Group-Based Role Assignments

Organizations create user groups for proper user management. After integration with SSO, NSX Manager can get the details of groups to which a user belongs. Instead of assigning roles to individual users who can belong to the same group, NSX Manager assigns roles to groups. The following scenarios illustrate how NSX Manager assigns roles.

Role-Based Access Control Scenario

This scenario provides an IT network engineer (Sally Moore) access to NSX components in the following environment:

AD domain: corp.local
vCenter group: [email protected]
User name: [email protected]

Prerequisites: vCenter Server must be registered with NSX Manager, and SSO must be configured. Note that SSO is required only for Groups.

Assign a role to Sally.
1. Log in to the vSphere Web Client.
2. Navigate to Networking & Security > System > Users and Domains.
3. Ensure that you are in the Users tab.
4. Click the Add icon.
  The Assign Role window opens.
5. Click Specify a vCenter group and type [email protected] in Group.
6. Click Next.
7. In Select Roles, click NSX Administrator, and then click Next.
Grant Sally permission to the data center.
1. Click the Home icon and then click Networking.
2. Select a data center and click Actions > Add Permission.
3. Click Add and select the corp.local domain.
4. In Users and Groups, select Show Groups First.
5. Select NetEng and click OK.
6. In Assigned Role, select Read-only, deselect Propagate to children, and click OK.
Log out of the vSphere Web Client and log in again as [email protected].
Sally can perform NSX operations only. For example, install virtual appliances, create logical switches, and other operations tasks.

Inherit Permissions Through a User-Group Membership Scenario

In this scenario, John belongs to group G1, which is assigned the auditor role. John inherits the group role and resource permissions.

Group option	Example Value
Name	G1
Role assigned	Auditor (Read only)
Resources	Global root

User option	Example Value
Name	John
Belongs to group	G1
Role assigned	None

User Member of Multiple Groups Scenario

In this scenario, Joseph belongs to groups G1 and G2 and inherits a combination of the rights and permissions of the auditor and security administrator roles. For example, Joseph has the following permissions:

Read, write (security administrator role) for Datacenter1
Read only (auditor role) for global root

Group option	Example Value
Name	G1
Role assigned	Auditor (Read only)
Resources	Global root

Group option	Example Value
Name	G2
Role assigned	Security Administrator (Read and Write)
Resources	Datacenter1

User option	Example Value
Name	Joseph
Belongs to group	G1, G2
Role assigned	None

User Member of Multiple Roles Scenario

In this scenario, Bob is assigned the security administrator role, so he does not inherit the group role permissions. Bob has the following permissions:

Read, write (security administrator role) for Datacenter1 and its child resources
Enterprise administrator role on Datacenter1

Group option	Example Value
Name	G1
Role assigned	Enterprise Administrator
Resources	Global root

User option	Example Value
Name	Bob
Belongs to group	G1
Role assigned	Security Administrator (Read and Write)
Resources	Datacenter1