You can assign roles to users or user groups if VMware Identity Manager is integrated with NSX-T Data Center. You can also assign roles to principal identities.

A principal is an NSX-T Data Center component or a third-party application such as an OpenStack product. A principal identity lets a principal create objects under its identity name, so that only an entity authenticating as that same principal identity can modify or delete those objects (the Enterprise Administrator exception is described below). A principal identity has the following properties:
  • Name
  • Node ID
  • Certificate
  • RBAC role indicating the access rights of this principal

Users (local, remote, or principal identity) with the Enterprise Administrator role can modify or delete objects owned by principal identities. Users (local, remote, or principal identity) without the Enterprise Administrator role cannot modify or delete protected objects owned by principal identities, but can modify or delete unprotected objects.

If a principal identity user's certificate expires, you must import a new certificate and make an API call to update the principal identity user's certificate (see the procedure below). For more information about the NSX-T Data Center API, a link to the API resource is available at https://docs.vmware.com/en/VMware-NSX-T-Data-Center.

A principal identity user's certificate must satisfy the following requirements:
  • Signed with a SHA-256 based signature algorithm.
  • RSA or DSA key of 2048 bits or more.
  • Must not be a root certificate.

Prerequisites

Procedure

  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Select System > Users.
  3. To assign roles to users, select Add > Role Assignment.
    1. Select a user or user group.
    2. Select a role.
    3. Click Save.
  4. To add a principal identity, select Add > Principal Identity with Role.
    1. Enter a name for the principal identity.
    2. Select a role.
    3. Enter a node ID.
    4. Enter a certificate in PEM format.
    5. Click Save.
  5. (Optional) If using NSX Cloud, log in to the CSM appliance instead of NSX Manager and repeat steps 1 through 4.
  6. If the certificate for the principal identity expires, perform the following steps:
    1. Import a new certificate and note the certificate's ID. See Import a Certificate.
    2. Call the following API to get the ID of the principal identity.
      GET https://<nsx-mgr>/api/v1/trust-management/principal-identities
    3. Call the following API to update the principal identity's certificate. You must provide the imported certificate's ID and the principal identity user's ID.
      For example,
      POST https://<nsx-mgr>/api/v1/trust-management/principal-identities?action=update_certificate
      {
          "principal_identity_id": "ebd3032d-728e-44d4-9914-d4f81c9972cb",
          "certificate_id": "abd3032d-728e-44d4-9914-d4f81c9972cc"
      }
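The certificate-rotation steps 6.1 to 6.3 above, carried out as one script. This is an added example and not VMware's code: it assumes HTTP basic authentication as a user holding the Enterprise Administrator role (once the old certificate has expired the principal can no longer authenticate itself), the two endpoints named in the procedure plus the certificate import endpoint `/api/v1/trust-management/certificates?action=import` with a `pem_encoded` body, and the response field names `results`, `id`, `name`, `node_id` and `certificate_id`; the import body and these field names are assumptions. `SAMPLE_LISTING` is constructed data so that the selection logic can be exercised offline.

```python
"""Rotate the certificate bound to an NSX-T principal identity (added example).

Assumptions (not from the page): basic auth as an Enterprise Administrator,
GET .../principal-identities returns {"results": [{"id", "name", "node_id",
"certificate_id", ...}]}, and the import endpoint takes {"pem_encoded": ...}
and returns {"results": [{"id": ...}]}.
"""
import base64
import json
import ssl
import urllib.request

# Constructed sample of a GET /api/v1/trust-management/principal-identities
# response; two nodes of the same product registered under one name.
SAMPLE_LISTING = {
    "results": [
        {"id": "ebd3032d-728e-44d4-9914-d4f81c9972cb", "name": "openstack-neutron",
         "node_id": "node-a", "certificate_id": "11111111-0000-4000-8000-000000000001"},
        {"id": "5e6f7a8b-0000-4000-8000-000000000002", "name": "openstack-neutron",
         "node_id": "node-b", "certificate_id": "11111111-0000-4000-8000-000000000002"},
        {"id": "9c0d1e2f-0000-4000-8000-000000000003", "name": "nsx-cloud-csm",
         "node_id": "node-c", "certificate_id": "11111111-0000-4000-8000-000000000003"},
    ]
}


def _request(manager, path, user, password, method="GET", body=None, cafile=None):
    """One JSON request to NSX Manager over verified TLS with basic auth.

    Pass the manager's CA bundle as `cafile`; verification is never disabled,
    because the response tells us which certificate ID will be trusted.
    """
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"https://{manager}{path}", data=data, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def select_principal_identity(listing, name, node_id=None):
    """Pick exactly one principal identity from the GET response.

    Raises LookupError when nothing matches, or when several entries share
    the name and no node_id was given, so the wrong principal never gets
    the new certificate.
    """
    matches = [
        pi for pi in listing.get("results", [])
        if pi.get("name") == name and (node_id is None or pi.get("node_id") == node_id)
    ]
    if not matches:
        raise LookupError(f"no principal identity named {name!r}")
    if len(matches) > 1:
        raise LookupError(f"{len(matches)} principal identities named {name!r}; pass node_id")
    return matches[0]


def build_update_certificate_body(pi, new_certificate_id):
    """Body for POST ...principal-identities?action=update_certificate.

    Refuses to rebind the certificate that is already attached, which would
    silently leave an expired certificate in place.
    """
    if pi.get("certificate_id") == new_certificate_id:
        raise ValueError("certificate is already bound to this principal identity")
    return {"principal_identity_id": pi["id"], "certificate_id": new_certificate_id}


def rotate(manager, user, password, pi_name, new_cert_pem, node_id=None, cafile=None):
    """Steps 6.1-6.3: import the PEM, look up the principal identity, rebind."""
    imported = _request(manager, "/api/v1/trust-management/certificates?action=import",
                        user, password, "POST", {"pem_encoded": new_cert_pem}, cafile)
    cert_id = imported["results"][0]["id"]                     # assumption: response shape
    listing = _request(manager, "/api/v1/trust-management/principal-identities",
                       user, password, cafile=cafile)
    pi = select_principal_identity(listing, pi_name, node_id)
    body = build_update_certificate_body(pi, cert_id)
    return _request(manager, "/api/v1/trust-management/principal-identities"
                    "?action=update_certificate", user, password, "POST", body, cafile)


if __name__ == "__main__":
    # Offline demonstration of the selection and body-building logic only.
    pi = select_principal_identity(SAMPLE_LISTING, "openstack-neutron", node_id="node-b")
    print(json.dumps(build_update_certificate_body(
        pi, "abd3032d-728e-44d4-9914-d4f81c9972cc"), indent=2))
```

Run `rotate()` once per principal identity whose certificate is expiring; for a product that registers one identity per node, pass `node_id` so the ambiguity check does not stop the rotation.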