Organizations create user groups for proper user management. After integration with SSO, NSX Manager can get the details of groups to which a user belongs. Instead of assigning roles to individual users who can belong to the same group, NSX Manager assigns roles to groups. The following scenarios illustrate how NSX Manager assigns roles.

Role-Based Access Control Scenario

This scenario provides an IT network engineer (Sally Moore) access to NSX components in the following environment:
  • AD domain: corp.local
  • vCenter group: neteng@corp.local
  • User name: smoore@corp.local

Prerequisites: vCenter Server must be registered with NSX Manager, and SSO must be configured. Note that SSO is required only for Groups.

  1. Assign a role to Sally.
    1. Log in to the vSphere Web Client.
    2. Navigate to Networking & Security > System > Users and Domains.
    3. Ensure that you are in the Users tab.
    4. Click the Add icon.

      The Assign Role window opens.

    5. Click Specify a vCenter group and type neteng@corp.local in Group.
    6. Click Next.
    7. In Select Roles, click NSX Administrator, and then click Next.
  2. Grant Sally permission to the data center.
    1. Click the Home icon and then click Networking.
    2. Select a data center and click Actions > Add Permission.
    3. Click Add and select the corp.local domain.
    4. In Users and Groups, select Show Groups First.
    5. Select NetEng and click OK.
    6. In Assigned Role, select Read-only, deselect Propagate to children, and click OK.
  3. Log out of the vSphere Web Client and log in again as smoore@corp.local.

    Sally can perform NSX operations only, for example installing virtual appliances, creating logical switches, and similar operational tasks.

Inherit Permissions Through a User-Group Membership Scenario

In this scenario, John belongs to group G1, which is assigned the auditor role. John inherits the group role and resource permissions.

Group option        Example Value
Name                G1
Role assigned       Auditor (Read only)
Resources           Global root

User option         Example Value
Name                John
Belongs to group    G1
Role assigned       None

User Member of Multiple Groups Scenario

In this scenario, Joseph belongs to groups G1 and G2 and inherits a combination of the rights and permissions of the auditor and security administrator roles. For example, Joseph has the following permissions:
  • Read, write (security administrator role) for Datacenter1
  • Read only (auditor role) for global root

Group option        Example Value
Name                G1
Role assigned       Auditor (Read only)
Resources           Global root

Group option        Example Value
Name                G2
Role assigned       Security Administrator (Read and Write)
Resources           Datacenter1

User option         Example Value
Name                Joseph
Belongs to group    G1, G2
Role assigned       None

User Member of Multiple Roles Scenario

In this scenario, Bob is assigned the security administrator role, so he does not inherit the group role permissions. Bob has the following permissions:
  • Read, write (security administrator role) for Datacenter1 and its child resources
  • Enterprise administrator role on Datacenter1

Group option        Example Value
Name                G1
Role assigned       Enterprise Administrator
Resources           Global root

User option         Example Value
Name                Bob
Belongs to group    G1
Role assigned       Security Administrator (Read and Write)
Resources           Datacenter1
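The following is a constructed Python model of the three inheritance scenarios above (John, Joseph and Bob); it is an added example, not NSX code. The role-to-rights mapping, the Cluster1 child resource and the propagate flag are assumptions used to resolve each user's effective roles and rights on a resource.

```python
from dataclasses import dataclass, field

# Rights per role as used on this page (assumption: simplified to read/write).
ROLE_RIGHTS = {"Auditor": {"read"}, "Security Administrator": {"read", "write"},
               "Enterprise Administrator": {"read", "write"}}
# Constructed inventory, child -> parent; Cluster1 is an assumed child of Datacenter1.
PARENT = {"Datacenter1": "Global root", "Cluster1": "Datacenter1"}

@dataclass
class Assignment:
    role: str
    resource: str
    propagate: bool = True  # the "Propagate to children" option from the Sally scenario

@dataclass
class Group:
    name: str
    assignments: list

@dataclass
class User:
    name: str
    groups: list = field(default_factory=list)
    assignments: list = field(default_factory=list)  # roles assigned directly to the user

def _covers(a, resource):
    """True if assignment a applies to resource directly or by propagation from an ancestor."""
    node = resource
    while node is not None:
        if node == a.resource:
            return node == resource or a.propagate
        node = PARENT.get(node)
    return False

def effective_roles(user, resource):
    """Roles held on resource; a direct user assignment suppresses group inheritance."""
    sources = user.assignments or [a for g in user.groups for a in g.assignments]
    return {a.role for a in sources if _covers(a, resource)}

def effective_rights(user, resource):
    return set().union(*(ROLE_RIGHTS[r] for r in effective_roles(user, resource)))

# The page's scenarios: John inherits from G1, Joseph from G1 and G2, Bob holds a direct role.
G1 = Group("G1", [Assignment("Auditor", "Global root")])
G2 = Group("G2", [Assignment("Security Administrator", "Datacenter1")])
G1_ENT = Group("G1", [Assignment("Enterprise Administrator", "Global root")])  # Bob's G1
john = User("John", groups=[G1])
joseph = User("Joseph", groups=[G1, G2])
bob = User("Bob", groups=[G1_ENT], assignments=[Assignment("Security Administrator", "Datacenter1")])
```

Because a role granted at Global root propagates by default, John's read-only access reaches Datacenter1, while Bob's direct assignment leaves him with nothing at Global root.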