To deploy and administer NSX Data Center for vSphere, certain vCenter permissions are required. NSX Data Center for vSphere provides extensive read and read/write permissions for various users and roles.

Feature List with Roles and Permissions

Note:
  • Security Engineer and Network Engineer roles are available in NSX 6.4.2 and later.
  • Security & Role Administrator role is available in NSX 6.4.5 and later.
In the table, R means read access, W means write access, and R, W means read and write access.

| Feature | Sub-feature | Description | Auditor | Security Admin | Security Engineer | NSX Admin | Network Engineer | Security & Role Admin | Enterprise Administrator |
|---|---|---|---|---|---|---|---|---|---|
| Configuration | vCenter and SSO | Configuration with NSX | R | R | R | R, W | R, W | R | R, W |
| Configuration | Update | | No Access | No Access | No Access | R, W | R, W | No Access | R, W |
| System events | | System events | R | R, W | R, W | R, W | R, W | R, W | R, W |
| Audit Logs | | Audit logs | R | R | R | R | R | R | R |
| Debug | | | No Access | No Access | No Access | No Access | No Access | No Access | No Access |
| Housekeeping tasks | | | R | R | R | R, W | R, W | R | R, W |
| Basic auth disable | | | R | R | R | R | R | R | R, W |
| User Account Management (URM) | User account management | User management | R in API; No Access in NSX plug-in | No Access | No Access | R | R | R, W | R, W |
| User Account Management (URM) | Object access control | | No Access | No Access | No Access | R | R | R | R |
| User Account Management (URM) | Feature access control | | No Access | No Access | No Access | R | R | R | R |
| Edge | System | System refers to general system parameters | R | R | R | R, W | R, W | R | R, W |
| Edge | Advanced services | | R | R, W | R, W | R | R | R, W | R, W |
| Edge | Appliance | Different form factors of NSX Edge (Compact/Large/X-Large/QuadLarge) | R | R | R | R, W | R, W | R | R, W |
| Edge | High availability | | R | R | R | R, W | R, W | R | R, W |
| Edge | vNic | Interface configuration on NSX Edge | R | R, W | R | R, W | R, W | R | R, W |
| Edge | DNS | | R | R, W | R | R | R, W | R | R, W |
| Edge | SSH | SSH configuration on NSX Edge | R | R, W | R | R, W | R, W | R | R, W |
| Edge | Auto plumbing | | R | R, W | R, W | R | R | R, W | R, W |
| Edge | Statistics | | R | R | R | R | R | R | R, W |
| Edge | NAT | NAT configuration on NSX Edge | R | R, W | R | R | R, W | R | R, W |
| Edge | DHCP | | R | R, W | R | R | R, W | R | R, W |
| Edge | Load balance | | R | R, W | R | R | R, W | R | R, W |
| Edge | L3 VPN | L3 VPN | R | R, W | R | R | R, W | R | R, W |
| Edge | VPN | L2 VPN, SSL VPN | R | R, W | R | R | R, W | R | R, W |
| Edge | Syslog | Syslog configuration on NSX Edge | R | R, W | R | R, W | R, W | R | R, W |
| Edge | Support Bundle | | R (download access) | R, W | R, W | R, W | R, W | R, W | R, W |
| Edge | Routing | All static and dynamic routing (BGP/OSPF) on NSX Edge | R | R, W | R | R | R, W | R | R, W |
| Edge | Firewall | Firewall configuration on NSX Edge | R | R, W | R, W | R | R | R, W | R, W |
| Edge | Bridging | | R | R, W | R | R | R, W | R | R, W |
| Edge | Certificate | | R | R, W | R, W | R | R | R, W | R, W |
| Edge | System control | System kernel parameters such as maximum limits, IP forwarding, networking, and system settings; for example, sysctl.net.ipv4.conf.vNic_1.rp_filter and sysctl.net.netfilter.nf_conntrack_tcp_timeout_established | R | R, W | R, W | R, W | R, W | R, W | R, W |
| Distributed Firewall | Firewall config | Layer 3 to 7 (General) firewall rules; Layer 2 (Ethernet) firewall rules | R | R, W | R, W | R, W | No Access | R, W | R, W |
| Distributed Firewall | Flows | Flow monitoring monitors traffic flows in the system; live flows can also be monitored | R | R, W | R, W | No Access | R, W | R, W | R, W |
| Distributed Firewall | IPFix config | IPFix enable/disable and assigning collectors | R | R, W | R, W | No Access | R, W | R, W | R, W |
| Distributed Firewall | ForceSync | ForceSync does a full sync from the Installation and Upgrade > Host Preparation page | R | R | R, W | R, W | No Access | R, W | R, W |
| Distributed Firewall | Install DFW (host preparation) | Install VIBs on clusters | R | R | R | R, W | R, W | R | R, W |
| Distributed Firewall | Saved configurations (drafts) | Every publish automatically saves the existing DFW configuration as a draft | R | R, W | R, W | No Access | No Access | R, W | R, W |
| Distributed Firewall | Exclusion list | Add VMs to the exclusion list so that they are not protected by DFW, or remove them from it | R | R, W | R, W | No Access | No Access | R, W | R, W |
| Distributed Firewall | DFW tech support | Collecting the DFW tech support bundle from a host (NSX config shell only) | No Access | R, W | R, W | R, W | No Access | R, W | R, W |
| Distributed Firewall | DFW session timers | Configure TCP/UDP/other protocol connection timeouts | R | R, W | R, W | No Access | No Access | R, W | R, W |
| Distributed Firewall | IP Discovery (DHCP/ARP Snooping) | IP discovery when VMware Tools is not running on guest VMs | R | R, W | R, W | R | No Access | R, W | R, W |
| Distributed Firewall | Application Rule Manager | Flows are collected for a selected set of applications; firewall rules are then created based on the collected flows | R | R, W | R, W | No Access | No Access | R, W | R, W |
| Distributed Firewall | app.syslog | | R | R | No Access | R, W | No Access | No Access | R, W |
| Distributed Firewall | Packet capture | | R | R, W | R, W | R, W | R, W | R, W | R, W |
| NameSpace | Config | | R | R | R | R, W | R, W | R | R, W |
| SpoofGuard | Config | SpoofGuard publish in TOFU or Manual mode | R | R, W | R, W | No Access | No Access | R, W | R, W |
| Endpoint Security (EPSEC) | Reports | | R | R | R | R, W | R | R | R, W |
| Endpoint Security (EPSEC) | Registration | Manage solutions [Register, Unregister, Query registered solutions, Activate] | R | No Access | No Access | R, W | R, W | No Access | R, W |
| Endpoint Security (EPSEC) | Health monitoring | Retrieve health status of VM and SVM to the NSX Manager | No Access | R | R | R | R | R | R |
| Endpoint Security (EPSEC) | Policy | Manage security policies [Create, Read, Update, Delete] | R | R, W | R, W | R, W | R | R, W | R, W |
| Endpoint Security (EPSEC) | Scan scheduling | | R | No Access | R, W | R, W | R | R, W | R, W |
| Library | Host preparation | Host preparation action on cluster | No Access | No Access | No Access | R, W | R, W | No Access | R, W |
| Library | Grouping | IP Set, MAC Set, Security Group, Service, Service Group | R | R, W | R, W | R | R | R, W | R, W |
| Library | Tagging | Security tag (for example, attach or detach VMs) | R | R, W | R, W | R | R | R, W | R, W |
| Install | App | | No Access | R | R | R, W | R, W | R | R, W |
| Install | EPSEC | | No Access | R | R | R, W | R, W | R | R, W |
| Install | DLP | | No Access | R | R | R, W | R, W | R | R, W |
| VDN | Config NSM | Configure Network Security Manager | R | R | R | R, W | R, W | R | R, W |
| VDN | Provision | | R | R | R | R, W | R, W | R | R, W |
| ESX Agent Manager (EAM) | Install | ESX Agent Manager | No Access | R | R | R, W | R, W | R | R, W |
| Service Insertion | Service | | R | R, W | R, W | R, W | R | R, W | R, W |
| Service Insertion | Service profile | | R | R | R, W | R, W | R | R, W | R, W |
| Trust Store | trustentity_management | NSX certificate management | R | R, W | R, W | R, W | R, W | R, W | R, W |
| IP Address Management (IPAM) | Configuration | Configuration of IP pool | R | R, W | R | R, W | R, W | R | R, W |
| IP Address Management (IPAM) | IP allocation | IP allocation and release | R | R, W | R | R, W | R, W | R | R, W |
| Security Fabric | Deploy | Deploy service or security VM on a cluster using the Service Deployment page | R | R | R | R, W | R | R | R, W |
| Security Fabric | Alarms | From the Service Deployment page, manage alarms generated by the security VM | R | R, W | R | R, W | R, W | R | R, W |
| Security Fabric | Agent health status | Managing the agent health status alarm over a REST call; mainly used by partner VMs | R | R, W | R, W | R, W | R, W | R, W | R, W |
| Messaging | Messaging | Messaging framework used by NSX Edge and Guest Introspection to communicate with NSX Manager | R | R, W | R, W | R, W | R, W | R, W | R, W |
| Replicator (multi-vCenter setup with secondary NSX Manager) | Configuration | Select or deselect the Primary role for NSX Manager, and add or remove a Secondary NSX Manager | R | R | R | R, W | R, W | R | R, W |
| blueprint_sam.featurelist | blueprint_sam.ad_config | Used for Active Directory domain configuration | R | R | R | R, W | R, W | R | R, W |
| Security Policy | Configuration | Configure security policy (create, update, edit, or delete) | R | R, W | R, W | No Access | No Access | R, W | R, W |
| Security Policy | Security group binding | Associate a security group with a security policy | R | R, W | R, W | No Access | No Access | R, W | R, W |
| Security Policy | Apply policy | | R | R, W | R, W | No Access | No Access | R, W | R, W |
| Security Policy | Policy sync | Sync security policy with DFW | R | Can Sync | Can Sync | No Access | No Access | Can Sync | R, W |
| NSX Appliance Management (in NSX 6.4 and later) | NSX Appliance Management | NSX Appliance Management | R | R | R | R | R | R | R, W |
| IP Repository/IP Discovery | Configuration | | R | R, W | R, W | R | No Access | R, W | R, W |
| Dashboard | Widget configuration | | R | R, W | R | R, W | R | R | R, W |
| Dashboard | System configuration | | R | R, W | R | R, W | R | R | R, W |
| Upgrade Coordinator | Upgrade | | No Access | No Access | R | R, W | R | R | R, W |
| Upgrade Coordinator | Upgrade Plan | | R | R | R | R, W | R | R | R, W |
| Tech Support Bundle | Config Endpoint | | R, W | R, W | R, W | R, W | R, W | R, W | R, W |
| Token Based Authentication | Invalidation | | No Access | No Access | No Access | No Access | No Access | No Access | R, W |
| Ops | Config | | R | R | R | R, W | R | R | R, W |