With role-based access control (RBAC), you can restrict system access to authorized users. Users are assigned roles and each role has specific permissions.

There are four types of permissions:

  • Full access
  • Execute
  • Read
  • None

Full access gives the user all permissions. The execute permission includes the read permission.

NSX-T Data Center has the following built-in roles. You cannot add any new roles.

  • Enterprise Administrator
  • Auditor
  • Network Engineer
  • Network Operations
  • Security Engineer
  • Security Operations
  • Cloud Service Administrator
  • Cloud Service Auditor
  • Load Balancer Administrator
  • Load Balancer Auditor
  • VPN Administrator
  • Guest Introspection Administrator
  • Network Introspection Administrator

After an Active Directory (AD) user is assigned a role, if the username is changed on the AD server, you need to assign the role again using the new username.

Roles and Permissions

Table 1 shows the permissions each role has for different operations. The following abbreviations are used:
  • EA - Enterprise Administrator
  • A - Auditor
  • NE - Network Engineer
  • NO - Network Operations
  • SE - Security Engineer
  • SO - Security Operations
  • CS Adm - Cloud Service Administrator
  • CS Aud - Cloud Service Auditor
  • LB Adm - Load Balancer Administrator
  • LB Aud - Load Balancer Auditor
  • VPN Adm - VPN Administrator
  • GI Adm - Guest Introspection Administrator
  • NI Adm - Network Introspection Administrator
  • FA - Full access
  • E - Execute
  • R - Read

Table 1. Roles and Permissions

| Operation | EA | A | NE | NO | SE | SO | CS Adm | CS Aud | LB Adm | LB Aud | VPN Adm | GI Adm | NI Adm |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Tools > Port Connection | E | R | E | E | E | E | E | R | E | E | None | None | None |
| Tools > Traceflow | E | R | E | E | E | E | E | R | E | E | None | None | None |
| Tools > Port Mirroring | FA | R | FA | FA | FA | FA | FA | R | None | None | None | None | None |
| Tools > IPFIX | FA | R | FA | R | FA | R | FA | R | None | None | R | R | R |
| Firewall > General | FA | R | R | R | FA | R | FA | R | None | None | None | None | R |
| Firewall > Configuration | FA | R | R | R | FA | R | FA | R | None | None | None | None | None |
| Routing > Routers | FA | R | FA | R | R | R | FA | R | R | R | None | None | None |
| Routing > NAT | FA | R | FA | R | FA | R | FA | R | R | R | None | None | None |
| DHCP > Server Profiles | FA | R | FA | R | FA | None | FA | R | None | None | None | None | None |
| DHCP > Servers | FA | R | FA | R | FA | None | FA | R | None | None | None | None | None |
| DHCP > Relay Profiles | FA | R | FA | R | FA | None | FA | R | None | None | None | None | None |
| DHCP > Relay Services | FA | R | FA | R | FA | None | FA | R | None | None | None | None | None |
| DHCP > Metadata Proxies | FA | R | FA | R | FA | None | None | None | None | None | None | None | None |
| IPAM | FA | R | FA | R | FA | None | None | None | None | None | None | None | None |
| Switching > Switches | FA | R | FA | FA | R | R | FA | R | R | R | None | None | None |
| Switching > Ports | FA | R | FA | FA | R | R | FA | R | R | R | None | None | None |
| Switching > Switching Profiles | FA | R | FA | FA | FA | FA | FA | R | R | R | None | None | None |
| Policy > Networking > Load Balancers | FA | R | None | None | None | None | FA | R | FA | R | None | None | None |
| Load Balancing > Virtual Servers | FA | R | None | None | None | None | FA | R | FA | R | None | None | None |
| Load Balancing > Profiles > Application Profiles | FA | R | None | None | None | None | FA | R | FA | R | None | None | None |
| Load Balancing > Profiles > Persistence Profiles | FA | R | None | None | None | None | FA | R | FA | R | None | None | None |
| Load Balancing > Profiles > SSL Profiles | FA | R | None | None | FA | R | FA | R | FA | R | None | None | None |
| Load Balancing > Server Pools | FA | R | None | None | None | None | FA | R | FA | R | None | None | None |
| Load Balancing > Monitors | FA | R | None | None | None | None | FA | R | FA | R | None | None | None |
| Inventory > Groups | FA | R | FA | R | FA | R | FA | R | R | R | R | R | R |
| Inventory > IP Sets | FA | R | FA | R | FA | R | FA | R | R | R | R | R | R |
| Inventory > IP Pools | FA | R | FA | R | None | R | None | None | R | R | R | R | R |
| Inventory > MAC Sets | FA | R | FA | R | FA | R | FA | R | R | R | R | R | R |
| Inventory > Services | FA | R | FA | R | FA | R | FA | R | R | R | R | R | R |
| Inventory > Virtual Machines | R | R | R | R | R | R | R | R | R | R | R | R | R |
| Inventory > VM > Create & Assign Tags | FA | R | FA | FA | FA | FA | FA | R | R | R | R | FA | FA |
| Inventory > VM > Configure Tags | FA | None | None | None | FA | None | None | None | None | None | None | None | None |
| Fabric > Nodes > Hosts | FA | R | R | R | R | R | R | R | None | None | None | None | None |
| Fabric > Nodes > Nodes | FA | R | FA | R | FA | R | R | R | None | None | None | None | None |
| Fabric > Nodes > Edges | FA | R | FA | R | R | R | R | R | None | None | None | None | None |
| Fabric > Nodes > Edge Clusters | FA | R | FA | R | R | R | R | R | None | None | None | None | None |
| Fabric > Nodes > Bridges | FA | R | FA | R | R | R | None | None | R | R | None | None | None |
| Fabric > Nodes > Transport Nodes | FA | R | R | R | R | R | R | R | R | R | None | None | None |
| Fabric > Nodes > Tunnels | R | R | R | R | R | R | R | R | R | R | None | None | None |
| Fabric > Profiles > Uplink Profiles | FA | R | R | R | R | R | R | R | R | R | None | None | None |
| Fabric > Profiles > Edge Cluster Profiles | FA | R | FA | R | R | R | R | R | R | R | None | None | None |
| Fabric > Profiles > Configuration | FA | R | None | None | None | None | R | R | None | None | None | None | None |
| Fabric > Transport Zones > Transport Zones | FA | R | R | R | R | R | R | R | R | R | None | None | None |
| Fabric > Transport Zones > Transport Zone Profiles | FA | R | R | R | R | R | R | R | R | R | None | None | None |
| Fabric > Compute Managers | FA | R | R | R | R | R | R | R | None | None | None | R | R |
| System > Trust | FA | R | None | None | FA | R | None | None | FA | R | FA | None | None |
| System > Configuration | FA | R | None | None | None | None | None | None | None | None | None | None | None |
| System > Utilities > Support Bundle | FA | R | R | R | R | R | R | R | None | None | None | None | None |
| System > Utilities > Backup | FA | R | None | None | None | None | None | None | None | None | None | None | None |
| System > Utilities > Restore | FA | R | None | None | None | None | None | None | None | None | None | None | None |
| System > Utilities > Upgrade | FA | R | R | R | R | R | None | None | None | None | None | None | None |
| System > Users > Role Assignments | FA | R | None | None | None | None | None | None | None | None | None | None | None |
| System > Users > Configuration | FA | R | None | None | None | None | None | None | None | None | None | None | None |
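
When deciding which built-in role to assign, the matrix can be queried for the roles that cover a task and, among those, the one carrying the least privilege elsewhere. The following is an added example, not VMware code: it embeds six rows of Table 1 as whitespace-separated text, applies the ordering stated above (Full access covers everything, Execute includes Read), and ranks roles with a simple summed-privilege heuristic that is an assumption of this example.

```python
# Added example: least-privilege role lookup over a subset of Table 1.
# Ordering from the page: Full access grants everything, Execute includes Read.
LEVEL = {"None": 0, "R": 1, "E": 2, "FA": 3}
ROLES = ["EA", "A", "NE", "NO", "SE", "SO", "CS Adm", "CS Aud",
         "LB Adm", "LB Aud", "VPN Adm", "GI Adm", "NI Adm"]

# Six rows copied from Table 1: operation name followed by 13 permission cells.
TABLE_SUBSET = """\
Tools > Traceflow E R E E E E E R E E None None None
Firewall > Configuration FA R R R FA R FA R None None None None None
Routing > NAT FA R FA R FA R FA R R R None None None
Load Balancing > Virtual Servers FA R None None None None FA R FA R None None None
System > Trust FA R None None FA R None None FA R FA None None
System > Users > Role Assignments FA R None None None None None None None None None None None
"""

def parse_matrix(text):
    """Return {operation: {role: permission}} from whitespace-separated rows."""
    matrix = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) <= len(ROLES):
            continue  # blank or truncated row
        cells = tokens[-len(ROLES):]  # the last 13 tokens are the role columns
        if any(c not in LEVEL for c in cells):
            raise ValueError(f"unexpected permission value in row: {line!r}")
        matrix[" ".join(tokens[:-len(ROLES)])] = dict(zip(ROLES, cells))
    return matrix

def allows(granted, required):
    """True if the granted permission covers the required one."""
    return LEVEL[granted] >= LEVEL[required]

def roles_satisfying(matrix, needs):
    """Roles whose permissions cover every {operation: required} entry."""
    return [r for r in ROLES
            if all(allows(matrix[op][r], req) for op, req in needs.items())]

def least_privileged(matrix, needs):
    """Satisfying roles with the lowest total privilege (heuristic, not NSX-T's)."""
    def weight(role):
        return sum(LEVEL[row[role]] for row in matrix.values())
    candidates = roles_satisfying(matrix, needs)
    lowest = min((weight(r) for r in candidates), default=None)
    return [r for r in candidates if weight(r) == lowest]

if __name__ == "__main__":
    m = parse_matrix(TABLE_SUBSET)
    print(roles_satisfying(m, {"System > Users > Role Assignments": "FA"}))
    print(least_privileged(m, {"Load Balancing > Virtual Servers": "FA"}))
```

Loading all rows of Table 1 into `TABLE_SUBSET` makes the ranking reflect the whole matrix rather than the six rows used here.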