To deploy and administer NSX, certain vCenter permissions are required. NSX provides extensive read and read/write permissions for various users and roles.

Feature List with Roles and Permissions

The table lists, for each NSX feature, the access each role has: No Access, R (read), or R, W (read and write). The role columns are Auditor, Security Admin, NSX Admin and Enterprise Admin.

| Category | Feature | Description | Auditor | Security Admin | NSX Admin | Enterprise Admin |
|---|---|---|---|---|---|---|
| Configuration | VC and SSO Configuration with NSX | | No Access | No Access | R, W | R, W |
| Configuration | Update | | No Access | No Access | R, W | R, W |
| System Events | System Events | | R | R, W | R, W | R, W |
| Audit Logs | Audit Logs | | R | R | R | R |
| User Account Management (URM) | User Account Management | User Management | No Access | No Access | R | R, W |
| User Account Management (URM) | Object Access Control | | No Access | No Access | R | R |
| User Account Management (URM) | Feature Access Control | | No Access | No Access | R | R |
| Edge | System | General system parameters | R | R | R, W | R, W |
| Edge | Appliance | NSX Edge form factors (Compact/Large/X-Large/Quad-Large) | R | R | R, W | R, W |
| Edge | High availability | | R | R | R, W | R, W |
| Edge | vNic | Interface configuration on NSX Edge | R | R, W | R, W | R, W |
| Edge | DNS | | R | R, W | R | R, W |
| Edge | SSH | SSH configuration on NSX Edge | R | R, W | R, W | R, W |
| Edge | Auto plumbing | | R | R, W | R | R, W |
| Edge | Statistics | | R | R | R | R, W |
| Edge | NAT | NAT configuration on NSX Edge | R | R, W | R | R, W |
| Edge | DHCP | | R | R, W | R | R, W |
| Edge | Load balance | | R | R, W | R | R, W |
| Edge | VPN | | R | R, W | R | R, W |
| Edge | Syslog | Syslog configuration on NSX Edge | R | R, W | R, W | R, W |
| Edge | Support | | No Access | R, W | R, W | R, W |
| Edge | Routing | All static and dynamic routing (BGP/OSPF) on NSX Edge | R | R, W | R | R, W |
| Edge | Firewall | Firewall configuration on NSX Edge | R | R, W | R | R, W |
| Edge | Bridging | | R | R, W | R | R, W |
| Edge | Certificate | | R | R, W | R | R, W |
| Edge | System control | Kernel parameters such as maximum limits, IP forwarding, networking and system settings, for example sysctl.net.ipv4.conf.vNic_1.rp_filter and sysctl.net.netfilter.nf_conntrack_tcp_timeout_established | R | R, W | R, W | R, W |
| Distributed Firewall | Firewall config | Layer 3 (General) and Layer 2 (Ethernet) firewall rules | R | R, W | No Access | R, W |
| Distributed Firewall | Flows | Flow monitoring of traffic flows in the system, including live flows | R | R, W | No Access | R, W |
| Distributed Firewall | IPFix config | Enable or disable IPFIX and assign collectors | R | R, W | No Access | R, W |
| Distributed Firewall | ForceSync | Full sync from the Installation > Host Preparation page | R | R | No Access | R, W |
| Distributed Firewall | Install DFW (host preparation) | Install VIBs on clusters | R | R | R, W | R, W |
| Distributed Firewall | Saved Configurations (drafts) | Every publish automatically saves the existing DFW configuration as a draft | R | R, W | No Access | R, W |
| Distributed Firewall | Exclusion List | Add VMs to the exclusion list so that they are not protected by DFW, or remove them from it | R | R, W | No Access | R, W |
| Distributed Firewall | DFW Tech Support | Collect the DFW tech support bundle from a host (NSX config shell only) | No Access | R, W | No Access | R, W |
| Distributed Firewall | DFW Session Timers | Configure TCP/UDP/other protocol connection timeouts | R | R, W | No Access | R, W |
| Distributed Firewall | IP Discovery (DHCP/ARP Snooping) | IP discovery when VMware Tools is not running on guest VMs | R | R, W | No Access | R, W |
| Distributed Firewall | Application Rule Manager | Collect flows for a selected set of applications and create firewall rules from the collected flows | R | R, W | No Access | R, W |
| NameSpace | Config | | R | R | R, W | R, W |
| SpoofGuard | Config | SpoofGuard publish in TOFU or manual mode | R | R, W | No Access | R, W |
| Endpoint Security (EPSEC) | Reports | | R | R | R, W | R, W |
| Endpoint Security (EPSEC) | Registration | Manage solutions (register, unregister, query registered solutions, activate) | R | No Access | R, W | R, W |
| Endpoint Security (EPSEC) | Health monitoring | Retrieve health status of VM and SVM to the NSX Manager | No Access | R | R | R |
| Endpoint Security (EPSEC) | Policy | Manage security policies (create, read, update, delete) | R | R, W | R, W | R, W |
| Endpoint Security (EPSEC) | Scan scheduling | | R | No Access | R, W | R, W |
| Library | Host preparation | Host preparation action on a cluster | No Access | No Access | R, W | R, W |
| Library | Grouping | IP Set, MAC Set, Security Group, Service, Service Group | R | R, W | R | R, W |
| Library | Tagging | Security tags (for example, attach to or detach from VMs) | R | R, W | R | R, W |
| Install | App | | No Access | R | R, W | R, W |
| Install | EPSEC | | No Access | R | R, W | R, W |
| Install | DLP | | No Access | R | R, W | R, W |
| VDN | Config NSM | Configure Network Security Manager | R | R | R, W | R, W |
| VDN | Provision | | R | R | R, W | R, W |
| ESX Agent Manager (EAM) | Install | ESX Agent Manager | No Access | R | R, W | R, W |
| Service Insertion | Service | | R | R, W | R, W | R, W |
| Service Insertion | Service profile | | R | R | R, W | R, W |
| Trust Store | trustentity_management | NSX certificate management | R | R, W | R, W | R, W |
| IP Address Management (IPAM) | Configuration | Configuration of IP pools | R | R, W | R, W | R, W |
| IP Address Management (IPAM) | IP allocation | IP allocation and release | R | R, W | R, W | R, W |
| Security Fabric | Deploy | Deploy a service or security VM on a cluster from the Service Deployment page | R | R | R, W | R, W |
| Security Fabric | Alarms | Manage alarms generated by security VMs from the Service Deployment page | R | R | R, W | R, W |
| Security Fabric | Agent health status | Manage the agent health status alarm over REST calls, mainly used by partner VMs | R | R, W | R, W | R, W |
| Messaging | Messaging | Messaging framework used by NSX Edge and Guest Introspection to communicate with NSX Manager | R | R, W | R, W | R, W |
| Replicator (multi-vCenter setup with secondary NSX Manager) | Configuration | Select or deselect the Primary role for NSX Manager, and add or remove a Secondary NSX Manager | R | R | R, W | R, W |
| Security Policy | Configuration | Create, update, edit, or delete security policies | R | R, W | No Access | R, W |
| Security Policy | Security group binding | Associate a security group with a security policy | R | R, W | No Access | R, W |

Note the split between the two middle columns: NSX Admin has No Access to Distributed Firewall rule configuration, SpoofGuard and Security Policy, while Security Admin has No Access to user management and only read access to Edge system settings and host preparation. A task that needs write access on both sides requires Enterprise Admin, or two separately assigned principals.
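The following is an added example, not code from the page or from VMware: it encodes a subset of the matrix above (transcribed from the table) and uses it to pick the least-privileged role for a given set of required permissions, then flags role assignments that are broader than the task needs. The ranking of roles by total number of grants, the principal names and the assignment data are all constructed for this example.

```python
"""Least-privilege role selection over the NSX roles-and-permissions matrix.

Added example. MATRIX is a subset transcribed from the table on this page;
SAMPLE_ASSIGNMENTS and the role ranking heuristic are constructed here.
"""

# Role columns in the order used by the table.
ROLES = ("Auditor", "Security Admin", "NSX Admin", "Enterprise Admin")

# (category, feature) -> one cell per role, written exactly as in the table.
MATRIX = {
    ("Audit Logs", "Audit Logs"):                               ("R", "R", "R", "R"),
    ("User Account Management (URM)", "User Management"):       ("No Access", "No Access", "R", "R, W"),
    ("Edge", "System"):                                         ("R", "R", "R, W", "R, W"),
    ("Edge", "Routing"):                                        ("R", "R, W", "R", "R, W"),
    ("Edge", "Firewall"):                                       ("R", "R, W", "R", "R, W"),
    ("Edge", "Syslog"):                                         ("R", "R, W", "R, W", "R, W"),
    ("Distributed Firewall", "Firewall config"):                ("R", "R, W", "No Access", "R, W"),
    ("Distributed Firewall", "Exclusion List"):                 ("R", "R, W", "No Access", "R, W"),
    ("Distributed Firewall", "Install DFW (host preparation)"): ("R", "R", "R, W", "R, W"),
    ("Library", "Grouping"):                                    ("R", "R, W", "R", "R, W"),
    ("Security Policy", "Configuration"):                       ("R", "R, W", "No Access", "R, W"),
}


def _perms(cell):
    """Turn a table cell ('No Access', 'R', 'R, W') into a set of actions."""
    if cell == "No Access":
        return frozenset()
    return frozenset(p.strip() for p in cell.split(","))


def permits(role, category, feature, action):
    """True if `role` holds `action` ('R' or 'W') on (category, feature)."""
    cells = MATRIX[(category, feature)]
    return action in _perms(cells[ROLES.index(role)])


def dominates(a, b):
    """True if role a holds every permission role b holds, on every row."""
    ia, ib = ROLES.index(a), ROLES.index(b)
    return all(_perms(c[ib]) <= _perms(c[ia]) for c in MATRIX.values())


def privilege_score(role):
    """Number of R/W grants a role holds across the matrix (constructed ranking)."""
    i = ROLES.index(role)
    return sum(len(_perms(c[i])) for c in MATRIX.values())


def least_privileged_roles(requirements):
    """Roles satisfying every (category, feature, action) requirement,
    restricted to those with the fewest grants overall. Empty if none."""
    ok = [r for r in ROLES if all(permits(r, c, f, a) for c, f, a in requirements)]
    if not ok:
        return []
    best = min(privilege_score(r) for r in ok)
    return [r for r in ok if privilege_score(r) == best]


def overprivileged(assignments):
    """Return (principal, held_role, suggested_role) for every assignment
    whose held role is broader than the task's requirements justify."""
    findings = []
    for principal, held, reqs in assignments:
        suggested = least_privileged_roles(reqs)
        if suggested and held not in suggested:
            findings.append((principal, held, suggested[0]))
    return findings


# Constructed sample assignments (not from the page).
SAMPLE_ASSIGNMENTS = [
    # Writes DFW rules and reads audit logs: Security Admin is sufficient.
    ("dfw-team@corp.local", "Enterprise Admin",
     {("Distributed Firewall", "Firewall config", "W"), ("Audit Logs", "Audit Logs", "R")}),
    # Host preparation plus DFW rule changes: no single non-enterprise role covers both.
    ("platform-ops@corp.local", "Enterprise Admin",
     {("Distributed Firewall", "Install DFW (host preparation)", "W"),
      ("Distributed Firewall", "Firewall config", "W")}),
    # Read-only review of Edge routing: Auditor is sufficient.
    ("netaudit@corp.local", "NSX Admin", {("Edge", "Routing", "R")}),
]

if __name__ == "__main__":
    for principal, held, suggested in overprivileged(SAMPLE_ASSIGNMENTS):
        print(f"{principal}: holds {held}, needs only {suggested}")
```

Running it flags the DFW team (Security Admin would do) and the read-only network auditor (Auditor would do), but not platform-ops, because host preparation and DFW rule writes are never both granted below Enterprise Admin. `dominates` makes the same point directly: NSX Admin is not a superset of Auditor, since an NSX Admin cannot even read DFW rules.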