Role-Based Access Control

With role-based access control (RBAC), you can restrict system access to authorized users. Users are assigned roles and each role has specific permissions.

To view the built-in and custom roles and their associated permissions, navigate to System > User Management > Roles and expand the row to view details. You can view permissions of all categories from the Permissions window.

After you have assigned an Active Directory (AD) user a role, if the username is changed on the AD server, you need to assign the role again using the new username.

Note: For VMware NSX^® Intelligence™ RBAC information, see the Using and Managing VMware NSX Intelligence documentation.

Roles and Permissions

There are four types of permissions. Included in the list are the abbreviations for the permissions that are used in the Roles and Permissions and Roles and Permissions for Manager Mode tables.

Full access (FA) - All permissions ncluding Create, Read, Update, and Delete
Execute (E) - Includes Read and Update
Read (R)
None

NSX has the following built-in roles. Role names in the UI can be different in the API. In NSX, if you have permission, you can clone an existing role, add a new role, edit newly created roles, or delete newly created roles

The following tables, Roles and Permissions and Roles and Permissions for Manager Mode, show the permissions each built-in role has for different operations. Also included in the list are the abbreviations for the roles that are used.

Auditor (A)
Cloud Admin (CA) (Available in the Cloud environment only)
Cloud Operator (CO) (Available in the Cloud environment only)
Enterprise Admin (EA)
GI (Guest Introspection ) Partner Administrator (GIPA)
LB (Load Balancer) Admin (LBA)
LB Operator (LBO)
Network Admin (NA)
Network Operator (NO)
NETX (Network Introspection) Partner Administrator (NXPA)
Security Admin (SA)
Security Operator (SO)
Support Bundle Collector (SBC)
VPN Admin (VPNA)

Note: Starting in NSX 4.0.1.1, multi-tenancy introduces new roles and offers the ability to restrict roles to tenant scope. For more details, see Users and Roles.

Table 1. Roles and Permissions
Operation	EA	A	NA	NO	SA	SO	CA	CO	LBA	LBO	VPNA	GIPA	NXPA	SBC
Networking > Tier-0 Gateways	FA	R	FA	R	R	R	FA	R	R	R	R	R	R	None
Networking > Tier-1 Gateways	FA	R	FA	R	R	R	FA	R	R	R	R	R	R	None
Networking > Network Interface	FA	R	FA	R	R	R	FA	R	R	R	R	R	R	None
Networking > Network Static Routes	FA	R	FA	R	R	R	FA	R	R	R	R	R	R	None
Networking > Locale Services	FA	R	FA	R	R	R	FA	R	R	R	R	R	R	None
Networking > Static ARP Configuration	FA	R	FA	R	R	R	FA	R	R	R	R	R	R	None
Networking > Segments	FA	R	FA	R	R	R	FA	R	R	R	R	R	R	None
Networking > Segments > Segment Profiles	FA	R	FA	R	R	R	FA	R	R	R	R	R	R	None
Networking > IP Address Pools	FA	R	FA	R	R	R	FA	R	R	R	None	None	None	None
Networking > Forwarding Policies	FA	R	FA	R	FA	R	FA	R	None	None	None	None	None	None
Networking > DNS	FA	R	FA	FA	R	R	FA	R	R	R	None	None	None	None
Networking > DHCP	FA	R	FA	R	R	R	FA	R	R	R	None	None	None	None
Networking > Load Balancing	FA	R	None	None	R	None	FA	R	FA	R	None	None	None	None
Networking > NAT	FA	R	FA	R	FA	R	FA	R	R	R	None	None	None	None
Networking > VPN	FA	R	FA	R	FA	R	FA	R	None	None	FA	None	None	None
Networking > IPv6 Profiles	FA	R	FA	R	R	R	FA	R	R	R	None	None	None	None
Security > Distributed Firewall	FA	R	R	R	FA	R	FA	R	R	R	R	R	R	None
Security > Gateway Firewall	FA	R	R	R	FA	R	FA	R	None	None	None	None	FA	None
Security > Identity Firewall AD	FA	R	FA	R	FA	FA	FA	R	R	R	R	R	R	None
Security > Network Introspection	FA	R	R	R	FA	R	FA	R	None	None	None	None	FA	None
Security > Endpoint Protection Rules	FA	R	R	R	FA	R	FA	R	None	None	None	FA	None	None
Inventory > Context Profiles	FA	R	R	R	FA	R	FA	R	R	R	R	R	R	None
Inventory > Virtual Machines	R	R	R	R	R	R	R	R	R	R	R	R	R	None
Inventory > Virtual Machines > Create & Assign Tags to VM	FA	R	R	R	FA	R	FA	R	R	R	R	FA	FA	None
Inventory > Containers	FA	R	R	R	R	R	None	None	None	None	None	None	None	None
Inventory > Physical Servers	FA	R	R	R	R	R	R	R	R	R	None	None	None	None
Plan & Troubleshoot > Port Mirroring	FA	R	FA	R	R	R	FA	R	None	None	None	None	None	None
Plan & Troubleshoot > Port Mirroring Binding	FA	R	FA	FA	R	R	FA	R	R	R	R	R	R	None
Plan & Troubleshoot > Monitoring Profile Binding	FA	R	FA	FA	R	R	FA	R	R	R	R	R	R	None
Plan & Troubleshoot > IPFIX > Firewall IPFIX Profiles	FA	R	FA	R	FA	R	FA	R	R	R	R	R	R	None
Plan & Troubleshoot > IPFIX > Switch IPFIX Profiles	FA	R	FA	R	R	R	FA	R	R	R	R	R	R	None
Plan & Troubleshoot > Traceflow	FA	FA	FA	FA	FA	FA	FA	FA	FA	FA	None	None	None	None
System > Fabric > Nodes > Hosts	FA	R	R	R	R	R	None	None	None	None	None	None	None	None
System > Fabric > Nodes > Nodes	FA	R	FA	R	FA	R	R	R	R	R	None	None	None	None
System > Fabric > Nodes > Edges	FA	R	FA	R	R	R	R	R	None	None	None	None	None	None
System > Fabric > Nodes > Edge Clusters	FA	R	FA	R	R	R	R	R	None	None	None	None	None	None
System > Fabric > Nodes > Bridges	FA	R	FA	R	R	R	None	None	R	R	None	None	None	None
System > Fabric > Nodes > Transport Nodes	FA	R	R	R	R	R	None	None	R	R	None	Read	Read	R
System > Fabric > Nodes > Tunnels	FA	R	R	R	R	R	None	None	R	R	None	None	None	None
System > Fabric > Profiles > Uplink Profiles	FA	R	R	R	R	R	R	R	R	R	None	None	None	None
System > Fabric > Profiles > Edge Cluster Profiles	FA	R	FA	R	R	R	R	R	R	R	None	None	None	None
System > Fabric > Profiles > Configuration	FA	R	None	None	None	None	R	R	None	None	None	None	None	None
System > Fabric > Transport Zones > Transport Zones	FA	R	R	R	R	R	R	R	R	R	None	None	None	None
System > Fabric > Transport Zones > Transport Zone Profiles	FA	R	R	R	R	R	R	R	None	None	None	None	None	None
System > Fabric > Compute Managers	FA	R	R	R	R	R	R	R	None	None	None	R	R	None
System > Certificates	FA	R	None	None	FA	R	None	None	FA	R	FA	None	None	None
System > Service Deployments > Service Instances	FA	R	R	R	FA	R	FA	R	None	None	None	FA	FA	None
System > Support Bundle	FA	None	None	None	None	None	None	None	None	None	None	None	None	FA
System > Backup	FA	R	None	None	None	None	None	None	None	None	None	None	None	None
System > Restore	FA	R	None	None	None	None	None	None	None	None	None	None	None	None
System > Upgrade	FA	R	R	R	R	R	None	None	None	None	None	None	None	None
System > Users > Role Assignments	FA	R	None	None	None	None	None	None	None	None	None	None	None	None
System > Active Directory	FA	R	FA	R	FA	FA	R	R	R	R	R	R	R	None
System > Users > Configuration	FA	R	None	None	None	None	None	None	None	None	None	None	None	None
System > Licenses	FA	R	R	R	R	R	None	None	None	None	None	None	None	None
System > System Administration	FA	R	R	R	R	R	R	R	None	None	None	None	None	None
Custom Dashboard Configuration	FA	R	R	R	R	R	FA	R	R	R	R	R	R	None
System > Lifecycle Management > Migrate	FA	None	None	None	None	None	None	None	None	None	None	None	None	None

Table 2. Roles and Permissions for Manager Mode
Operation	EA	A	NA	NO	SA	SO	CA	CO	LBA	LBO	VPNA	GIPA	NXPA	SBC
Plan & Troubleshoot > Port Connection	E	R	E	E	E	E	E	R	E	E	None	None	None	None
Plan & Troubleshoot > Traceflow	FA	R	E	E	E	E	None	None	E	E	None	None	None	None
Plan & Troubleshoot > Port Mirroring	FA	R	FA	R	R	R	FA	R	None	None	None	None	None	None
Plan & Troubleshoot > IPFIX	FA	R	FA	R	FA	R	FA	R	R	R	R	R	R	None
Security > Distributed Firewall > General	FA	R	R	R	FA	R	FA	R	None	None	None	None	R	None
Security > Distributed Firewall > Configuration	FA	R	R	R	FA	R	FA	R	None	None	None	None	None	None
Security > Edge Firewall	FA	R	R	R	FA	R	FA	R	None	None	None	None	FA	None
Networking > Routers	FA	R	FA	FA	R	R	FA	R	R	R	R	None	R	None
Networking > NAT	FA	R	FA	R	FA	R	FA	R	R	R	None	None	None	None
Networking > DHCP > Server Profiles	FA	R	FA	R	None	None	FA	R	None	None	None	None	None	None
Networking > DHCP > Servers	FA	R	FA	R	None	None	FA	R	None	None	None	None	None	None
Networking > DHCP > Relay Profiles	FA	R	FA	R	None	None	FA	R	None	None	None	None	None	None
Networking > DHCP > Relay Services	FA	R	FA	R	None	None	FA	R	None	None	None	None	None	None
Networking > DHCP > Metadata Proxies	FA	R	FA	R	None	None	None	None	None	None	None	None	None	None
Networking > IPAM	FA	R	FA	FA	R	R	None	None	R	R	None	None	None	None
Networking > Logical Switches > Switches	FA	R	FA	R	R	R	FA	R	R	R	R	None	R	None
Networking > Logical Switches > Ports	FA	R	FA	R	R	R	FA	R	R	R	R	None	R	None
Networking > Logical Switches > Switching Profiles	FA	R	FA	R	R	R	FA	R	R	R	None	None	None	None
Networking > Load Balancing > Load Balancers	FA	R	None	None	R	None	FA	R	FA	R	None	None	None	None
Networking > Load Balancing > Profiles > SSL Profiles	FA	R	None	None	FA	R	FA	R	FA	R	None	None	None	None
Inventory > Groups	FA	R	FA	R	FA	R	FA	R	R	R	R	R	R	None
Inventory > Groups > IP Sets	FA	R	FA	R	FA	R	FA	R	R	R	R	R	R	None
Inventory > IP Pools	FA	R	FA	R	None	None	None	None	R	R	R	R	R	None
Inventory > Groups > MAC Sets	FA	R	FA	R	FA	R	FA	R	R	R	R	R	R	None
Inventory > Services	FA	R	FA	R	FA	R	FA	R	R	R	R	R	R	None
Inventory > Virtual Machines	R	R	R	R	R	R	R	R	R	R	R	R	R	None
Inventory > Virtual Machines > Create & Assign Tags to VM	FA	R	R	R	FA	R	FA	R	R	R	R	FA	FA	None
Inventory > Virtual Machines > Configure Tags	FA	None	None	None	None	None	None	None	None	None	None	None	None	None
System > Support Bundle	FA	None	None	None	None	None	None	None	None	None	None	None	None	FA