A user’s role defines the actions the user is allowed to perform on a given resource, ensuring that the user has access only to the functions necessary to complete applicable operations. This allows domain control over specific resources, or system-wide control if the user’s rights have no restrictions.

A user can have only one role. The following table lists the permissions of each user role.

Table 1. NSX Manager User Roles
Role Permissions
Enterprise Administrator

Users in this role can perform all tasks related to deployment and configuration of NSX products and administration of this NSX Manager instance.

NSX Administrator

Users in this role can perform all tasks related to deployment and administration of this NSX Manager instance. For example, they can install virtual appliances and configure port groups.

Security Administrator

Users in this role can configure security compliance policies in addition to viewing the reporting and auditing information in the system. For example, they can define distributed firewall rules and configure NAT and load balancer services.

Auditor

Users in this role can only view system settings, auditing, events, and reporting information and cannot make any configuration changes.

Security Engineer (introduced in NSX Data Center for vSphere 6.4.2)

Users in this role can perform all security tasks, such as configuring policies and firewall rules. Users have read access to some networking features, but no access to host preparation and user account management.

Network Engineer (introduced in NSX Data Center for vSphere 6.4.2)

Users in this role can perform all networking tasks, such as routing, DHCP, and bridging. Users have read access to endpoint security features, but no access to other security features.

Security & Role Administrator (introduced in NSX Data Center for vSphere 6.4.5)

Users in this role have all the feature permissions that a Security Engineer has, and they can also perform user management tasks.

When you assign a role to an SSO user, access is granted in the following interfaces:
  • The Networking and Security plug-in in the vSphere Web Client.
  • The NSX Manager appliance, including the API. This access is available only in NSX 6.4 or later.
The Enterprise Administrator role gets the same access to the NSX Manager appliance and the API as the NSX Manager admin user. The other NSX roles get read-only access to the NSX Manager appliance and the API.

For example:

SSO users with any role other than the Enterprise Administrator role can access the NSX Manager UI and run API requests in read-only mode. Users can access NSX APIs with the GET API request, but they cannot run the PUT, POST, and DELETE API requests. In addition, these SSO users cannot perform actions such as stop, configure, edit, and so on, in the NSX Manager UI.
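
The appliance and API access rule above can be checked against exported data. The following is an added example, not VMware code: it audits a role-assignment list and a set of API request records for users holding more than one role and for requests that succeeded although no assigned role permits them. The record formats, user names and `/api/EXAMPLE` paths are constructed assumptions.

```python
"""Added example: audit NSX role assignments and API request records.

The record formats, user names and /api/EXAMPLE paths are constructed.
"""
from collections import defaultdict

ENTERPRISE_ADMIN = "Enterprise Administrator"

def api_allowed(role, method):
    """Appliance/API rule from the text: every role may GET, and only
    Enterprise Administrator may write. Methods the page does not name
    are denied for other roles (an assumption: deny by default)."""
    return role == ENTERPRISE_ADMIN or method.upper() == "GET"

def audit(assignments, requests):
    """Return (kind, user, detail) findings.

    assignments: iterable of (user, role)
    requests:    iterable of (user, method, path, http_status)
    """
    roles = defaultdict(set)
    for user, role in assignments:
        roles[user].add(role)
    # The page states that a user can have only one role.
    findings = [("multiple-roles", user, sorted(held))
                for user, held in sorted(roles.items()) if len(held) > 1]
    for user, method, path, status in requests:
        permitted = any(api_allowed(r, method) for r in roles.get(user, ()))
        # A request that succeeded although no assigned role permits it
        # needs review (for example, the assignment export may be stale).
        if 200 <= status < 300 and not permitted:
            findings.append(("unexpected-access", user, f"{method} {path}"))
    return findings

ASSIGNMENTS = [  # constructed sample data
    ("alice@example.local", "Enterprise Administrator"),
    ("bob@example.local", "Security Engineer"),
    ("carol@example.local", "Auditor"),
    ("carol@example.local", "Network Engineer"),
]
REQUESTS = [  # constructed sample data
    ("alice@example.local", "POST", "/api/EXAMPLE/firewall", 201),
    ("bob@example.local", "GET", "/api/EXAMPLE/firewall", 200),
    ("bob@example.local", "PUT", "/api/EXAMPLE/firewall", 200),
    ("carol@example.local", "DELETE", "/api/EXAMPLE/edges/1", 403),
    ("dave@example.local", "GET", "/api/EXAMPLE/firewall", 200),
]

if __name__ == "__main__":
    for finding in audit(ASSIGNMENTS, REQUESTS):
        print(finding)
```

The example models only the NSX Manager appliance and API rule, not the per-feature permissions each role has in the vSphere Web Client plug-in.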