A principal can be an NSX-T Data Center component or a third-party application such as an OpenStack product. With a principal identity, a principal can use the identity name to create an object and ensure that only an entity with the same identity name can modify or delete the object.

A principal identity has the following properties:
  • Name
  • Node ID
  • Certificate
  • RBAC role indicating the access rights of this principal
  • Flag indicating whether objects created by this principal are protected

Users (local, remote, or principal identity) with the Enterprise Administrator role can modify or delete objects owned by principal identities. Users (local, remote, or principal identity) without the Enterprise Administrator role cannot modify or delete protected objects owned by principal identities, but can modify or delete unprotected objects. An Enterprise Administrator user can delete protected objects only through the NSX-T Data Center API, not through the NSX Manager UI.
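
The rules above, written as a decision function together with a check of which non-owner callers can delete each object. This is an added example, not VMware code or part of the NSX-T Data Center API; the role label, class names and sample data are hypothetical, and it assumes the caller's RBAC role otherwise permits the operation.

```python
from dataclasses import dataclass
ENTERPRISE_ADMIN = "enterprise_admin"  # hypothetical label for the Enterprise Administrator role

@dataclass(frozen=True)
class Caller:
    name: str   # user name or principal identity name
    role: str

@dataclass(frozen=True)
class OwnedObject:
    ident: str
    owner: str       # name of the principal identity that created the object
    protected: bool  # the owner's "created objects are protected" flag

def can_change(caller, obj, action, channel):
    """Model of the page's rules. action: 'modify'/'delete'; channel: 'api'/'ui'."""
    if action not in ("modify", "delete") or channel not in ("api", "ui"):
        raise ValueError("unknown action or channel")
    if not obj.protected:
        return True   # unprotected objects can be modified or deleted by other users
    if caller.name == obj.owner:
        return True   # same identity name as the creator
    if caller.role == ENTERPRISE_ADMIN:
        # An admin can delete a protected object through the API only, not the UI.
        return not (action == "delete" and channel == "ui")
    return False      # protected, and the caller is neither the owner nor an admin

def exposure(objects, callers):
    """Map each object id to the non-owner callers able to delete it via the API."""
    return {
        o.ident: sorted(c.name for c in callers
                        if c.name != o.owner and can_change(c, o, "delete", "api"))
        for o in objects
    }

# Constructed sample data, not taken from a real NSX-T deployment.
CALLERS = [
    Caller("openstack-pi", "network_engineer"),
    Caller("alice", ENTERPRISE_ADMIN),
    Caller("bob", "network_engineer"),
]
OBJECTS = [
    OwnedObject("ls-web", owner="openstack-pi", protected=True),
    OwnedObject("ls-test", owner="openstack-pi", protected=False),
]

if __name__ == "__main__":
    for ident, names in exposure(OBJECTS, CALLERS).items():
        print(ident, "deletable via API by", names)
```

In the sample, the unprotected object is deletable by every other caller, while the protected one is reachable only by the Enterprise Administrator.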

A principal identity can be created or deleted only through the NSX-T API. For more information, see the NSX-T Data Center API Reference. You can, however, view principal identities through the NSX Manager UI.


  1. From your browser, log in with admin privileges to an NSX Manager at https://nsx-manager-ip-address.
  2. Select System > Users from the navigation panel.
  3. Click the Role Assignments tab.
    Users, user groups, and principal identities are displayed.