Role-Based Access Control

With role-based access control (RBAC), you can restrict system access to authorized users. Users are assigned roles and each role has specific permissions.

There are four types of permissions:

Full access (Create, Read, Update, and Delete)
Execute (Read, Update)
Read
None

Full access gives the user all permissions.

NSX-T Data Center has the following built-in roles. You cannot add any new roles.

Enterprise Administrator
Auditor
Network Engineer
Network Operations
Security Engineer
Security Operations
Load Balancer Administrator
Load Balancer Auditor
VPN Administrator
Guest Introspection Administrator
Network Introspection Administrator

To view the built-in roles and the associated permissions, navigate to System > Users and Roles > Roles.

After an Active Directory (AD) user is assigned a role, if the username is changed on the AD server, you need to assign the role again using the new username.

Roles and Permissions

Roles and Permissions and Roles and Permissions for Manager Mode show the permissions each role has for different operations. The following abbreviations are used:

EA - Enterprise Administrator
A - Auditor
NE - Network Engineer
NO - Network Operations
SE - Security Engineer
SO - Security Operations
LB Adm - Load Balancer Administrator
LB Aud - Load Balancer Auditor
VPN Adm - VPN Administrator
GI Adm - Guest Introspection Administrator
NI Adm - Network Introspection Administrator
FA - Full access
E - Execute
R - Read

Table 1. Roles and Permissions
Operation	EA	A	NE	NO	SE	SO	CS Adm	CS Aud	LB Adm	LB Aud	VPN Adm	GI Adm	NI Adm
Networking > Tier-0 Gateways	FA	R	FA	R	R	R	FA	R	R	R	R	R	R
Networking > Tier-1 Gateways	FA	R	FA	R	R	R	FA	R	R	R	R	R	R
Networking > Network Interface	FA	R	FA	FA	R	R	FA	R	R	R	R	R	R
Networking > Network Static Routes	FA	R	FA	FA	R	R	FA	R	R	R	R	R	R
Networking > Locale Services	FA	R	FA	FA	R	R	FA	R	R	R	R	R	R
Networking > Static ARP Configuration	FA	R	FA	FA	R	R	FA	R	R	R	R	R	R
Networking > Segments	FA	R	FA	R	R	R	FA	R	R	R	R	R	R
Networking > Segments > Segment Profiles	FA	R	FA	R	R	R	FA	R	R	R	R	R	R
Networking > IP Address Pools	FA	R	FA	FA	R	R	FA	R	R	R	None	None	None
Networking Forwarding Policies	FA	R	FA	R	FA	R	FA	R	None	None	None	None	None
Networking > DNS	FA	R	FA	FA	R	R	FA	R	R	R	None	None	None
Networking > DHCP	FA	R	FA	R	R	R	FA	R	R	R	None	None	None
Networking > Load Balancing	FA	R	None	None	R	None	FA	R	FA	R	None	None	None
Networking > NAT	FA	R	FA	R	FA	R	FA	R	R	R	None	None	None
Networking > VPN	FA	R	FA	R	FA	R	FA	R	None	None	FA	None	None
Networking > IPv6 Profiles	FA	R	FA	R	R	R	FA	R	R	R	None	None	None
Security > Distributed Firewall	FA	R	R	R	FA	R	FA	R	R	R	R	R	R
Security > Gateway Firewall	FA	R	R	R	FA	R	FA	R	None	None	None	None	FA
Security > Network Introspection	FA	R	R	R	R	R	FA	R	None	None	None	None	FA
Security > Endpoint Protection Rules	FA	R	R	R	R	R	FA	R	None	None	None	FA	None
Inventory > Context Profiles	FA	R	FA	R	FA	R	FA	R	R	R	R	R	R
Inventory > Virtual Machines	R	R	R	R	R	R	R	R	R	R	R	R	R
Inventory > Virtual Machines > Create & Assign Tags to VM	FA	R	R	R	FA	R	FA	R	R	R	R	FA	FA
Inventory > Containers	FA	R	R	R	R	R	None	None	None	None	None	None	None
Inventory > Physical Servers	FA	R	R	R	R	R	R	R	R	R	None	None	None
Plan & Troubleshoot > Port Mirroring	FA	R	FA	R	R	R	FA	R	None	None	None	None	None
Plan & Troubleshoot > Port Mirroring Binding	FA	R	FA	FA	R	R	FA	R	R	R	R	R	R
Plan & Troubleshoot > Monitoring Profile Binding	FA	R	FA	FA	R	R	FA	R	R	R	R	R	R
Plan & Troubleshoot > IPFIX > Firewall IPFIX Profiles	FA	R	FA	R	FA	R	FA	R	R	R	R	R	R
Plan & Troubleshoot > IPFIX > Switch IPFIX Profiles	FA	R	FA	R	R	R	FA	R	R	R	R	R	R
System > Fabric > Nodes > Hosts	FA	R	R	R	R	R	R	R	None	None	None	None	None
System > Fabric > Nodes > Nodes	FA	R	FA	R	FA	R	R	R	R	R	None	None	None
System > Fabric > Nodes > Edges	FA	R	FA	R	R	R	R	R	None	None	None	None	None
System > Fabric > Nodes > Edge Clusters	FA	R	FA	R	R	R	R	R	None	None	None	None	None
System > Fabric > Nodes > Bridges	FA	R	FA	R	R	R	None	None	R	R	None	None	None
System > Fabric > Nodes > Transport Nodes	FA	R	R	R	R	R	R	R	R	R	None	None	None
System > Fabric > Nodes > Tunnels	R	R	R	R	R	R	R	R	R	R	None	None	None
System > Fabric > Profiles > Uplink Profiles	FA	R	R	R	R	R	R	R	R	R	None	None	None
System > Fabric > Profiles > Edge Cluster Profiles	FA	R	FA	R	R	R	R	R	R	R	None	None	None
System > Fabric > Profiles > Configuration	FA	R	None	None	None	None	R	R	None	None	None	None	None
System > Fabric > Transport Zones > Transport Zones	FA	R	R	R	R	R	R	R	R	R	None	None	None
System > Fabric > Transport Zones > Transport Zone Profiles	FA	R	R	R	R	R	R	R	None	None	None	None	None
System > Fabric > Compute Managers	FA	R	R	R	R	R	R	R	None	None	None	R	R
System > Certificates	FA	R	None	None	FA	R	None	None	FA	R	FA	None	None
System > Service Deployments > Service Instances	FA	R	R	R	FA	R	FA	R	None	None	None	FA	FA
System > Utilities > Support Bundle	FA	R	None	None	None	None	None	None	None	None	None	None	None
System > Utilities > Backup	FA	R	None	None	None	None	None	None	None	None	None	None	None
System > Utilities > Restore	FA	R	None	None	None	None	None	None	None	None	None	None	None
System > Utilities > Upgrade	FA	R	R	R	R	R	None	None	None	None	None	None	None
System > Users > Role Assignments	FA	R	None	None	None	None	None	None	None	None	None	None	None
System > Active Directory	FA	R	FA	R	FA	FA	R	R	R	R	R	R	R
System > Users > Configuration	FA	R	None	None	None	None	None	None	None	None	None	None	None
System > Licenses	FA	R	R	R	R	R	None	None	None	None	None	None	None
System > System Administration	FA	R	R	R	R	R	R	R	None	None	None	None	None
Custom Dashboard Configuration	FA	R	R	R	R	R	FA	R	R	R	R	R	R
System > Lifecycle Management > Migrate	FA	None	None	None	None	None	None	None	None	None	None	None	None

Table 2. Roles and Permissions for Manager Mode
Operation	EA	A	NE	NO	SE	SO	CS Adm	CS Aud	LB Adm	LB Aud	VPN Adm	GI Adm	NI Adm
Plan & Troubleshoot > Port Connection	E	R	E	E	E	E	E	R	E	E	None	None	None
Plan & Troubleshoot > Traceflow	E	R	E	E	E	E	E	R	E	E	None	None	None
Plan & Troubleshoot > Port Mirroring	FA	R	FA	R	R	R	FA	R	None	None	None	None	None
Plan & Troubleshoot > IPFIX	FA	R	FA	R	FA	R	FA	R	R	R	R	R	R
Security > Distributed Firewall > General	FA	R	R	R	FA	R	FA	R	None	None	None	None	R
Security > Distributed Firewall > Configuration	FA	R	R	R	FA	R	FA	R	None	None	None	None	None
Security > Edge Firewall	FA	R	R	R	FA	R	FA	R	None	None	None	None	FA
Networking > Routers	FA	R	FA	FA	R	R	FA	R	R	R	R	None	R
Networking > NAT	FA	R	FA	R	FA	R	FA	R	R	R	None	None	None
Networking > DHCP > Server Profiles	FA	R	FA	R	None	None	FA	R	None	None	None	None	None
Networking > DHCP > Servers	FA	R	FA	R	None	None	FA	R	None	None	None	None	None
Networking > DHCP > Relay Profiles	FA	R	FA	R	None	None	FA	R	None	None	None	None	None
Networking > DHCP > Relay Services	FA	R	FA	R	None	None	FA	R	None	None	None	None	None
Networking > DHCP > Metadata Proxies	FA	R	FA	R	None	None	None	None	None	None	None	None	None
Networking > IPAM	FA	R	FA	FA	R	R	None	None	R	R	None	None	None
Networking > Logical Switches > Switches	FA	R	FA	FA	R	R	FA	R	R	R	R	None	R
Networking > Logical Switches > Ports	FA	R	FA	FA	R	R	FA	R	R	R	R	None	R
Networking > Logical Switches > Switching Profiles	FA	R	FA	FA	R	R	FA	R	R	R	None	None	None
Networking > Load Balancing > Load Balancers	FA	R	None	None	R	None	FA	R	FA	R	None	None	None
Networking > Load Balancing > Profiles > SSL Profiles	FA	R	None	None	FA	R	FA	R	FA	R	None	None	None
Inventory > Groups	FA	R	FA	R	FA	R	FA	R	R	R	R	R	R
Inventory > Groups > IP Sets	FA	R	FA	R	FA	R	FA	R	R	R	R	R	R
Inventory > Groups > IP Pools	FA	R	FA	R	None	None	None	None	R	R	R	R	R
Inventory > Groups > MAC Sets	FA	R	FA	R	FA	R	FA	R	R	R	R	R	R
Inventory > Services	FA	R	FA	R	FA	R	FA	R	R	R	R	R	R
Inventory > Virtual Machines	R	R	R	R	R	R	R	R	R	R	R	R	R
Inventory > Virtual Machines > Create & Assign Tags to VM	FA	R	R	R	FA	R	FA	R	R	R	R	FA	FA
Inventory > Virtual Machines > Configure Tags	FA	None	None	None	None	None	None	None	None	None	None	None	None