When you assign a role to an SSO user, vCenter authenticates the user with the identity service configured on the SSO server. If the SSO server is not configured or is not available, the user is authenticated either locally or with Active Directory based on vCenter configuration.

  1. Log in to the vSphere Web Client.

  2. Click Networking & Security and then click NSX Managers.

  3. Click an NSX Manager in the Name column and then click the Manage tab.

  4. Click Users.

  5. Click Add.

    The Assign Role window opens.

  6. Click Specify a vCenter user or Specify a vCenter group.

  7. Type the name of the vCenter user or group.

    Refer to the example below for more information.

    Domain name: corp.vmware.com

    Alias: corp

    Group name: group1@corp.vmware.com

    User name : user1@corp.vmware.com

    When a group is assigned a role on the NSX Manager, any user in that group can log in to the NSX Manager user interface with that role.

    When assigning a role to a user, type the user alias. For example, user1@corp.

  8. Click Next.

  9. Select the role for the user and click Next. For more information on the available roles, see Managing User Rights.

  10. Click Finish.

    The user account appears in the Users table.

Understanding Group-Based Role Assignments

Organizations create user groups for proper user management. After integration with SSO, NSX Manager can get the details of groups to which a user belongs. Instead of assigning roles to individual users who may belong to the same group, NSX Manager assigns roles to groups. The following scenarios illustrate how NSX Manager assigns roles.

Role-Based Access Control Scenario

This scenario provides an IT network engineer (Sally Moore) access to NSX components in the following environment.

AD domain: corp.local, vCenter group: neteng@corp.local, user name: smoore@corp.local

Prerequisites: vCenter Server has been registered with NSX Manager, and SSO has been configured.

  1. Assign a role to Sally.

    1. Log in to the vSphere Web Client.

    2. Click Networking & Security and then click NSX Managers.

    3. Click an NSX Manager in the Name column and then click the Manage tab.

    4. Click Users and then click Add.

      The Assign Role window opens.

    5. Click Specify a vCenter group and type neteng@corp.local in Group.

    6. Click Next.

    7. In Select Roles, click NSX Administrator and then click Next.

  2. Grant Sally permission to the datacenter.

    1. Click the Home icon and then click vCenter Home > Datacenters.

    2. Select a datacenter and click Actions > All vCenter Actions > Add Permission.

    3. Click Add and select the domain CORP.

    4. In Users and Groups, select Show Groups First.

    5. Select NetEng and click OK.

    6. In Assigned Role, select Read-only, clear Propagate to children, and click OK.

  3. Log out of vSphere Web Client and log back in as smoore@corp.local.

    Sally can perform NSX operations only (for example, install virtual appliances and create logical switches); her vCenter permission on the datacenter is Read-only.
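The same assignment can be scripted against the NSX Manager REST API instead of clicked through the vSphere Web Client. The block below is an added example, not VMware's code: the endpoint `POST /api/2.0/services/usermgmt/role/{userId}?isGroup=true|false`, the `<accessControlEntry>` body, the role identifiers in `API_ROLES` and the host name `nsxmgr.corp.local` are assumptions drawn from the NSX for vSphere API and should be checked against the API guide for your NSX version. It covers both the general procedure above (user or group, any role, global root or a datacenter scope) and Sally's group assignment in the scenario.

```python
"""Assign an NSX Manager role to a vCenter SSO user or group over the NSX
Manager REST API. Added example, not VMware's code. The endpoint, query
parameter, XML body and role identifiers are assumed from the NSX for
vSphere API (POST /api/2.0/services/usermgmt/role/{userId}?isGroup=...);
verify them against the API guide for your NSX version."""

import base64
import ssl
import urllib.parse
import urllib.request
from xml.sax.saxutils import escape

# Role names as shown in the Assign Role window, mapped to the identifiers
# the API expects (assumed values).
API_ROLES = {
    "Auditor": "auditor",
    "Security Administrator": "security_admin",
    "NSX Administrator": "vshield_admin",
    "Enterprise Administrator": "enterprise_admin",
}


def role_assignment_xml(role, resource_id="globalroot-0"):
    """Request body. resource_id is globalroot-0 (scope: all of NSX) or the
    vCenter managed object ID of a datacenter, for example datacenter-21."""
    if role not in API_ROLES:
        raise ValueError(f"unknown NSX role: {role!r}")
    return (
        "<accessControlEntry>"
        f"<role>{API_ROLES[role]}</role>"
        f"<resource><resourceId>{escape(resource_id)}</resourceId></resource>"
        "</accessControlEntry>"
    )


def role_assignment_url(nsx_manager, principal, is_group):
    """URL for the principal. Users are given in alias form (user1@corp),
    groups by full name (neteng@corp.local), as step 7 above describes."""
    flag = "true" if is_group else "false"
    return (
        f"https://{nsx_manager}/api/2.0/services/usermgmt/role/"
        f"{urllib.parse.quote(principal, safe='@')}?isGroup={flag}"
    )


def assign_role(nsx_manager, admin_user, admin_password, principal, role,
                is_group=False, resource_id="globalroot-0", ca_file=None):
    """POST the assignment as an NSX Manager administrator (HTTP Basic).
    ca_file pins the NSX Manager CA; None uses the system trust store.
    TLS verification is deliberately left on."""
    url = role_assignment_url(nsx_manager, principal, is_group)
    body = role_assignment_xml(role, resource_id).encode()
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    request = urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {token}",
            "Content-Type": "application/xml",
            "Accept": "application/xml",
        },
    )
    context = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(request, context=context, timeout=30) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    # Sally's scenario: NSX Administrator for the neteng group on all of NSX.
    # nsxmgr.corp.local is a placeholder host name.
    print(role_assignment_url("nsxmgr.corp.local", "neteng@corp.local", True))
    print(role_assignment_xml("NSX Administrator"))
```

Run with a real host, admin credentials and CA file to perform the assignment; NSX Manager returns an error if the principal cannot be resolved through the registered SSO server, so a failure here is the first sign that the SSO registration described at the top of this page is missing.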

Inherit Permissions Through a User-Group Membership Scenario

  Group option       Value
  Name               G1
  Role assigned      Auditor (Read only)
  Resources          Global root

  User option        Value
  Name               John
  Belongs to group   G1
  Role assigned      None

John belongs to group G1, which has been assigned the auditor role. John inherits the group role and resource permissions.

User Member of Multiple Groups Scenario

  Group option       Value
  Name               G1
  Role assigned      Auditor (Read only)
  Resources          Global root

  Group option       Value
  Name               G2
  Role assigned      Security Administrator (Read and Write)
  Resources          Datacenter1

  User option        Value
  Name               Joseph
  Belongs to group   G1, G2
  Role assigned      None

Joseph belongs to groups G1 and G2 and inherits the combined rights and permissions of the Auditor and Security Administrator roles. Joseph therefore has the following permissions:

  • Read, write (Security Administrator role) for Datacenter1

  • Read only (Auditor) for global root

User Member of Multiple Roles Scenario

  Group option       Value
  Name               G1
  Role assigned      Enterprise Administrator
  Resources          Global root

  User option        Value
  Name               Bob
  Belongs to group   G1
  Role assigned      Security Administrator (Read and Write)
  Resources          Datacenter1

Bob has been assigned the Security Administrator role directly, so he does not inherit the group role permissions. Bob has the following permissions:

  • Read, write (Security Administrator role) for Datacenter1 and its child resources

  • Enterprise Administrator role on Datacenter1
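The three scenarios above describe a resolution rule: roles propagate down from the resource they are assigned on, a user with no direct role gets the union of the roles of every group they belong to, and a role assigned directly to the user is used instead of the group roles. The block below is an added worked model of that rule, not NSX Manager's code; the resource tree (`globalroot-0`, `Datacenter1`, `Cluster1`, `Datacenter2`), the group named `G1_ENT` standing in for scenario 3's G1, and the rights attached to each role are constructed for the example.

```python
"""Worked model of the group-based role scenarios on this page. Added
example, not NSX Manager's code: the resource tree, the G1_ENT group name
and the role-to-rights table are constructed to illustrate the rules the
scenario text states."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Rights each role confers, as the page describes them.
ROLE_RIGHTS = {
    "Auditor": {"read"},
    "Security Administrator": {"read", "write"},
    "Enterprise Administrator": {"read", "write"},
}

# Constructed inventory: Global root above two datacenters, one with a child.
RESOURCE_PARENT = {
    "globalroot-0": None,
    "Datacenter1": "globalroot-0",
    "Cluster1": "Datacenter1",
    "Datacenter2": "globalroot-0",
}


@dataclass(frozen=True)
class Assignment:
    role: str
    resource: str  # scope of the role; it also applies to child resources


@dataclass
class User:
    name: str
    groups: List[str]
    direct: Optional[Assignment] = None  # role assigned to the user directly


def in_scope(resource: str, scope: str) -> bool:
    """True if resource is scope itself or lies beneath it in the tree."""
    node: Optional[str] = resource
    while node is not None:
        if node == scope:
            return True
        node = RESOURCE_PARENT[node]
    return False


def effective_roles(user: User, groups: Dict[str, Assignment]) -> Dict[str, Set[str]]:
    """Roles the user holds on each resource.

    A role assigned directly to the user is used on its own (scenario 3: Bob
    does not inherit the group role); otherwise the user gets the union of
    every group's role (scenario 2: Joseph holds Auditor and Security
    Administrator)."""
    if user.direct is not None:
        assignments = [user.direct]
    else:
        assignments = [groups[g] for g in user.groups]
    roles_by_resource: Dict[str, Set[str]] = {}
    for resource in RESOURCE_PARENT:
        roles = {a.role for a in assignments if in_scope(resource, a.resource)}
        if roles:
            roles_by_resource[resource] = roles
    return roles_by_resource


def rights_on(user: User, groups: Dict[str, Assignment], resource: str) -> Set[str]:
    """What an access check evaluates: the union of rights on one resource."""
    rights: Set[str] = set()
    for role in effective_roles(user, groups).get(resource, set()):
        rights |= ROLE_RIGHTS[role]
    return rights


# Groups from the scenarios. G1_ENT stands for scenario 3's G1, which carries
# Enterprise Administrator instead of Auditor.
GROUPS: Dict[str, Assignment] = {
    "G1": Assignment("Auditor", "globalroot-0"),
    "G2": Assignment("Security Administrator", "Datacenter1"),
    "G1_ENT": Assignment("Enterprise Administrator", "globalroot-0"),
}

JOHN = User("John", ["G1"])
JOSEPH = User("Joseph", ["G1", "G2"])
BOB = User("Bob", ["G1_ENT"], direct=Assignment("Security Administrator", "Datacenter1"))

if __name__ == "__main__":
    for user in (JOHN, JOSEPH, BOB):
        print(user.name, effective_roles(user, GROUPS))
```

Running it shows John with Auditor everywhere, Joseph with Auditor on Global root and Datacenter2 but both roles on Datacenter1 and its child, and Bob with Security Administrator on Datacenter1 and its child only, which is the first bullet of scenario 3; any right Bob would need outside Datacenter1 must come from changing his direct assignment, not from the group.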