You can assign roles to users or user groups if VMware Identity Manager is integrated with NSX-T Data Center, or if you have LDAP as an authentication provider. You can also assign roles to principal identities.

A principal is an NSX-T Data Center component or a third-party application such as an OpenStack product. With a principal identity, a principal can use the identity name to create an object and ensure that only an entity with the same identity name can modify or delete the object. A principal identity has the following properties:
  • Name
  • Node ID - this can be any alphanumeric value assigned to a principal identity
  • Certificate
  • RBAC role indicating the access rights of this principal

Users (local, remote, or principal identity) with the Enterprise Administrator role can modify or delete objects owned by principal identities. Users (local, remote, or principal identity) without the Enterprise Administrator role cannot modify or delete protected objects owned by principal identities, but can modify or delete unprotected objects.

If a principal identity user's certificate expires, you must import a new certificate and make an API call to update the principal identity user's certificate (see the procedure below). For more information about the NSX-T Data Center API, a link to the API resource is available at

A principal identity user's certificate must satisfy the following requirements:
  • SHA256 based.
  • RSA/DSA message algorithm with 2048 bits or above key size.
  • Cannot be a root certificate.

You can delete a principal identity using the API. However, deleting a principal identity does not automatically delete the corresponding certificate. You must delete the certificate manually.

Steps to delete a principal identity and its certificate:
  1. Get the details of the principal identity to delete and note the certificate_id value in the response.

    GET /api/v1/trust-management/principal-identities/<principal-identity-id>

  2. Delete the principal identity.

    DELETE /api/v1/trust-management/principal-identities/<principal-identity-id>

  3. Delete the certificate using the certificate_id value obtained in step 1.

    DELETE /api/v1/trust-management/certificates/<certificate_id>

For LDAP, you configure user groups to user roles mapping information; the groups correspond to the user groups specified in the Active Directory (AD). To grant a user permissions on NSX, add that user to the mapped group in AD.


You must have an authentication provider configured:


  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Select System > Users and Roles.
  3. To assign roles to users, select Add > Role Assignment for vIDM.
    1. Select a user or user group.
    2. Select a role.
    3. Click Save.
  4. To add a principal identity, select Add > Principal Identity with Role.
    1. Enter a name for the principal identity.
    2. Select a role.
    3. Enter a node ID.
    4. Enter a certificate in PEM format.
    5. Click Save.
  5. To add a role assignment for LDAP select Add > Role Assignment for LDAP.
    1. Select a domain.
    2. Enter the first few characters of the user's name, login ID, or a group name to search the LDAP directory, then select a user or group from the list that appears.
    3. Select a role.
    4. Click Save.
  6. (Optional) If using NSX Cloud, log in to the CSM appliance instead of NSX Manager and repeat steps 1 through 4.
  7. If the certificate for the principal identity expires, perform the following steps:
    1. Import a new certificate and note the certificate's ID. See Import a Self-signed or CA-signed Certificate.
    2. Call the following API to get the ID of the principal identity.
      GET https://<nsx-mgr>/api/v1/trust-management/principal-identities
    3. Call the following API to update the principal identity's certificate. You must provide the imported certificate's ID and the principal identity user's ID.
      For example,
      POST https://<nsx-mgr>/api/v1/trust-management/principal-identities?action=update_certificate
          "principal_identity_id": "ebd3032d-728e-44d4-9914-d4f81c9972cb",
          "certificate_id" : "abd3032d-728e-44d4-9914-d4f81c9972cc"