access

      • Allow file access

      • Allow read-only disk access

      • Deploy template

      • Mark as virtual machine