To deploy and administer NSX, certain vCenter permissions are required. NSX provides extensive read and read/write permissions for various users and roles.

Roles Definition

The available roles are as follows:

roles = system_write, system_urm, super_user, vshield_admin, security_admin, auditor, dlp_svm, epsec_host, enterprise_admin, component_manager_user, replicator

local_user_roles = system_write, system_urm, super_user, security_admin, auditor, dlp_svm, epsec_host, component_manager_user, replicator

system_roles = system_write, system_urm, dlp_svm, epsec_host, replicator

Permission Types

The permission types are read and write.

Roles Access Definition

The role access definitions determine whether a role has read or read/write permission.

super_user.object_permission = read, write

vshield_admin.object_permission = read, write

security_admin.object_permission = read, write

auditor.object_permission = read

system_write.object_permission = read, write

system_urm.object_permission = read

dlp_svm.object_permission = read, write

epsec_host.object_permission = read, write

enterprise_admin.object_permission = read, write

replicator.object_permission = read, write

Root Definition

The root definition describes the superuser roles.

super_user.superuser = true

system_write.superuser = true

Role to Object Access for Global Scope

vshield_admin.object_access_scope.global = true

super_user.object_access_scope.global = true

system_write.object_access_scope.global = true

system_urm.object_access_scope.global = true

dlp_svm.object_access_scope.global = true

epsec_host.object_access_scope.global = true

enterprise_admin.object_access_scope.global = true

Role to Object Access for Universal Scope

replicator.object_access_scope.universal = true

system_write.object_access_scope.universal = true

Services

The following services are available in NSX:

administration, urm, edge, app, namespace, spoofguard, dlp, epsec, library, install, vdn, eam, si, truststore, component_manager, ipam, secfabric, security_policy, messaging, replicator

Feature Definitions

The feature definitions within each service are as follows:

administration.featurelist = administration.configuration, administration.update, administration.system_events, administration.audit_logs, administration.debug

urm.featurelist = urm.user_account_management, urm.object_access_control, urm.feature_access_control

edge.featurelist = edge.system, edge.nat, edge.firewall, edge.dhcp, edge.loadbalancer, edge.vpn, edge.syslog, edge.support, edge.routing, edge.certificate, edge.appliance, edge.highavailability, edge.dns, edge.vnic, edge.ssh, edge.autoplumbing, edge.statistics, edge.bridging, edge.systemcontrol

app.featurelist = app.config, app.firewall, app.flow, app.forcesync, app.syslog, app.techsupport

pgi.featurelist = pgi.switch, pgi.portgroup, pgi.lkm

namespace.featurelist = namespace.config

spoofguard.featurelist = spoofguard.config

dlp.featurelist = dlp.scan_scheduling, dlp.reports, dlp.policy, dlp.svm_interaction

epsec.featurelist = epsec.registration, epsec.health_monitoring, epsec.manager, epsec.policy, epsec.svm_priv, epsec.scan, epsec.reports

library.featurelist = library.grouping, library.host_preparation, library.tagging

install.featurelist = install.app, install.epsec, install.dlp

vdn.featurelist = vdn.config_nsm, vdn.provision

eam.featurelist = eam.install

si.featurelist = si.service, si.serviceprofile

truststore.featurelist = truststore.trustentity_management

component_manager.featurelist = component_manager.healthstatus

ipam.featurelist = ipam.configuration, ipam.ipallocation

secfabric.featurelist = secfabric.deploy, secfabric.alarms

security_policy.featurelist = security_policy.configuration, security_policy.security_group_binding

blueprint_sam.featurelist = blueprint_sam.reports, blueprint_sam.ad_config, blueprint_sam.control_data_collection, blueprint_sam.techsupport, blueprint_sam.db_maintain

messaging.featurelist = messaging.messaging

replicator.featurelist = replicator.configuration

Feature Access Definitions

For each feature and role combination, the feature access definition denotes whether the user has read-only or read/write permissions.

When a feature and role combination is not listed, a user with that role has no access to that feature.

For example:

auditor.app.firewall = read

security_admin.app.firewall = read, write

This means the auditor role on the app.firewall feature has read-only access, whereas the security_admin role on the app.firewall feature has read/write access.
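The lookup rules above (listed permission, unlisted means no access) can be checked mechanically. The following parser is an added example, not NSX code: it reads definitions in this page's own syntax, treats the roles flagged with `.superuser = true` as having full access (an assumption the page implies but does not spell out), and lets a `secondary.` override take precedence when the query is for a secondary node, as in the universal-object section later on the page. The definitions string is a constructed subset of the page's lines.

```python
"""Look up NSX role/feature permissions from definitions in this page's format.

Added example: the parser and lookup rules are illustrative code, not NSX code.
SAMPLE_DEFINITIONS is a constructed subset of the page's own lines.
"""
from typing import Dict, FrozenSet, Set, Tuple

SAMPLE_DEFINITIONS = """
roles = super_user, vshield_admin, security_admin, auditor
super_user.superuser = true
auditor.object_permission = read
vshield_admin.object_access_scope.global = true
app.featurelist = app.config, app.firewall, app.flow
auditor.app.firewall = read
security_admin.app.firewall = read, write
vshield_admin.edge.firewall = read
secondary.vshield_admin.edge.firewall = read, write
"""

Perm = FrozenSet[str]
AccessMap = Dict[Tuple[str, str], Perm]          # (role, "service.feature") -> perms
Defs = Tuple[Set[str], AccessMap, AccessMap]     # superusers, primary, secondary
# Definition kinds on the page that are not feature access lines; skipped here.
SKIPPED = {"featurelist", "object_permission", "object_access_scope"}


def parse_definitions(text: str) -> Defs:
    """Return (superuser roles, primary access map, secondary-node overrides)."""
    superusers: Set[str] = set()
    access: AccessMap = {}
    secondary: AccessMap = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        parts = key.strip().split(".")
        values = frozenset(v.strip() for v in value.split(","))
        if len(parts) < 2 or parts[1] in SKIPPED:
            continue                      # role lists, featurelists, scopes
        if parts[1] == "superuser":
            if values == {"true"}:
                superusers.add(parts[0])
        elif parts[0] == "secondary" and len(parts) == 4:
            secondary[(parts[1], f"{parts[2]}.{parts[3]}")] = values
        elif len(parts) == 3:
            access[(parts[0], f"{parts[1]}.{parts[2]}")] = values
        else:
            raise ValueError(f"unrecognised definition: {line}")
    return superusers, access, secondary


def effective_permission(role: str, feature: str, defs: Defs,
                         node: str = "primary") -> Perm:
    """Permission set for role on feature; an empty set means no access."""
    superusers, access, secondary = defs
    if role in superusers:
        return frozenset({"read", "write"})   # assumed: superuser roles get everything
    if node == "secondary" and (role, feature) in secondary:
        return secondary[(role, feature)]     # universal-object override on secondary
    return access.get((role, feature), frozenset())  # unlisted -> no access


if __name__ == "__main__":
    d = parse_definitions(SAMPLE_DEFINITIONS)
    for r in ("auditor", "security_admin", "vshield_admin"):
        print(r, "app.firewall", sorted(effective_permission(r, "app.firewall", d)))
```

Feeding the whole page's definitions through `parse_definitions` gives a quick audit of which roles can write to which feature, which is useful when deciding which role to assign to an operator.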

Feature Access Definitions - system_urm

system_urm.urm.user_account_management = read

Feature Access Definitions - vshield_admin

vshield_admin.administration.configuration = read, write

vshield_admin.administration.update = read, write

vshield_admin.administration.system_events = read, write

vshield_admin.administration.audit_logs = read

vshield_admin.urm.user_account_management = read, write

vshield_admin.urm.object_access_control = read

vshield_admin.urm.feature_access_control = read

vshield_admin.edge.system = read, write

vshield_admin.edge.appliance = read, write

vshield_admin.edge.highavailability = read, write

vshield_admin.edge.vnic = read, write

vshield_admin.edge.dns = read

vshield_admin.edge.ssh = read, write

vshield_admin.edge.autoplumbing = read

vshield_admin.edge.statistics = read

vshield_admin.edge.nat = read

vshield_admin.edge.dhcp = read

vshield_admin.edge.loadbalancer = read

vshield_admin.edge.vpn = read

vshield_admin.edge.syslog = read, write

vshield_admin.edge.support = read, write

vshield_admin.edge.routing = read

vshield_admin.edge.firewall = read

vshield_admin.edge.bridging = read

vshield_admin.edge.certificate = read

vshield_admin.edge.systemcontrol = read, write

vshield_admin.library.grouping = read

vshield_admin.app.config = read, write

vshield_admin.app.forcesync = read, write

vshield_admin.app.syslog = read, write

vshield_admin.app.techsupport = read, write

vshield_admin.namespace.config = read, write

vshield_admin.dlp.scan_scheduling = read, write

vshield_admin.epsec.reports = read, write

vshield_admin.epsec.registration = read, write

vshield_admin.epsec.health_monitoring = read

vshield_admin.epsec.policy = read, write

vshield_admin.epsec.scan_scheduling = read, write

vshield_admin.library.host_preparation = read, write

vshield_admin.library.tagging = read

vshield_admin.install.app = read, write

vshield_admin.install.epsec = read, write

vshield_admin.install.dlp = read, write

vshield_admin.vdn.config_nsm = read, write

vshield_admin.vdn.provision = read, write

vshield_admin.eam.install = read, write

vshield_admin.si.service = read, write

vshield_admin.si.serviceprofile = read, write

vshield_admin.truststore.trustentity_management = read, write

vshield_admin.ipam.configuration = read, write

vshield_admin.ipam.ipallocation = read, write

vshield_admin.secfabric.deploy = read, write

vshield_admin.secfabric.alarms = read, write

vshield_admin.blueprint_sam.ad_config = read, write

vshield_admin.blueprint_sam.control_data_collection = read, write

vshield_admin.blueprint_sam.techsupport = read, write

vshield_admin.blueprint_sam.db_maintain = read, write

vshield_admin.messaging.messaging = read, write

vshield_admin.replicator.configuration = read, write

Feature Access Definitions - security_admin

security_admin.administration.system_events = read, write

security_admin.administration.audit_logs = read

security_admin.edge.system = read

security_admin.edge.appliance = read

security_admin.edge.highavailability = read

security_admin.edge.vnic = read, write

security_admin.edge.dns = read, write

security_admin.edge.ssh = read, write

security_admin.edge.autoplumbing = read, write

security_admin.edge.statistics = read

security_admin.edge.nat = read, write

security_admin.edge.dhcp = read, write

security_admin.edge.loadbalancer = read, write

security_admin.edge.vpn = read, write

security_admin.edge.syslog = read, write

security_admin.edge.support = read, write

security_admin.edge.routing = read, write

security_admin.edge.firewall = read, write

security_admin.edge.bridging = read, write

security_admin.edge.certificate = read, write

security_admin.edge.systemcontrol = read, write

security_admin.app.firewall = read, write

security_admin.app.flow = read, write

security_admin.app.forcesync = read

security_admin.app.syslog = read

security_admin.namespace.config = read

security_admin.spoofguard.config = read, write

security_admin.dlp.reports = read, write

security_admin.dlp.policy = read, write

security_admin.epsec.policy = read, write

security_admin.epsec.reports = read

security_admin.epsec.health_monitoring = read

security_admin.library.grouping = read, write

security_admin.library.tagging = read, write

security_admin.install.app = read

security_admin.install.epsec = read

security_admin.install.dlp = read

security_admin.vdn.config_nsm = read

security_admin.vdn.provision = read

security_admin.eam.install = read

security_admin.si.service = read, write

security_admin.si.serviceprofile = read

security_admin.truststore.trustentity_management = read, write

security_admin.ipam.configuration = read, write

security_admin.ipam.ipallocation = read, write

security_admin.secfabric.alarms = read

security_admin.secfabric.deploy = read

security_admin.security_policy.configuration = read, write

security_admin.security_policy.security_group_binding = read, write

security_admin.blueprint_sam.reports = read

security_admin.blueprint_sam.ad_config = read

security_admin.blueprint_sam.control_data_collection = read

security_admin.blueprint_sam.db_maintain = read

security_admin.messaging.messaging = read, write

security_admin.replicator.configuration = read

Feature Access Definitions - auditor

auditor.administration.system_events = read

auditor.administration.audit_logs = read

auditor.edge.appliance = read

auditor.edge.highavailability = read

auditor.edge.vnic = read

auditor.edge.dns = read

auditor.edge.ssh = read

auditor.edge.autoplumbing = read

auditor.edge.statistics = read

auditor.edge.nat = read

auditor.edge.dhcp = read

auditor.edge.loadbalancer = read

auditor.edge.vpn = read

auditor.edge.syslog = read

auditor.edge.routing = read

auditor.edge.firewall = read

auditor.edge.bridging = read

auditor.edge.system = read

auditor.edge.certificate = read

auditor.edge.systemcontrol = read

auditor.app.firewall = read

auditor.app.flow = read

auditor.app.forcesync = read

auditor.app.syslog = read

auditor.namespace.config = read

auditor.spoofguard.config = read

auditor.dlp.scan_scheduling = read

auditor.dlp.policy = read

auditor.dlp.reports = read

auditor.library.grouping = read

auditor.epsec_host.health_monitoring = read

auditor.epsec.policy = read

auditor.epsec.reports = read

auditor.epsec.registration = read

auditor.vdn.config_nsm = read

auditor.epsec.scan_scheduling = read

auditor.vdn.provision = read

auditor.si.service = read

auditor.si.serviceprofile = read

auditor.truststore.trustentity_management = read

auditor.secfabric.alarms = read

auditor.secfabric.deploy = read

auditor.security_policy.configuration = read

auditor.security_policy.security_group_binding = read

auditor.blueprint_sam.reports = read

auditor.blueprint_sam.ad_config = read

auditor.blueprint_sam.control_data_collection = read

auditor.blueprint_sam.db_maintain = read

auditor.library.tagging = read

auditor.ipam.configuration = read

auditor.ipam.ipallocation = read

auditor.messaging.messaging = read

auditor.replicator.configuration = read

Feature Access Definitions - dlp_svm

dlp_svm.dlp.svm_interaction = read, write

dlp_svm.epsec.svm_priv = read, write

dlp_svm.epsec.registration = read

dlp_svm.epsec.policy = read

dlp_svm.epsec.scan_scheduling = read

dlp_svm.library.host_preparation = read, write

dlp_svm.library.tagging = read, write

Feature Access Definitions - epsec_host

epsec_host.epsec.registration = read

epsec_host.epsec.health_monitoring = write

Feature Access Definitions - enterprise_admin

enterprise_admin.administration.configuration = read, write

enterprise_admin.administration.update = read, write

enterprise_admin.administration.system_events = read, write

enterprise_admin.administration.audit_logs = read

enterprise_admin.urm.user_account_management = read, write

enterprise_admin.urm.object_access_control = read

enterprise_admin.urm.feature_access_control = read

enterprise_admin.edge.system = read, write

enterprise_admin.edge.appliance = read, write

enterprise_admin.edge.highavailability = read, write

enterprise_admin.edge.vnic = read, write

enterprise_admin.edge.dns = read, write

enterprise_admin.edge.ssh = read, write

enterprise_admin.edge.autoplumbing = read, write

enterprise_admin.edge.statistics = read, write

enterprise_admin.edge.nat = read, write

enterprise_admin.edge.dhcp = read, write

enterprise_admin.edge.loadbalancer = read, write

enterprise_admin.edge.vpn = read, write

enterprise_admin.edge.syslog = read, write

enterprise_admin.edge.support = read, write

enterprise_admin.edge.routing = read, write

enterprise_admin.edge.firewall = read, write

enterprise_admin.edge.bridging = read, write

enterprise_admin.edge.certificate = read, write

enterprise_admin.edge.systemcontrol = read, write

enterprise_admin.library.grouping = read, write

enterprise_admin.library.host_preparation = read, write

enterprise_admin.library.tagging = read, write

enterprise_admin.app.config = read, write

enterprise_admin.app.forcesync = read, write

enterprise_admin.app.syslog = read, write

enterprise_admin.app.techsupport = read, write

enterprise_admin.app.firewall = read, write

enterprise_admin.app.flow = read, write

enterprise_admin.namespace.config = read, write

enterprise_admin.dlp.scan_scheduling = read, write

enterprise_admin.dlp.reports = read, write

enterprise_admin.dlp.policy = read, write

enterprise_admin.epsec.registration = read, write

enterprise_admin.epsec.health_monitoring = read

enterprise_admin.epsec.scan_scheduling = read, write

enterprise_admin.epsec.reports = read, write

enterprise_admin.epsec.policy = read, write

enterprise_admin.install.app = read, write

enterprise_admin.install.epsec = read, write

enterprise_admin.install.dlp = read, write

enterprise_admin.eam.install = read, write

enterprise_admin.spoofguard.config = read, write

enterprise_admin.vdn.config_nsm = read, write

enterprise_admin.vdn.provision = read, write

enterprise_admin.si.service = read, write

enterprise_admin.si.serviceprofile = read, write

enterprise_admin.truststore.trustentity_management = read, write

enterprise_admin.ipam.configuration = read, write

enterprise_admin.ipam.ipallocation = read, write

enterprise_admin.secfabric.deploy = read, write

enterprise_admin.secfabric.alarms = read, write

enterprise_admin.security_policy.configuration = read, write

enterprise_admin.security_policy.security_group_binding = read, write

enterprise_admin.blueprint_sam.reports = read

enterprise_admin.blueprint_sam.ad_config = read, write

enterprise_admin.blueprint_sam.control_data_collection = read, write

enterprise_admin.blueprint_sam.techsupport = read, write

enterprise_admin.blueprint_sam.db_maintain = read, write

enterprise_admin.messaging.messaging = read, write

enterprise_admin.replicator.configuration = read, write

Feature Access Definitions - component_manager_user

component_manager_user.component_manager.healthstatus = read

Feature Access Definitions - replicator

replicator.administration.configuration = read, write

replicator.administration.update = read, write

replicator.administration.system_events = read, write

replicator.administration.audit_logs = read

replicator.urm.user_account_management = read, write

replicator.urm.object_access_control = read

replicator.urm.feature_access_control = read

replicator.edge.system = read, write

replicator.edge.appliance = read, write

replicator.edge.highavailability = read

replicator.edge.vnic = read, write

replicator.edge.dns = read

replicator.edge.ssh = read

replicator.edge.autoplumbing = read, write

replicator.edge.statistics = read

replicator.edge.nat = read

replicator.edge.dhcp = read, write

replicator.edge.loadbalancer = read

replicator.edge.vpn = read

replicator.edge.syslog = read

replicator.edge.support = read

replicator.edge.routing = read, write

replicator.edge.firewall = read

replicator.edge.bridging = read

replicator.edge.certificate = read

replicator.edge.systemcontrol = read

replicator.library.grouping = read, write

replicator.library.host_preparation = read, write

replicator.library.tagging = read, write

replicator.app.config = read, write

replicator.app.forcesync = read, write

replicator.app.syslog = read, write

replicator.app.techsupport = read, write

replicator.app.firewall = read, write

replicator.app.flow = read, write

replicator.namespace.config = read, write

replicator.dlp.scan_scheduling = read, write

replicator.dlp.reports = read, write

replicator.dlp.policy = read, write

replicator.epsec.registration = read, write

replicator.epsec.health_monitoring = read

replicator.epsec.scan_scheduling = read, write

replicator.epsec.reports = read, write

replicator.epsec.policy = read, write

replicator.install.app = read, write

replicator.install.epsec = read, write

replicator.install.dlp = read, write

replicator.eam.install = read, write

replicator.spoofguard.config = read, write

replicator.vdn.config_nsm = read, write

replicator.vdn.provision = read, write

replicator.si.service = read, write

replicator.si.serviceprofile = read, write

replicator.truststore.trustentity_management = read, write

replicator.ipam.configuration = read, write

replicator.ipam.ipallocation = read, write

replicator.secfabric.deploy = read, write

replicator.secfabric.alarms = read, write

replicator.security_policy.configuration = read, write

replicator.security_policy.security_group_binding = read, write

replicator.blueprint_sam.reports = read

replicator.blueprint_sam.ad_config = read, write

replicator.blueprint_sam.control_data_collection = read, write

replicator.blueprint_sam.techsupport = read, write

replicator.blueprint_sam.db_maintain = read, write

replicator.messaging.messaging = read, write

replicator.replicator.configuration = read, write

Overwrite Role Feature Permissions on Secondary Node on Universal Objects

secondary.super_user.edge.highavailability = read, write

secondary.enterprise_admin.edge.highavailability = read, write

secondary.vshield_admin.edge.highavailability = read, write

secondary.super_user.edge.ssh = read, write

secondary.enterprise_admin.edge.ssh = read, write

secondary.security_admin.edge.ssh = read, write

secondary.vshield_admin.edge.ssh = read, write

secondary.super_user.edge.syslog = read, write

secondary.enterprise_admin.edge.syslog = read, write

secondary.security_admin.edge.syslog = read, write

secondary.vshield_admin.edge.syslog = read, write

secondary.super_user.edge.support = read, write

secondary.enterprise_admin.edge.support = read, write

secondary.security_admin.edge.support = read, write

secondary.vshield_admin.edge.support = read, write

secondary.super_user.edge.routing = read, write

secondary.security_admin.edge.routing = read, write

secondary.enterprise_admin.edge.routing = read, write

secondary.super_user.edge.appliance = read, write

secondary.vshield_admin.edge.appliance = read, write

secondary.enterprise_admin.edge.appliance = read, write

secondary.super_user.edge.vnic = read, write

secondary.vshield_admin.edge.vnic = read, write

secondary.enterprise_admin.edge.vnic = read, write

secondary.super_user.edge.firewall = read, write

secondary.vshield_admin.edge.firewall = read, write

secondary.enterprise_admin.edge.firewall = read, write