When you assign a role to an SSO user, vCenter Server authenticates the user with the identity service configured on the SSO server. If the SSO server is not configured or is not available, the user is authenticated either locally or with Active Directory based on vCenter Server configuration.

When you assign a role to an SSO user, access is granted in the following interfaces:
  • The Networking and Security plug-in in the vSphere Web Client.
  • The NSX Manager appliance, including the API. This access is available only in NSX 6.4 or later.
The Enterprise Administrator role gets the same access to the NSX Manager appliance and the API as the NSX Manager admin user. The other NSX roles get read-only access to the NSX Manager appliance and the API.

Roles can be assigned individually or through a group membership. A user can be assigned an NSX role individually, and this user can also be a member of a group that is assigned a different NSX role. In such cases, the role that is assigned individually to the user is used for logging into the NSX Manager appliance.


  1. In the vSphere Web Client, navigate to Networking & Security > System > Users and Domains.
  2. Ensure that you are in the Users tab.
  3. If multiple IP addresses are available in the NSX Manager drop-down menu, select an IP address, or keep the default selection.
  4. Click the Add icon.
    The Assign Role window opens.
  5. Click Specify a vCenter user or Specify a vCenter group
  6. Type the vCenter Server user details and group details.

    For example:

    Field Example Value
    Domain name corp.vmware.com
    Alias corp
    Group name group1@corp.vmware.com
    User name user1@corp.vmware.com
    User alias user1@corp
    Note: When a group is assigned a role on the NSX Manager, any user from that group can log in to the NSX Manager UI.
  7. Click Next.
  8. Select the role for the user and click Next. For more information about available roles, see Managing User Rights.
  9. Click Finish.
    The user account appears in the Users table.