With role-based access control (RBAC), you can restrict system access to authorized users. Users are assigned roles and each role has specific permissions.

There are four permission levels:

  • Full access (FA): Create, Read, Update, and Delete
  • Execute (E): Read and Update
  • Read (R): Read only
  • None: no access

Full access gives the user all permissions.

NSX-T Data Center has the following built-in roles. Role names in the UI may be different in the API. In NSX-T Data Center 3.1, if you have permission, you can clone an existing role or add a new role. Starting in NSX-T Data Center 3.1.1, you can also edit newly created roles or delete newly created roles.

  • Auditor
  • Cloud Admin (available in the Cloud environment only)
  • Cloud Operator (available in the Cloud environment only)
  • Enterprise Admin
  • GI Partner Admin (Guest Introspection)
  • LB Admin (Load Balancer)
  • LB Operator
  • Network Admin
  • Network Operator
  • Netx Partner Admin (Network Introspection)
  • Security Admin
  • Security Operator
  • VPN Admin

To view the built-in and custom roles and their associated permissions, navigate to System > User Management > Roles and expand the row to view details. You can view permissions of all categories from the Permissions window.

After an Active Directory (AD) user is assigned a role, if the username is changed on the AD server, you need to assign the role again using the new username.

Note: For VMware NSX® Intelligence™ RBAC information, see the Using and Managing VMware NSX Intelligence documentation.

Roles and Permissions

The tables below, Roles and Permissions and Roles and Permissions for Manager Mode, show the permissions each role has for different operations. The following abbreviations are used:
  • A - Auditor
  • CA - Cloud Admin (available in the Cloud environment only)
  • CO - Cloud Operator (available in the Cloud environment only)
  • EA - Enterprise Admin
  • GIPA - GI Partner Admin (Guest Introspection Partner Administrator)
  • LBA - LB Admin (Load Balancer)
  • LBO - LB Operator
  • NA - Network Admin
  • NO - Network Operator
  • NXPA - Netx Partner Admin (Network Introspection Administrator)
  • SA - Security Admin
  • SO - Security Operator
  • VPNA - VPN Admin
  • FA - Full access
  • E - Execute
  • R - Read
Table 1. Roles and Permissions

| Operation | EA | A | NA | NO | SA | SO | CA | CO | LBA | LBO | VPNA | GIPA | NXPA |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Networking > Tier-0 Gateways | FA | R | FA | R | R | R | FA | R | R | R | R | R | R |
| Networking > Tier-1 Gateways | FA | R | FA | R | R | R | FA | R | R | R | R | R | R |
| Networking > Network Interface | FA | R | FA | R | R | R | FA | R | R | R | R | R | R |
| Networking > Network Static Routes | FA | R | FA | R | R | R | FA | R | R | R | R | R | R |
| Networking > Locale Services | FA | R | FA | R | R | R | FA | R | R | R | R | R | R |
| Networking > Static ARP Configuration | FA | R | FA | R | R | R | FA | R | R | R | R | R | R |
| Networking > Segments | FA | R | FA | R | R | R | FA | R | R | R | R | R | R |
| Networking > Segments > Segment Profiles | FA | R | FA | R | R | R | FA | R | R | R | R | R | R |
| Networking > IP Address Pools | FA | R | FA | R | R | R | FA | R | R | R | None | None | None |
| Networking > Forwarding Policies | FA | R | FA | R | FA | R | FA | R | None | None | None | None | None |
| Networking > DNS | FA | R | FA | FA | R | R | FA | R | R | R | None | None | None |
| Networking > DHCP | FA | R | FA | R | R | R | FA | R | R | R | None | None | None |
| Networking > Load Balancing | FA | R | None | None | R | None | FA | R | FA | R | None | None | None |
| Networking > NAT | FA | R | FA | R | FA | R | FA | R | R | R | None | None | None |
| Networking > VPN | FA | R | FA | R | FA | R | FA | R | None | None | FA | None | None |
| Networking > IPv6 Profiles | FA | R | FA | R | R | R | FA | R | R | R | None | None | None |
| Security > Distributed Firewall | FA | R | R | R | FA | R | FA | R | R | R | R | R | R |
| Security > Gateway Firewall | FA | R | R | R | FA | R | FA | R | None | None | None | None | FA |
| Security > Network Introspection | FA | R | R | R | FA | R | FA | R | None | None | None | None | FA |
| Security > Endpoint Protection Rules | FA | R | R | R | FA | R | FA | R | None | None | None | FA | None |
| Inventory > Context Profiles | FA | R | R | R | FA | R | FA | R | R | R | R | R | R |
| Inventory > Virtual Machines | R | R | R | R | R | R | R | R | R | R | R | R | R |
| Inventory > Virtual Machines > Create & Assign Tags to VM | FA | R | R | R | FA | R | FA | R | R | R | R | FA | FA |
| Inventory > Containers | FA | R | R | R | R | R | None | None | None | None | None | None | None |
| Inventory > Physical Servers | FA | R | R | R | R | R | R | R | R | R | None | None | None |
| Plan & Troubleshoot > Port Mirroring | FA | R | FA | R | R | R | FA | R | None | None | None | None | None |
| Plan & Troubleshoot > Port Mirroring Binding | FA | R | FA | FA | R | R | FA | R | R | R | R | R | R |
| Plan & Troubleshoot > Monitoring Profile Binding | FA | R | FA | FA | R | R | FA | R | R | R | R | R | R |
| Plan & Troubleshoot > IPFIX > Firewall IPFIX Profiles | FA | R | FA | R | FA | R | FA | R | R | R | R | R | R |
| Plan & Troubleshoot > IPFIX > Switch IPFIX Profiles | FA | R | FA | R | R | R | FA | R | R | R | R | R | R |
| Plan & Troubleshoot > Traceflow | FA | None | FA | FA | FA | FA | FA | FA | FA | FA | None | None | None |
| System > Fabric > Nodes > Hosts | FA | R | R | R | R | R | R | R | None | None | None | None | None |
| System > Fabric > Nodes > Nodes | FA | R | FA | R | FA | R | R | R | R | R | None | None | None |
| System > Fabric > Nodes > Edges | FA | R | FA | R | R | R | R | R | None | None | None | None | None |
| System > Fabric > Nodes > Edge Clusters | FA | R | FA | R | R | R | R | R | None | None | None | None | None |
| System > Fabric > Nodes > Bridges | FA | R | FA | R | R | R | None | None | R | R | None | None | None |
| System > Fabric > Nodes > Transport Nodes | FA | R | R | R | R | R | R | R | R | R | None | None | None |
| System > Fabric > Nodes > Tunnels | R | R | R | R | R | R | R | R | R | R | None | None | None |
| System > Fabric > Profiles > Uplink Profiles | FA | R | R | R | R | R | R | R | R | R | None | None | None |
| System > Fabric > Profiles > Edge Cluster Profiles | FA | R | FA | R | R | R | R | R | R | R | None | None | None |
| System > Fabric > Profiles > Configuration | FA | R | None | None | None | None | R | R | None | None | None | None | None |
| System > Fabric > Transport Zones > Transport Zones | FA | R | R | R | R | R | R | R | R | R | None | None | None |
| System > Fabric > Transport Zones > Transport Zone Profiles | FA | R | R | R | R | R | R | R | None | None | None | None | None |
| System > Fabric > Compute Managers | FA | R | R | R | R | R | R | R | None | None | None | R | R |
| System > Certificates | FA | R | None | None | FA | R | None | None | FA | R | FA | None | None |
| System > Service Deployments > Service Instances | FA | R | R | R | FA | R | FA | R | None | None | None | FA | FA |
| System > Utilities > Support Bundle | FA | R | None | None | None | None | None | None | None | None | None | None | None |
| System > Utilities > Backup | FA | R | None | None | None | None | None | None | None | None | None | None | None |
| System > Utilities > Restore | FA | R | None | None | None | None | None | None | None | None | None | None | None |
| System > Utilities > Upgrade | FA | R | R | R | R | R | None | None | None | None | None | None | None |
| System > Users > Role Assignments | FA | R | None | None | None | None | FA | None | None | None | None | None | None |
| System > Active Directory | FA | R | FA | R | FA | FA | R | R | R | R | R | R | R |
| System > Users > Configuration | FA | R | None | None | None | None | None | None | None | None | None | None | None |
| System > Licenses | FA | R | R | R | R | R | None | None | None | None | None | None | None |
| System > System Administration | FA | R | R | R | R | R | R | R | None | None | None | None | None |
| Custom Dashboard Configuration | FA | R | R | R | R | R | FA | R | R | R | R | R | R |
| System > Lifecycle Management > Migrate | FA | None | None | None | None | None | None | None | None | None | None | None | None |
Table 2. Roles and Permissions for Manager Mode

| Operation | EA | A | NA | NO | SA | SO | CA | CO | LBA | LBO | VPNA | GIPA | NXPA |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Plan & Troubleshoot > Port Connection | E | R | E | E | E | E | E | R | E | E | None | None | None |
| Plan & Troubleshoot > Traceflow | FA | R | E | E | E | E | None | None | E | E | None | None | None |
| Plan & Troubleshoot > Port Mirroring | FA | R | FA | R | R | R | FA | R | None | None | None | None | None |
| Plan & Troubleshoot > IPFIX | FA | R | FA | R | FA | R | FA | R | R | R | R | R | R |
| Security > Distributed Firewall > General | FA | R | R | R | FA | R | FA | R | None | None | None | None | R |
| Security > Distributed Firewall > Configuration | FA | R | R | R | FA | R | FA | R | None | None | None | None | None |
| Security > Edge Firewall | FA | R | R | R | FA | R | FA | R | None | None | None | None | FA |
| Networking > Routers | FA | R | FA | FA | R | R | FA | R | R | R | R | None | R |
| Networking > NAT | FA | R | FA | R | FA | R | FA | R | R | R | None | None | None |
| Networking > DHCP > Server Profiles | FA | R | FA | R | None | None | FA | R | None | None | None | None | None |
| Networking > DHCP > Servers | FA | R | FA | R | None | None | FA | R | None | None | None | None | None |
| Networking > DHCP > Relay Profiles | FA | R | FA | R | None | None | FA | R | None | None | None | None | None |
| Networking > DHCP > Relay Services | FA | R | FA | R | None | None | FA | R | None | None | None | None | None |
| Networking > DHCP > Metadata Proxies | FA | R | FA | R | None | None | None | None | None | None | None | None | None |
| Networking > IPAM | FA | R | FA | FA | R | R | None | None | R | R | None | None | None |
| Networking > Logical Switches > Switches | FA | R | FA | R | R | R | FA | R | R | R | R | None | R |
| Networking > Logical Switches > Ports | FA | R | FA | R | R | R | FA | R | R | R | R | None | R |
| Networking > Logical Switches > Switching Profiles | FA | R | FA | R | R | R | FA | R | R | R | None | None | None |
| Networking > Load Balancing > Load Balancers | FA | R | None | None | R | None | FA | R | FA | R | None | None | None |
| Networking > Load Balancing > Profiles > SSL Profiles | FA | R | None | None | FA | R | FA | R | FA | R | None | None | None |
| Inventory > Groups | FA | R | FA | R | FA | R | FA | R | R | R | R | R | R |
| Inventory > Groups > IP Sets | FA | R | FA | R | FA | R | FA | R | R | R | R | R | R |
| Inventory > IP Pools | FA | R | FA | R | None | None | None | None | R | R | R | R | R |
| Inventory > Groups > MAC Sets | FA | R | FA | R | FA | R | FA | R | R | R | R | R | R |
| Inventory > Services | FA | R | FA | R | FA | R | FA | R | R | R | R | R | R |
| Inventory > Virtual Machines | R | R | R | R | R | R | R | R | R | R | R | R | R |
| Inventory > Virtual Machines > Create & Assign Tags to VM | FA | R | R | R | FA | R | FA | R | R | R | R | FA | FA |
| Inventory > Virtual Machines > Configure Tags | FA | None | None | None | None | None | None | None | None | None | None | None | None |
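The permission levels defined at the top of this page (Full access, Execute, Read, None) and the two tables above can be turned into a small audit tool: encode each level as the set of CRUD actions it grants, parse table rows in the "operation followed by one cell per role" layout, and then ask which roles can modify a given operation, or what a given role can modify across the table. The following Python is an added example written for this page; it is not VMware code and not part of the NSX-T product. The sample rows are copied from Table 1 and Table 2 above; the function names, the `LEVEL_ALIASES` handling of the one cell the page spells "Read", and the choice to treat Create, Update and Delete as the "write" actions worth reviewing are this example's own assumptions.

```python
"""Encode the NSX-T RBAC permission levels and parse rows of the Roles and
Permissions tables so role assignments can be audited programmatically.
Added example, not VMware code. The sample rows below are copied from the
tables on this page; everything else is this example's own construction."""
from typing import Dict, List

# Permission levels as the page defines them: Full access = Create, Read,
# Update, Delete; Execute = Read, Update; Read = Read only; None = nothing.
PERMISSION_ACTIONS = {
    "FA": frozenset({"create", "read", "update", "delete"}),
    "E": frozenset({"read", "update"}),
    "R": frozenset({"read"}),
    "None": frozenset(),
}
# The page spells one cell "Read"; treat it as the R level (assumption).
LEVEL_ALIASES = {"Read": "R"}

# Column order of both tables on the page.
ROLE_COLUMNS = ["EA", "A", "NA", "NO", "SA", "SO", "CA", "CO",
                "LBA", "LBO", "VPNA", "GIPA", "NXPA"]

# Actions that change state; these are what a least-privilege review cares about.
WRITE_ACTIONS = frozenset({"create", "update", "delete"})


def parse_table(rows: List[str]) -> Dict[str, Dict[str, str]]:
    """Map 'operation -> {role -> level}' from flattened table rows.

    Each row is the operation name (which may contain spaces and '>')
    followed by exactly one permission token per role column, so the
    last len(ROLE_COLUMNS) tokens are the cells and the rest is the name.
    """
    table: Dict[str, Dict[str, str]] = {}
    n = len(ROLE_COLUMNS)
    for row in rows:
        tokens = row.split()
        if len(tokens) <= n:
            raise ValueError(f"row has fewer than {n} permission cells: {row!r}")
        levels = [LEVEL_ALIASES.get(t, t) for t in tokens[-n:]]
        bad = [t for t in levels if t not in PERMISSION_ACTIONS]
        if bad:
            raise ValueError(f"unknown permission level(s) {bad} in row {row!r}")
        operation = " ".join(tokens[:-n])
        table[operation] = dict(zip(ROLE_COLUMNS, levels))
    return table


def can(table: Dict[str, Dict[str, str]], role: str, operation: str, action: str) -> bool:
    """True if `role` may perform `action` (create/read/update/delete) on `operation`."""
    level = table[operation][role]
    return action in PERMISSION_ACTIONS[level]


def roles_with_write(table: Dict[str, Dict[str, str]], operation: str) -> List[str]:
    """Roles that can change `operation`; the set to review before assigning roles."""
    return [role for role, level in table[operation].items()
            if PERMISSION_ACTIONS[level] & WRITE_ACTIONS]


def write_scope(table: Dict[str, Dict[str, str]], role: str) -> List[str]:
    """Every operation in `table` that `role` can modify (least-privilege review)."""
    return [op for op in table if PERMISSION_ACTIONS[table[op][role]] & WRITE_ACTIONS]


# Rows copied from Table 1 (Roles and Permissions) on this page.
POLICY_ROWS = [
    "Networking > Load Balancing FA R None None R None FA R FA R None None None",
    "System > Users > Role Assignments FA R None None None None FA None None None None None None",
    "System > Certificates FA R None None FA R None None FA R FA None None",
    "Inventory > Virtual Machines R R R R R R R R R R R R R",
]
# Rows copied from Table 2 (Roles and Permissions for Manager Mode).
MANAGER_MODE_ROWS = [
    "Plan & Troubleshoot > Port Connection E R E E E E E R E E None None None",
    "Plan & Troubleshoot > Traceflow FA Read E E E E None None E E None None None",
]

POLICY = parse_table(POLICY_ROWS)
MANAGER_MODE = parse_table(MANAGER_MODE_ROWS)

if __name__ == "__main__":
    # Which roles can hand out roles? Only Enterprise Admin and Cloud Admin.
    print(roles_with_write(POLICY, "System > Users > Role Assignments"))
    # What can an LB Admin change among the sampled operations?
    print(write_scope(POLICY, "LBA"))
    # Execute lets a Network Operator update, but not create, a Port Connection check.
    print(can(MANAGER_MODE, "NO", "Plan & Troubleshoot > Port Connection", "update"),
          can(MANAGER_MODE, "NO", "Plan & Troubleshoot > Port Connection", "create"))
```

To run this against the full tables, paste every row of Table 1 into `POLICY_ROWS` and every row of Table 2 into `MANAGER_MODE_ROWS` (one string per row, cells separated by spaces); `parse_table` rejects rows with a missing cell or an unrecognised level, which catches copy errors before they turn into a wrong audit answer.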