With role-based access control (RBAC), you can restrict system access to authorized users. Users are assigned roles and each role has specific permissions.

There are four types of permissions:

  • Full access (Create, Read, Update, and Delete)
  • Execute (Read, Update)
  • Read
  • None

Full access gives the user all permissions.

NSX-T Data Center has the following built-in roles. In NSX-T Data Center 3.1, if you have permission, you can clone an existing role or add a new role. Starting in NSX-T Data Center 3.1.1, you can also edit newly created roles or delete newly created roles.

  • Enterprise Admin
  • Auditor
  • Network Engineer
  • Network Operations
  • Security Engineer
  • Security Operations
  • Cloud Admin (available in the Cloud environment only)
  • Cloud Operator (available in the Cloud environment only)
  • Load Balancer Administrator
  • Load Balancer Auditor
  • VPN Administrator
  • Guest Introspection Partner Administrator
  • Netx Partner Administrator

To view the built-in roles and the associated permissions, navigate to System > Users and Roles > Roles.

After an Active Directory (AD) user is assigned a role, if the username is changed on the AD server, you need to assign the role again using the new username.

Note: For VMware NSX® Intelligence™ RBAC information, see the Using and Managing VMware NSX Intelligence documentation.

Roles and Permissions

Roles and Permissions and Roles and Permissions for Manager Mode show the permissions each role has for different operations. The following abbreviations are used:
  • EA - Enterprise Administrator
  • A - Auditor
  • NE - Network Engineer
  • NO - Network Operations
  • SE - Security Engineer
  • SO - Security Operations
  • Cld Adm - Cloud Administrator (available in the Cloud environment only)
  • Cld Aud - Cloud Auditor (available in the Cloud environment only)
  • LB Adm - Load Balancer Administrator
  • LB Aud - Load Balancer Auditor
  • VPN Adm - VPN Administrator
  • GI Adm - Guest Introspection Partner Administrator
  • NI Adm - Netx Partner Administrator
  • FA - Full access
  • E - Execute
  • R - Read
Table 1. Roles and Permissions
Operation EA A NE NO SE SO Cld Adm Cld Aud LB Adm LB Aud VPN Adm GI Adm NI Adm
Networking > Tier-0 Gateways FA R FA R R R FA R R R R R R
Networking > Tier-1 Gateways FA R FA R R R FA R R R R R R
Networking > Network Interface FA R FA FA R R FA R R R R R R
Networking > Network Static Routes FA R FA FA R R FA R R R R R R
Networking > Locale Services FA R FA FA R R FA R R R R R R
Networking > Static ARP Configuration FA R FA FA R R FA R R R R R R
Networking > Segments FA R FA R R R FA R R R R R R
Networking > Segments > Segment Profiles FA R FA R R R FA R R R R R R
Networking > IP Address Pools FA R FA FA R R FA R R R None None None
Networking Forwarding Policies FA R FA R FA R FA R None None None None None
Networking > DNS FA R FA FA R R FA R R R None None None
Networking > DHCP FA R FA R R R FA R R R None None None
Networking > Load Balancing FA R None None R None FA R FA R None None None
Networking > NAT FA R FA R FA R FA R R R None None None
Networking > VPN FA R FA R FA R FA R None None FA None None
Networking > IPv6 Profiles FA R FA R R R FA R R R None None None
Security > Distributed Firewall FA R R R FA R FA R R R R R R
Security > Gateway Firewall FA R R R FA R FA R None None None None FA
Security > Network Introspection FA R R R R R FA R None None None None FA
Security > Endpoint Protection Rules FA R R R R R FA R None None None FA None
Inventory > Context Profiles FA R FA R FA R FA R R R R R R
Inventory > Virtual Machines R R R R R R R R R R R R R
Inventory > Virtual Machines > Create & Assign Tags to VM FA R R R FA R FA R R R R FA FA
Inventory > Containers FA R R R R R None None None None None None None
Inventory > Physical Servers FA R R R R R R R R R None None None

Plan & Troubleshoot > Port Mirroring

FA R FA R R R FA R None None None None None
Plan & Troubleshoot > Port Mirroring Binding FA R FA FA R R FA R R R R R R
Plan & Troubleshoot > Monitoring Profile Binding FA R FA FA R R FA R R R R R R

Plan & Troubleshoot > IPFIX > Firewall IPFIX Profiles

FA R FA R FA R FA R R R R R R

Plan & Troubleshoot > IPFIX > Switch IPFIX Profiles

FA R FA R R R FA R R R R R R
System > Fabric > Nodes > Hosts FA R R R R R R R None None None None None
System > Fabric > Nodes > Nodes FA R FA R FA R R R R R None None None
System > Fabric > Nodes > Edges FA R FA R R R R R None None None None None
System > Fabric > Nodes > Edge Clusters FA R FA R R R R R None None None None None
System > Fabric > Nodes > Bridges FA R FA R R R None None R R None None None
System > Fabric > Nodes > Transport Nodes FA R R R R R R R R R None None None
System > Fabric > Nodes > Tunnels R R R R R R R R R R None None None
System > Fabric > Profiles > Uplink Profiles FA R R R R R R R R R None None None
System > Fabric > Profiles > Edge Cluster Profiles FA R FA R R R R R R R None None None
System > Fabric > Profiles > Configuration FA R None None None None R R None None None None None
System > Fabric > Transport Zones > Transport Zones FA R R R R R R R R R None None None
System > Fabric > Transport Zones > Transport Zone Profiles FA R R R R R R R None None None None None
System > Fabric > Compute Managers FA R R R R R R R None None None R R
System > Certificates FA R None None FA R None None FA R FA None None
System > Service Deployments > Service Instances FA R R R FA R FA R None None None FA FA
System > Utilities > Support Bundle FA R None None None None None None None None None None None
System > Utilities > Backup FA R None None None None None None None None None None None
System > Utilities > Restore FA R None None None None None None None None None None None
System > Utilities > Upgrade FA R R R R R None None None None None None None
System > Users > Role Assignments FA R None None None None None None None None None None None
System > Active Directory FA R FA R FA FA R R R R R R R
System > Users > Configuration FA R None None None None None None None None None None None
System > Licenses FA R R R R R None None None None None None None
System > System Administration FA R R R R R R R None None None None None
Custom Dashboard Configuration FA R R R R R FA R R R R R R
System > Lifecycle Management > Migrate FA None None None None None None None None None None None None
Table 2. Roles and Permissions for Manager Mode
Operation EA A NE NO SE SO Cld Adm Cld Aud LB Adm LB Aud VPN Adm GI Adm NI Adm
Plan & Troubleshoot > Port Connection E R E E E E E R E E None None None
Plan & Troubleshoot > Traceflow E R E E E E E R E E None None None
Plan & Troubleshoot > Port Mirroring FA R FA R R R FA R None None None None None
Plan & Troubleshoot > IPFIX FA R FA R FA R FA R R R R R R
Security > Distributed Firewall > General FA R R R FA R FA R None None None None R
Security > Distributed Firewall > Configuration FA R R R FA R FA R None None None None None
Security > Edge Firewall FA R R R FA R FA R None None None None FA
Networking > Routers FA R FA FA R R FA R R R R None R
Networking > NAT FA R FA R FA R FA R R R None None None
Networking > DHCP > Server Profiles FA R FA R None None FA R None None None None None
Networking > DHCP > Servers FA R FA R None None FA R None None None None None
Networking > DHCP > Relay Profiles FA R FA R None None FA R None None None None None
Networking > DHCP > Relay Services FA R FA R None None FA R None None None None None
Networking > DHCP > Metadata Proxies FA R FA R None None None None None None None None None
Networking > IPAM FA R FA FA R R None None R R None None None
Networking > Logical Switches > Switches FA R FA R R R FA R R R R None R
Networking > Logical Switches > Ports FA R FA R R R FA R R R R None R
Networking > Logical Switches > Switching Profiles FA R FA R R R FA R R R None None None
Networking > Load Balancing > Load Balancers FA R None None R None FA R FA R None None None
Networking > Load Balancing > Profiles > SSL Profiles FA R None None FA R FA R FA R None None None
Inventory > Groups FA R FA R FA R FA R R R R R R
Inventory > Groups > IP Sets FA R FA R FA R FA R R R R R R
Inventory > IP Pools FA R FA R None None None None R R R R R
Inventory > Groups > MAC Sets FA R FA R FA R FA R R R R R R
Inventory > Services FA R FA R FA R FA R R R R R R
Inventory > Virtual Machines R R R R R R R R R R R R R
Inventory > Virtual Machines > Create & Assign Tags to VM FA R R R FA R FA R R R R FA FA
Inventory > Virtual Machines > Configure Tags FA None None None None None None None None None None None None