To deploy and administer NSX Data Center for vSphere, certain vCenter permissions are required. NSX Data Center for vSphere defines a set of roles, each with read (R) or read and write (R, W) access to individual NSX features; the table below lists, for every feature, the access each role has. When assigning a role to a user or a service account, pick the narrowest role whose write permissions cover what that account actually has to change.

Feature List with Roles and Permissions

Note:
  • Security Engineer and Network Engineer roles are available in NSX 6.4.2 and later.

  • Security & Role Administrator role is available in NSX 6.4.5 and later.

Legend: R = read; R, W = read and write; No Access = the role can neither view nor change the feature; Can Sync = the role can trigger the sync but has no other access to the feature.

Category | Feature | Description | Auditor | Security Admin | Security Engineer | NSX Admin | Network Engineer | Security & Role Admin | Enterprise Admin
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Configuration | vCenter and SSO Configuration with NSX | | R | R | R | R, W | R, W | R | R, W
Configuration | Update | | No Access | No Access | No Access | R, W | R, W | No Access | R, W
System events | System Events | | R | R, W | R, W | R, W | R, W | R, W | R, W
Audit Logs | Audit Logs | | R | R | R | R | R | R | R
Audit Logs | Debug | | No Access | No Access | No Access | No Access | No Access | No Access | No Access
Audit Logs | Housekeeping tasks | | R | R | R | R, W | R, W | R | R, W
Audit Logs | Basic auth disable | | R | R | R | R | R | R | R, W
User Account Management (URM) | User account management | User Management | R in API; No Access in the NSX plug-in | No Access | No Access | R | R | R, W | R, W
User Account Management (URM) | Object access control | | No Access | No Access | No Access | R | R | R | R
User Account Management (URM) | Feature access control | | No Access | No Access | No Access | R | R | R | R
Edge | System | General system parameters | R | R | R | R, W | R, W | R | R, W
Edge | Advanced services | | R | R, W | R, W | R | R | R, W | R, W
Edge | Appliance | Form factors of NSX Edge (Compact/Large/X-Large/Quad-Large) | R | R | R | R, W | R, W | R | R, W
Edge | High availability | | R | R | R | R, W | R, W | R | R, W
Edge | vNic | Interface configuration on NSX Edge | R | R, W | R | R, W | R, W | R | R, W
Edge | DNS | | R | R, W | R | R | R, W | R | R, W
Edge | SSH | SSH configuration on NSX Edge | R | R, W | R | R, W | R, W | R | R, W
Edge | Auto plumbing | | R | R, W | R, W | R | R | R, W | R, W
Edge | Statistics | | R | R | R | R | R | R | R, W
Edge | NAT | NAT configuration on NSX Edge | R | R, W | R | R | R, W | R | R, W
Edge | DHCP | | R | R, W | R | R | R, W | R | R, W
Edge | Load balance | | R | R, W | R | R | R, W | R | R, W
Edge | L3 VPN | L3 VPN | R | R, W | R | R | R, W | R | R, W
Edge | VPN | L2 VPN, SSL VPN | R | R, W | R | R | R, W | R | R, W
Edge | Syslog | Syslog configuration on NSX Edge | R | R, W | R | R, W | R, W | R | R, W
Edge | Support | | No Access | R, W | R, W | R, W | R, W | R, W | R, W
Edge | Routing | All static and dynamic routing (BGP/OSPF) on NSX Edge | R | R, W | R | R | R, W | R | R, W
Edge | Firewall | Firewall configuration on NSX Edge | R | R, W | R, W | R | R | R, W | R, W
Edge | Bridging | | R | R, W | R | R | R, W | R | R, W
Edge | Certificate | | R | R, W | R, W | R | R | R, W | R, W
Edge | System control | System kernel parameters such as maximum limits, IP forwarding, networking and system settings, for example sysctl.net.ipv4.conf.vNic_1.rp_filter and sysctl.net.netfilter.nf_conntrack_tcp_timeout_established | R | R, W | R, W | R, W | R, W | R, W | R, W
Distributed Firewall | Firewall config | Layer 3-7 (General) firewall rules; Layer 2 (Ethernet) firewall rules | R | R, W | R, W | R, W | No Access | R, W | R, W
Distributed Firewall | Flows | Flow monitoring of traffic flows in the system, including Live Flows | R | R, W | R, W | No Access | R, W | R, W | R, W
Distributed Firewall | IPFix config | Enable or disable IPFix and assign collectors | R | R, W | R, W | No Access | R, W | R, W | R, W
Distributed Firewall | ForceSync | Full sync from the Installation and Upgrade > Host Preparation page | R | R | R, W | R, W | No Access | R, W | R, W
Distributed Firewall | Install DFW (host preparation) | Install VIBs on clusters | R | R | R | R, W | R, W | R | R, W
Distributed Firewall | Saved configurations (drafts) | Every publish automatically saves the existing DFW configuration as a draft | R | R, W | R, W | No Access | No Access | R, W | R, W
Distributed Firewall | Exclusion list | Add VMs to the exclusion list so that DFW does not protect them, or remove them from it | R | R, W | R, W | No Access | No Access | R, W | R, W
Distributed Firewall | DFW tech support | Collect the DFW tech support bundle from a host (NSX config shell only) | No Access | R, W | R, W | R, W | No Access | R, W | R, W
Distributed Firewall | DFW session timers | Configure TCP/UDP/other protocol connection timeouts | R | R, W | R, W | No Access | No Access | R, W | R, W
Distributed Firewall | IP Discovery (DHCP/ARP Snooping) | IP discovery when VMware Tools is not running on guest VMs | R | R, W | R, W | R | No Access | R, W | R, W
Distributed Firewall | Application Rule Manager | Flows are collected for a selected set of applications; firewall rules are then created from the collected flows | R | R, W | R, W | No Access | No Access | R, W | R, W
Distributed Firewall | app.syslog | | R | R | No Access | R, W | No Access | No Access | R, W
Distributed Firewall | Packet capture | | R | R, W | R, W | R, W | R, W | R, W | R, W
NameSpace | Config | | R | R | R | R, W | R, W | R | R, W
SpoofGuard | Config | SpoofGuard publish in TOFU or Manual mode | R | R, W | R, W | No Access | No Access | R, W | R, W
Endpoint Security (EPSEC) | Reports | | R | R | R | R, W | R | R | R, W
Endpoint Security (EPSEC) | Registration | Manage solutions (register, unregister, query registered solutions, activate) | R | No Access | No Access | R, W | R, W | No Access | R, W
Endpoint Security (EPSEC) | Health monitoring | Retrieve the health status of VMs and SVMs to the NSX Manager | No Access | R | R | R | R | R | R
Endpoint Security (EPSEC) | Policy | Manage security policies (create, read, update, delete) | R | R, W | R, W | R, W | R | R, W | R, W
Endpoint Security (EPSEC) | Scan scheduling | | R | No Access | R, W | R, W | R | R, W | R, W
Library | Host preparation | Host preparation action on a cluster | No Access | No Access | No Access | R, W | R, W | No Access | R, W
Library | Grouping | IP Set, MAC Set, Security Group, Service, Service Group | R | R, W | R, W | R | R | R, W | R, W
Library | Tagging | Security tag (for example, attach to or detach from VMs) | R | R, W | R, W | R | R | R, W | R, W
Install | App | | No Access | R | R | R, W | R, W | R | R, W
Install | EPSEC | | No Access | R | R | R, W | R, W | R | R, W
Install | DLP | | No Access | R | R | R, W | R, W | R | R, W
VDN | Config NSM | Configure Network Security Manager | R | R | R | R, W | R, W | R | R, W
VDN | Provision | | R | R | R | R, W | R, W | R | R, W
ESX Agent Manager (EAM) | Install | ESX Agent Manager | No Access | R | R | R, W | R, W | R | R, W
Service Insertion | Service | | R | R, W | R, W | R, W | R | R, W | R, W
Service Insertion | Service profile | | R | R | R, W | R, W | R | R, W | R, W
Trust Store | trustentity_management | NSX certificate management | R | R, W | R, W | R, W | R, W | R, W | R, W
IP Address Management (IPAM) | Configuration | Configuration of IP pools | R | R, W | R | R, W | R, W | R | R, W
IP Address Management (IPAM) | IP allocation | IP allocation and release | R | R, W | R | R, W | R, W | R | R, W
Security Fabric | Deploy | Deploy a service or security VM on a cluster from the Service Deployment page | R | R | R | R, W | R | R | R, W
Security Fabric | Alarms | From the Service Deployment page, manage alarms generated by the security VM | R | R, W | R | R, W | R, W | R | R, W
Security Fabric | Agent health status | Manage the agent health status alarm over a REST call; mainly used by partner VMs | R | R, W | R, W | R, W | R, W | R, W | R, W
Messaging | Messaging | Messaging framework used by NSX Edge and Guest Introspection to communicate with NSX Manager | R | R, W | R, W | R, W | R, W | R, W | R, W
Replicator (multi-vCenter setup with secondary NSX Manager) | Configuration | Select or deselect the Primary role for an NSX Manager, and add or remove a Secondary NSX Manager | R | R | R | R, W | R, W | R | R, W
blueprint_sam.featurelist | blueprint_sam.ad_config | Active Directory domain configuration | R | R | R | R, W | R, W | R | R, W
Security Policy | Configuration | Create, update, edit or delete a security policy | R | R, W | R, W | No Access | No Access | R, W | R, W
Security Policy | Security group binding | Associate a security group with a security policy | R | R, W | R, W | No Access | No Access | R, W | R, W
Security Policy | Apply policy | | R | R, W | R, W | No Access | No Access | R, W | R, W
Security Policy | Policy sync | Sync security policy with DFW | R | Can Sync | Can Sync | No Access | No Access | Can Sync | R, W
NSX Appliance Management (NSX 6.4 and later) | NSX Appliance Management | NSX Appliance Management | R | R | R | R | R | R | R, W
IP Repository/IP Discovery | Configuration | | R | R, W | R, W | R | No Access | R, W | R, W
Dashboard | Widget configuration | | R | R, W | R | R, W | R | R | R, W
Dashboard | System configuration | | R | R, W | R | R, W | R | R | R, W
Upgrade Coordinator | Upgrade | | No Access | No Access | R | R, W | R | R | R, W
Upgrade Coordinator | Upgrade Plan | | R | R | R | R, W | R | R | R, W
Tech Support Bundle | Config | Endpoint | R, W | R, W | R, W | R, W | R, W | R, W | R, W
Token Based Authentication | Invalidation | | No Access | No Access | No Access | No Access | No Access | No Access | R, W
Ops | Config | | R | R | R | R, W | R | R | R, W