You can configure NSX Federation role-based access control (RBAC) to restrict system access to authorized users. NSX Federation RBAC works similarly to NSX RBAC for authorized users. This topic provides some optional configuration information for RBAC on NSX Federation when it is used with specific authentication providers.
Most authentication and authorization tasks use the same procedures as described under the Authentication and Authorization section of the NSX Administration Guide. One exception is that the VMware Identity Manager™ (vIDM) and LDAP configuration is not synchronized from the active or the standby Global Managers (GM) to the Local Managers (LM). This requires that you configure each GM or LM (NSX cluster) separately for vIDM and LDAP. It also requires that users have the same role bindings on each NSX Federation server for seamless access.
Task | Go To |
---|---|
Configure vIDM or LDAP on both the active and the standby Global Manager servers separately. | |
Configure vIDM or LDAP on each Local Manager server. | |
Ensure that users who want to switch between the GM and LM servers using the Location drop-down menu have the same user roles on both the GM and LM servers. If a user has a role on the GM but no role on the LM, the user might see a permission error such as "The user does not have permission on any feature." | To ensure that the Location drop-down menu allows your user to switch between the GM and the LM servers, after you change the user roles on the LM server from read-only to write, or mirror the GM roles there, verify that the task completes. For details, go to Using the Global and Local Manager Web Interfaces and Monitoring NSX Federation Locations. |
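
Because role bindings are not synchronized between managers, it helps to compare them after each change. The following is an added example, not VMware code: it compares role bindings exported from each manager against the active GM and flags users who would hit the permission error. The manager names, the sample bindings, and the `results`/`name`/`type`/`roles` export layout are assumptions made for illustration.

```python
# Constructed sample data. The "results"/"name"/"type"/"roles" layout is an
# assumed export format for each manager's role bindings.
def binding(name, kind, *roles):
    return {"name": name, "type": kind, "roles": [{"role": r} for r in roles]}

ALICE = binding("alice@corp.example", "remote_user", "enterprise_admin")
NETOPS = binding("netops@corp.example", "remote_group", "network_engineer")
MANAGERS = {
    "gm-active": {"results": [ALICE, NETOPS]},
    "gm-standby": {"results": [ALICE, NETOPS]},
    # The LM was configured separately: alice is read-only, netops is
    # missing, and one binding exists only here.
    "lm-site-a": {"results": [
        binding("alice@corp.example", "remote_user", "auditor"),
        binding("svc-backup@corp.example", "remote_user", "auditor"),
    ]},
}

def roles_by_identity(export):
    """Map (type, name) -> set of role names for one manager."""
    out = {}
    for b in export.get("results", []):
        out.setdefault((b["type"], b["name"]), set()).update(
            r["role"] for r in b.get("roles", []))
    return out

def compare_role_bindings(reference, managers):
    """Return (name, manager, issue) for bindings that differ from the reference."""
    maps = {m: roles_by_identity(e) for m, e in managers.items()}
    identities = set().union(*maps.values())
    findings = []
    for ident in sorted(identities):
        ref = maps[reference].get(ident, set())
        for m in sorted(maps):
            roles = maps[m].get(ident, set())
            if m == reference or roles == ref:
                continue
            if not roles:
                issue = "no role"  # the case behind the permission error
            elif not ref:
                issue = "not bound on reference"
            else:
                issue = "roles differ"
            findings.append((ident[1], m, issue))
    return findings

if __name__ == "__main__":
    for name, manager, issue in compare_role_bindings("gm-active", MANAGERS):
        print(f"{manager}: {name}: {issue}")
```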