With role-based access control (RBAC), you restrict system access to authorized users: each user is assigned a role, and each role carries a fixed set of permissions on the objects and operations in the system.

There are four permission levels, listed here from most to least privileged:

  • Full access
  • Execute
  • Read
  • None

Full access gives the user every permission on the operation. The execute permission includes the read permission. None means the role can neither view nor act on the operation.

NSX-T Data Center has the following built-in roles. You cannot add new roles or change the permissions of the built-in ones, so access is controlled by choosing the least-privileged built-in role that covers what a user needs.

  • Enterprise Administrator
  • Auditor
  • Network Engineer
  • Network Operations
  • Security Engineer
  • Security Operations
  • Cloud Service Administrator
  • Cloud Service Auditor
  • Load Balancer Administrator
  • Load Balancer Auditor
  • VPN Administrator
  • Guest Introspection Administrator
  • Network Introspection Administrator

Role assignments for Active Directory (AD) users are keyed to the username. If the username is changed on the AD server after a role has been assigned, the assignment does not follow the rename: you must assign the role again using the new username.
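The rename caveat above leaves two things to clean up: the binding under the old name is now orphaned, and the renamed account has no role until one is assigned. The following script is an added example (not NSX-T's own code) that reconciles a role-binding list against the directory accounts expected to hold NSX-T roles. BINDINGS_JSON is a constructed sample shaped like the results array of GET /api/v1/aaa/role-bindings; the field names name, type and roles[].role and the role identifiers in it are assumptions about that response, and AD_USERS is a constructed list standing in for what you would read from the directory (for example over LDAP).

```python
"""Find NSX-T role bindings orphaned by an Active Directory rename.

Added example, not NSX-T's own code. BINDINGS_JSON is a constructed sample
shaped like the 'results' array of GET /api/v1/aaa/role-bindings (the field
names 'name', 'type' and 'roles[].role' and the role identifiers are
assumptions); in production you would fetch it from the manager with an
authenticated request and take AD_USERS from the directory instead of the
inline list.
"""
import json

# Constructed sample: jsmith was renamed in AD after being given a role.
BINDINGS_JSON = """
{"results": [
  {"name": "jsmith@corp.example",     "type": "remote_user",
   "roles": [{"role": "network_engineer"}]},
  {"name": "secops1@corp.example",    "type": "remote_user",
   "roles": [{"role": "security_op"}]},
  {"name": "nsx-admins@corp.example", "type": "remote_group",
   "roles": [{"role": "enterprise_admin"}]},
  {"name": "admin",                   "type": "local_user",
   "roles": [{"role": "enterprise_admin"}]}
]}
"""

# Constructed: the directory accounts that are expected to hold NSX-T roles,
# as AD reports them today (jsmith is now John.Smith).
AD_USERS = ["John.Smith@corp.example", "secops1@corp.example"]


def load_bindings(raw_json):
    """Extract the binding list from the API-style JSON document."""
    return json.loads(raw_json)["results"]


def reconcile(bindings, ad_users):
    """Split remote-user bindings into (stale, unbound).

    stale   - bindings whose principal no longer exists in AD; the old name
              keeps its role assignment until someone deletes it.
    unbound - expected AD users with no binding at all, e.g. the renamed
              account, which must be assigned its role again under the new name.
    """
    # AD principal names are case-insensitive, so compare in one case.
    known = {u.lower() for u in ad_users}
    stale, bound = [], set()
    for b in bindings:
        if b["type"] != "remote_user":
            continue  # local users and groups are reconciled separately
        name = b["name"].lower()
        if name in known:
            bound.add(name)
        else:
            stale.append((b["name"], [r["role"] for r in b["roles"]]))
    return stale, sorted(known - bound)


if __name__ == "__main__":
    stale, unbound = reconcile(load_bindings(BINDINGS_JSON), AD_USERS)
    for name, roles in stale:
        print(f"stale binding: {name} -> {roles}")
    for name in unbound:
        print(f"no role assigned: {name}")
```

Run the reconciliation after any bulk rename in AD, and treat each stale binding as a finding to review before deleting it: an orphaned binding is harmless only as long as nobody can recreate an account with the old name.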

Roles and Permissions

Table 1 (Roles and Permissions) and Table 2 (Roles and Permissions for Advanced Networking and Security) show the permission each role has for each operation. The following abbreviations are used in both tables:
  • EA - Enterprise Administrator
  • A - Auditor
  • NE - Network Engineer
  • NO - Network Operations
  • SE - Security Engineer
  • SO - Security Operations
  • CS Adm - Cloud Service Administrator
  • CS Aud - Cloud Service Auditor
  • LB Adm - Load Balancer Administrator
  • LB Aud - Load Balancer Auditor
  • VPN Adm - VPN Administrator
  • GI Adm - Guest Introspection Administrator
  • NI Adm - Network Introspection Administrator
  • FA - Full access
  • E - Execute
  • R - Read
  • None - No access
Table 1. Roles and Permissions

| Operation | EA | A | NE | NO | SE | SO | CS Adm | CS Aud | LB Adm | LB Aud | VPN Adm | GI Adm | NI Adm |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Networking > Tier-0 Gateways | FA | R | FA | FA | R | R | FA | R | R | R | R | R | R |
| Networking > Network Interface | FA | R | FA | FA | R | R | FA | R | R | R | R | R | R |
| Networking > Network Static Routes | FA | R | FA | FA | R | R | FA | R | R | R | R | R | R |
| Networking > Locale Services | FA | R | FA | FA | R | R | FA | R | R | R | R | R | R |
| Networking > Static ARP Configuration | FA | R | FA | FA | R | R | FA | R | R | R | R | R | R |
| Networking > Segments | FA | R | FA | FA | R | R | FA | R | R | R | R | R | R |
| Networking > Segments > Segment Profiles | FA | R | FA | FA | R | R | FA | R | R | R | R | R | R |
| Networking > IP Address Pools | FA | R | FA | FA | R | R | FA | R | R | R | None | None | None |
| Networking > Forwarding Policies | FA | R | FA | R | FA | R | FA | R | None | None | None | None | None |
| Networking > DNS | FA | R | FA | FA | R | R | FA | R | R | R | None | None | None |
| Networking > Load Balancing | FA | R | None | None | R | None | FA | R | FA | R | None | None | None |
| Networking > NAT | FA | R | FA | R | FA | R | FA | R | R | R | None | None | None |
| Networking > VPN | FA | R | FA | R | FA | R | FA | R | None | None | FA | None | None |
| Networking > IPv6 Profiles | | | | | | | | | | | | | |
| Security > Distributed Firewall | FA | R | R | R | FA | R | FA | R | R | R | R | R | R |
| Security > Gateway Firewall | FA | R | R | R | FA | R | FA | R | None | None | None | None | FA |
| Security > Network Introspection | FA | R | R | R | R | R | FA | R | None | None | None | None | FA |
| Security > Endpoint Protection Rules | FA | R | R | R | R | R | FA | R | None | None | None | FA | None |
| Inventory > Context Profiles | FA | R | FA | R | FA | R | FA | R | R | R | R | R | R |
| Inventory > Virtual Machines | R | R | R | R | R | R | R | R | R | R | R | R | R |
| Plan & Troubleshoot > Port Mirroring | FA | R | FA | R | R | R | FA | R | None | None | None | None | None |
| Plan & Troubleshoot > Port Mirroring Binding | FA | R | FA | FA | R | R | FA | R | R | R | R | R | R |
| Plan & Troubleshoot > Monitoring Profile Binding | FA | R | FA | FA | R | R | FA | R | R | R | R | R | R |
| Plan & Troubleshoot > Firewall IPFIX Profiles | FA | R | FA | R | FA | R | FA | R | R | R | R | R | R |
| Plan & Troubleshoot > Switch IPFIX Profiles | FA | R | FA | R | R | R | FA | R | R | R | R | R | R |
| System > Fabric > Nodes > Hosts | FA | R | R | R | R | R | R | R | None | None | None | None | None |
| System > Fabric > Nodes > Nodes | FA | R | FA | R | FA | R | R | R | R | R | None | None | None |
| System > Fabric > Nodes > Edges | FA | R | FA | R | R | R | R | R | None | None | None | None | None |
| System > Fabric > Nodes > Edge Clusters | FA | R | FA | R | R | R | R | R | None | None | None | None | None |
| System > Fabric > Nodes > Bridges | FA | R | FA | R | R | R | None | None | R | R | None | None | None |
| System > Fabric > Nodes > Transport Nodes | FA | R | R | R | R | R | R | R | R | R | None | None | None |
| System > Fabric > Nodes > Tunnels | R | R | R | R | R | R | R | R | R | R | None | None | None |
| System > Fabric > Profiles > Uplink Profiles | FA | R | R | R | R | R | R | R | R | R | None | None | None |
| System > Fabric > Profiles > Edge Cluster Profiles | FA | R | FA | R | R | R | R | R | R | R | None | None | None |
| System > Fabric > Profiles > Configuration | FA | R | None | None | None | None | R | R | None | None | None | None | None |
| System > Fabric > Transport Zones > Transport Zones | FA | R | R | R | R | R | R | R | R | R | None | None | None |
| System > Fabric > Transport Zones > Transport Zone Profiles | FA | R | R | R | R | R | R | R | None | None | None | None | None |
| System > Fabric > Compute Managers | FA | R | R | R | R | R | R | R | None | None | None | R | R |
| System > Certificates | FA | R | None | None | FA | R | None | None | FA | R | FA | None | None |
| System > Service Deployments > Service Instances | FA | R | R | R | FA | R | FA | R | None | None | None | FA | FA |
| System > Utilities > Support Bundle | FA | R | None | None | None | None | None | None | None | None | None | None | None |
| System > Utilities > Backup | FA | R | None | None | None | None | None | None | None | None | None | None | None |
| System > Utilities > Restore | FA | R | None | None | None | None | None | None | None | None | None | None | None |
| System > Utilities > Upgrade | FA | R | R | R | R | R | None | None | None | None | None | None | None |
| System > Users > Role Assignments | FA | R | None | None | None | None | None | None | None | None | None | None | None |
| System > Active Directory | FA | R | FA | R | FA | FA | R | R | R | R | R | R | R |
| System > Users > Configuration | FA | R | None | None | None | None | None | None | None | None | None | None | None |
| System > Licenses | FA | R | R | R | R | R | None | None | None | None | None | None | None |
| System > System Administration | FA | R | R | R | R | R | R | R | None | None | None | None | None |
| Custom Dashboard Configuration | FA | R | R | R | R | R | FA | R | R | R | R | R | R |
| System > Lifecycle Management > Migrate | FA | None | None | None | None | None | None | None | None | None | None | None | None |
Table 2. Roles and Permissions for Advanced Networking and Security

| Operation | EA | A | NE | NO | SE | SO | CS Adm | CS Aud | LB Adm | LB Aud | VPN Adm | GI Adm | NI Adm |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Tools > Port Connection | E | R | E | E | E | E | E | R | E | E | None | None | None |
| Tools > Traceflow | E | R | E | E | E | E | E | R | E | E | None | None | None |
| Tools > Port Mirroring | FA | R | FA | R | R | R | FA | R | None | None | None | None | None |
| Tools > IPFIX | FA | R | FA | R | FA | R | FA | R | R | R | R | R | R |
| Firewall > Distributed Firewall > General | FA | R | R | R | FA | R | FA | R | None | None | None | None | R |
| Firewall > Distributed Firewall > Configuration | FA | R | R | R | FA | R | FA | R | None | None | None | None | None |
| Firewall > Edge Firewall | FA | R | R | R | FA | R | FA | R | None | None | None | None | FA |
| Routing > Routers | FA | R | FA | FA | R | R | FA | R | R | R | R | None | R |
| Routing > NAT | FA | R | FA | R | FA | R | FA | R | R | R | None | None | None |
| DHCP > Server Profiles | FA | R | FA | R | None | None | FA | R | None | None | None | None | None |
| DHCP > Servers | FA | R | FA | R | None | None | FA | R | None | None | None | None | None |
| DHCP > Relay Profiles | FA | R | FA | R | None | None | FA | R | None | None | None | None | None |
| DHCP > Relay Services | FA | R | FA | R | None | None | FA | R | None | None | None | None | None |
| DHCP > Metadata Proxies | FA | R | FA | R | None | None | None | None | None | None | None | None | None |
| IPAM | FA | R | FA | FA | R | R | None | None | R | R | None | None | None |
| Switching > Switches | FA | R | FA | FA | R | R | FA | R | R | R | R | None | R |
| Switching > Ports | FA | R | FA | FA | R | R | FA | R | R | R | R | None | R |
| Switching > Switching Profiles | FA | R | FA | FA | R | R | FA | R | R | R | None | None | None |
| Networking > Load Balancers | FA | R | None | None | R | None | FA | R | FA | R | None | None | None |
| Load Balancing > Profiles > SSL Profiles | FA | R | None | None | FA | R | FA | R | FA | R | None | None | None |
| Inventory > Groups | FA | R | FA | R | FA | R | FA | R | R | R | R | R | R |
| Inventory > IP Sets | FA | R | FA | R | FA | R | FA | R | R | R | R | R | R |
| Inventory > IP Pools | FA | R | FA | R | None | None | None | None | R | R | R | R | R |
| Inventory > MAC Sets | FA | R | FA | R | FA | R | FA | R | R | R | R | R | R |
| Inventory > Services | FA | R | FA | R | FA | R | FA | R | R | R | R | R | R |
| Inventory > Virtual Machines | R | R | R | R | R | R | R | R | R | R | R | R | R |
| Inventory > Virtual Machines > Configure Tags | FA | None | None | None | None | None | None | None | None | None | None | None | None |
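Because the built-in roles cannot be edited, choosing a role is a least-privilege decision: find the roles whose permissions cover everything a user must do, pick the one with the smallest footprint, and know what extra rights come with it. The script below is an added example, not code from the NSX-T documentation or product. It encodes the permission ordering described above (Execute includes Read, Full access covers everything) and a subset of rows copied from Table 1 and Table 2; the "operation | levels" line format is this example's own convention, so the full tables can be pasted in the same shape.

```python
"""Least-privilege role selection over the NSX-T built-in role matrix.

Added example; this is not code from the NSX-T documentation or product.
MATRIX_TEXT holds a subset of rows copied from Table 1 and Table 2 above;
the "operation | levels" line format is this example's own convention.
"""

# Permission levels ordered by privilege. Execute includes Read, so a role
# holding E satisfies a requirement for R, and Full access satisfies any
# requirement.
LEVELS = {"None": 0, "R": 1, "E": 2, "FA": 3}

# Column order used by the tables above.
ROLES = ["EA", "A", "NE", "NO", "SE", "SO", "CS Adm", "CS Aud",
         "LB Adm", "LB Aud", "VPN Adm", "GI Adm", "NI Adm"]

# Rows copied from the tables above (a subset, for brevity).
MATRIX_TEXT = """
Networking > NAT                  | FA R FA R FA R FA R R R None None None
Networking > DNS                  | FA R FA FA R R FA R R R None None None
Networking > Load Balancing       | FA R None None R None FA R FA R None None None
Security > Distributed Firewall   | FA R R R FA R FA R R R R R R
System > Certificates             | FA R None None FA R None None FA R FA None None
System > Users > Role Assignments | FA R None None None None None None None None None None None
Tools > Port Connection           | E R E E E E E R E E None None None
"""


def parse_matrix(text):
    """Parse 'operation | levels' lines into {operation: {role: level}}.

    Every row is validated against the column count and the known levels so
    a mis-pasted row fails loudly instead of silently assigning a wrong level.
    """
    matrix = {}
    for line in text.strip().splitlines():
        op, levels = line.split("|", 1)
        op, cells = op.strip(), levels.split()
        if len(cells) != len(ROLES):
            raise ValueError(f"{op!r}: expected {len(ROLES)} cells, got {len(cells)}")
        bad = [c for c in cells if c not in LEVELS]
        if bad:
            raise ValueError(f"{op!r}: unknown permission level(s) {bad}")
        matrix[op] = dict(zip(ROLES, cells))
    return matrix


def permits(matrix, role, operation, needed):
    """True if `role` holds at least `needed` on `operation` (E covers R)."""
    return LEVELS[matrix[operation][role]] >= LEVELS[needed]


def privilege_score(matrix, role):
    """Crude footprint of a role: the sum of its levels over every row."""
    return sum(LEVELS[row[role]] for row in matrix.values())


def least_privileged_roles(matrix, requirements):
    """Built-in roles that satisfy every (operation, level) requirement,
    ordered so the smallest privilege footprint comes first."""
    covering = [r for r in ROLES
                if all(permits(matrix, r, op, lvl) for op, lvl in requirements)]
    return sorted(covering, key=lambda r: (privilege_score(matrix, r), ROLES.index(r)))


def excess_rights(matrix, role, requirements):
    """Rights the role carries beyond what was asked for: what you accept
    by assigning it instead of an exact-fit role that does not exist."""
    required = {op for op, _ in requirements}
    return [(op, row[role]) for op, row in matrix.items()
            if op not in required and row[role] != "None"]


if __name__ == "__main__":
    m = parse_matrix(MATRIX_TEXT)
    needs = [("Networking > NAT", "FA"), ("Networking > DNS", "FA")]
    for role in least_privileged_roles(m, needs):
        print(f"{role:8s} footprint={privilege_score(m, role):2d} "
              f"excess={excess_rights(m, role, needs)}")
```

With the rows above, a user who must manage NAT and DNS is best served by Network Engineer rather than Enterprise Administrator, and the excess list shows what that still grants (read on the distributed firewall, execute on port connection checks). Paste in the complete tables before relying on the ranking: the footprint is only as honest as the rows it sees, and the one operation no other role can touch, System > Users > Role Assignments, makes Enterprise Administrator the role to guard most tightly.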