Extend the RBAC capabilities provided by NSX-T Data Center and create custom roles that suit your operational requirements. You can clone an existing role and customize it or you can create a role afresh. Starting in NSX-T Data Center 3.1.1, you can also edit and delete user-created roles.

  • You can create custom roles only for features that are available in Policy mode. If you clone a role that has access to Manager mode features, the cloned role provides access only to the Policy mode features. Most features are supported; features such as Upgrade, Migrate, Fabric, TraceFlow, NSX Intelligence, and the inventory of physical servers and containers are available only in Manager mode and are therefore not supported. The features that are unavailable to users with a custom role include:
    • System > Configuration > Fabric > Profiles
    • System > Configuration > Fabric > Transport Zones
    • System > Configuration > Fabric > Settings > Tunnel/Remote and Tunnel Endpoint
    • System > Configuration > Identity Firewall AD
    • System > Lifecycle Management > Upgrade and Migrate
    • System > Settings > User Management, Support Bundle, Proxy Settings, and User Interface Settings
    For more information on the Manager and Policy modes, see NSX Manager.
  • Only an Enterprise Administrator can grant permission for the role management feature to a custom role. An Enterprise Administrator can therefore create a custom role that delegates further custom role creation and user role assignment.
  • A user assigned a custom role can create other custom roles only with equal or lower permission sets. A user with a custom role cannot create or assign roles with permissions higher than their own.
  • A user assigned a custom role cannot modify or delete the role that is assigned to them.
Note: Custom roles are not supported on Global Manager (Federation).

Procedure

  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Select System > Users and Roles > Roles.
  3. Clone an existing role or create one.
    • To clone a role, click the Action menu for that role and select Clone. Enter a name for the cloned role and specify permissions as per your operational requirements.
    • To create a role, click Add Role. Enter a name for the role and set the permissions as per your operational requirements.
    Note: Based on the features you select, NSX-T Data Center might suggest additional permissions for the new role definition to be valid. Review the recommendations and click Apply.

    When creating a custom role, NSX-T Data Center checks for feature interdependencies. The interdependency check ensures that the user has a minimum of read access to the additional features that are required for the role to be valid.

    For example, if a user creates a role with full access permissions to Gateway Firewall and the None access permission to the Networking Gateway feature, the role is invalid. NSX-T Data Center then suggests that the user assign at least read access to the additionally required Networking Gateway feature.

  4. (Optional) Edit or delete a user-created role.
    • To edit a user-created role, for example to extend its access, click the Action menu for that role and select Edit. Change the role name, description, and permissions as per your operational requirements.
    • To delete a user-created role, for example one that was created for temporary access, click the Action menu for that role and select Delete.
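The two rules the procedure relies on, the feature interdependency check (at least read access to every feature a granted feature depends on) and the equal-or-lower rule for delegated role creation, can be pre-validated before a role definition is submitted. The following is an added example written for this page, not VMware code and not the NSX-T API: the feature names, the linear ranking of permission levels, and the dependency table are assumptions, with the Gateway Firewall / Networking Gateway pair taken from the text above. NSX Manager performs the authoritative check when the role is saved; this script only reproduces the logic so that a delegated administrator can see why a definition will be rejected and what the suggested fix looks like.

```python
"""Pre-flight validator for a custom role definition (added example).

Not VMware code. Feature names, the permission ranking, and the
dependency table are assumptions chosen to illustrate the rules the
page describes; NSX Manager performs the real validation on save.
"""
from dataclasses import dataclass

# Assumed linear ranking of permission levels. The UI offers Full Access,
# Read Only, Execute, and None; treating them as a single ordered scale is
# a simplification that is good enough for an "equal or lower" comparison.
RANK = {"none": 0, "read": 1, "execute": 2, "full": 3}

# Assumed interdependency table: feature -> features that must have at
# least read access for the role to be valid. Only the Gateway Firewall ->
# Networking Gateway pair comes from the page; the second entry is
# illustrative.
REQUIRES_READ = {
    "Gateway Firewall": ["Networking Gateway"],
    "Distributed Firewall": ["Networking Segments"],
}


def _rank(level):
    """Map a permission level to its rank, rejecting unknown values."""
    if level not in RANK:
        raise ValueError(f"unknown permission level: {level!r}")
    return RANK[level]


@dataclass
class Role:
    name: str
    features: dict  # feature name -> permission level ("none", "read", ...)


def missing_dependencies(role):
    """Return (feature, required_feature, minimum_level) for every feature
    granted above 'none' whose required feature sits below read access."""
    missing = []
    for feature, level in role.features.items():
        if _rank(level) == RANK["none"]:
            continue
        for required in REQUIRES_READ.get(feature, []):
            if _rank(role.features.get(required, "none")) < RANK["read"]:
                missing.append((feature, required, "read"))
    return missing


def exceeds_creator(new_role, creator_role):
    """Return (feature, requested, creator_has) for every feature where the
    new role would grant more than the creating user holds. An empty list
    means the new role is an equal-or-lower permission set."""
    over = []
    for feature, level in new_role.features.items():
        have = creator_role.features.get(feature, "none")
        if _rank(level) > _rank(have):
            over.append((feature, level, have))
    return over


def validate(new_role, creator_role):
    """Run both checks and return a summary; 'valid' is True only when the
    role has no missing dependencies and does not exceed its creator."""
    deps = missing_dependencies(new_role)
    over = exceeds_creator(new_role, creator_role)
    return {"valid": not deps and not over,
            "missing_read": deps,
            "exceeds_creator": over}


def suggest_fix(role):
    """Return a copy of the role with read access added wherever the
    dependency check requires it, mirroring the Apply recommendation."""
    fixed = dict(role.features)
    for _, required, level in missing_dependencies(role):
        fixed[required] = level
    return Role(role.name, fixed)


if __name__ == "__main__":
    # Constructed sample input: a delegate who may create further roles.
    creator = Role("fw-delegate", {
        "Gateway Firewall": "full", "Networking Gateway": "read",
        "Distributed Firewall": "full", "Networking Segments": "read",
    })
    # The invalid definition from the page: full Gateway Firewall access
    # with no access to Networking Gateway.
    proposed = Role("gw-fw-operator", {
        "Gateway Firewall": "full", "Networking Gateway": "none",
    })
    print("proposed:", validate(proposed, creator))
    fixed = suggest_fix(proposed)
    print("after suggested fix:", validate(fixed, creator))
    # A definition that is internally valid but exceeds the creator.
    escalate = Role("too-much", {"Networking Gateway": "full"})
    print("escalation attempt:", validate(escalate, creator))
```

The escalation case is the one to watch: a role definition can pass the interdependency check and still be rejected because the delegated creator does not hold the permission being handed out. Keeping both checks separate in the output makes it clear which rule was violated.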