With role-based access control (RBAC), you can restrict system access to authorized users. Users are assigned roles and each role has specific permissions.

To view the built-in and custom roles and their associated permissions, navigate to System > User Management > Roles and expand the row to view details. You can view permissions of all categories from the Permissions window.

After you have assigned an Active Directory (AD) user a role, if the username is changed on the AD server, you need to assign the role again using the new username.

Note: For VMware NSX® Intelligence™ RBAC information, see the Using and Managing VMware NSX Intelligence documentation.

Roles and Permissions

There are four types of permissions. Included in the list are the abbreviations for the permissions that are used in the Roles and Permissions and Roles and Permissions for Manager Mode tables.

  • Full access (FA) - All permissions, including Create, Read, Update, and Delete
  • Execute (E) - Includes Read and Update
  • Read (R)
  • None

NSX has the following built-in roles. Role names in the UI can be different in the API. In NSX, if you have permission, you can clone an existing role, add a new role, edit newly created roles, or delete newly created roles.

The following tables, Roles and Permissions and Roles and Permissions for Manager Mode, show the permissions each built-in role has for different operations. Also included in the list are the abbreviations for the roles that are used.

  • Auditor (A)
  • Cloud Admin (CA) (Available in the Cloud environment only)
  • Cloud Operator (CO) (Available in the Cloud environment only)
  • Enterprise Admin (EA)
  • GI (Guest Introspection) Partner Administrator (GIPA)
  • LB (Load Balancer) Admin (LBA)
  • LB Operator (LBO)
  • Network Admin (NA)
  • Network Operator (NO)
  • NETX (Network Introspection) Partner Administrator (NXPA)
  • Security Admin (SA)
  • Security Operator (SO)
  • Support Bundle Collector (SBC)
  • VPN Admin (VPNA)

Note: Starting in NSX 4.0.1.1, multi-tenancy introduces new roles and offers the ability to restrict roles to tenant scope. For more details, see Users and Roles.

Table 1. Roles and Permissions

| Operation | EA | A | NA | NO | SA | SO | CA | CO | LBA | LBO | VPNA | GIPA | NXPA | SBC |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Networking > Tier-0 Gateways | FA | R | FA | R | R | R | FA | R | R | R | R | R | R | None |
| Networking > Tier-1 Gateways | FA | R | FA | R | R | R | FA | R | R | R | R | R | R | None |
| Networking > Network Interface | FA | R | FA | R | R | R | FA | R | R | R | R | R | R | None |
| Networking > Network Static Routes | FA | R | FA | R | R | R | FA | R | R | R | R | R | R | None |
| Networking > Locale Services | FA | R | FA | R | R | R | FA | R | R | R | R | R | R | None |
| Networking > Static ARP Configuration | FA | R | FA | R | R | R | FA | R | R | R | R | R | R | None |
| Networking > Segments | FA | R | FA | R | R | R | FA | R | R | R | R | R | R | None |
| Networking > Segments > Segment Profiles | FA | R | FA | R | R | R | FA | R | R | R | R | R | R | None |
| Networking > IP Address Pools | FA | R | FA | R | R | R | FA | R | R | R | None | None | None | None |
| Networking > Forwarding Policies | FA | R | FA | R | FA | R | FA | R | None | None | None | None | None | None |
| Networking > DNS | FA | R | FA | FA | R | R | FA | R | R | R | None | None | None | None |
| Networking > DHCP | FA | R | FA | R | R | R | FA | R | R | R | None | None | None | None |
| Networking > Load Balancing | FA | R | None | None | R | None | FA | R | FA | R | None | None | None | None |
| Networking > NAT | FA | R | FA | R | FA | R | FA | R | R | R | None | None | None | None |
| Networking > VPN | FA | R | FA | R | FA | R | FA | R | None | None | FA | None | None | None |
| Networking > IPv6 Profiles | FA | R | FA | R | R | R | FA | R | R | R | None | None | None | None |
| Security > Distributed Firewall | FA | R | R | R | FA | R | FA | R | R | R | R | R | R | None |
| Security > Gateway Firewall | FA | R | R | R | FA | R | FA | R | None | None | None | None | FA | None |
| Security > Identity Firewall AD | FA | R | FA | R | FA | FA | FA | R | R | R | R | R | R | None |
| Security > Network Introspection | FA | R | R | R | FA | R | FA | R | None | None | None | None | FA | None |
| Security > Endpoint Protection Rules | FA | R | R | R | FA | R | FA | R | None | None | None | FA | None | None |
| Inventory > Context Profiles | FA | R | R | R | FA | R | FA | R | R | R | R | R | R | None |
| Inventory > Virtual Machines | R | R | R | R | R | R | R | R | R | R | R | R | R | None |
| Inventory > Virtual Machines > Create & Assign Tags to VM | FA | R | R | R | FA | R | FA | R | R | R | R | FA | FA | None |
| Inventory > Containers | FA | R | R | R | R | R | None | None | None | None | None | None | None | None |
| Inventory > Physical Servers | FA | R | R | R | R | R | R | R | R | R | None | None | None | None |
| Plan & Troubleshoot > Port Mirroring | FA | R | FA | R | R | R | FA | R | None | None | None | None | None | None |
| Plan & Troubleshoot > Port Mirroring Binding | FA | R | FA | FA | R | R | FA | R | R | R | R | R | R | None |
| Plan & Troubleshoot > Monitoring Profile Binding | FA | R | FA | FA | R | R | FA | R | R | R | R | R | R | None |
| Plan & Troubleshoot > IPFIX > Firewall IPFIX Profiles | FA | R | FA | R | FA | R | FA | R | R | R | R | R | R | None |
| Plan & Troubleshoot > IPFIX > Switch IPFIX Profiles | FA | R | FA | R | R | R | FA | R | R | R | R | R | R | None |
| Plan & Troubleshoot > Traceflow | FA | FA | FA | FA | FA | FA | FA | FA | FA | FA | None | None | None | None |
| System > Fabric > Nodes > Hosts | FA | R | R | R | R | R | None | None | None | None | None | None | None | None |
| System > Fabric > Nodes > Nodes | FA | R | FA | R | FA | R | R | R | R | R | None | None | None | None |
| System > Fabric > Nodes > Edges | FA | R | FA | R | R | R | R | R | None | None | None | None | None | None |
| System > Fabric > Nodes > Edge Clusters | FA | R | FA | R | R | R | R | R | None | None | None | None | None | None |
| System > Fabric > Nodes > Bridges | FA | R | FA | R | R | R | None | None | R | R | None | None | None | None |
| System > Fabric > Nodes > Transport Nodes | FA | R | R | R | R | R | None | None | R | R | None | R | R | R |
| System > Fabric > Nodes > Tunnels | FA | R | R | R | R | R | None | None | R | R | None | None | None | None |
| System > Fabric > Profiles > Uplink Profiles | FA | R | R | R | R | R | R | R | R | R | None | None | None | None |
| System > Fabric > Profiles > Edge Cluster Profiles | FA | R | FA | R | R | R | R | R | R | R | None | None | None | None |
| System > Fabric > Profiles > Configuration | FA | R | None | None | None | None | R | R | None | None | None | None | None | None |
| System > Fabric > Transport Zones > Transport Zones | FA | R | R | R | R | R | R | R | R | R | None | None | None | None |
| System > Fabric > Transport Zones > Transport Zone Profiles | FA | R | R | R | R | R | R | R | None | None | None | None | None | None |
| System > Fabric > Compute Managers | FA | R | R | R | R | R | R | R | None | None | None | R | R | None |
| System > Certificates | FA | R | None | None | FA | R | None | None | FA | R | FA | None | None | None |
| System > Service Deployments > Service Instances | FA | R | R | R | FA | R | FA | R | None | None | None | FA | FA | None |
| System > Support Bundle | FA | None | None | None | None | None | None | None | None | None | None | None | None | FA |
| System > Backup | FA | R | None | None | None | None | None | None | None | None | None | None | None | None |
| System > Restore | FA | R | None | None | None | None | None | None | None | None | None | None | None | None |
| System > Upgrade | FA | R | R | R | R | R | None | None | None | None | None | None | None | None |
| System > Users > Role Assignments | FA | R | None | None | None | None | None | None | None | None | None | None | None | None |
| System > Active Directory | FA | R | FA | R | FA | FA | R | R | R | R | R | R | R | None |
| System > Users > Configuration | FA | R | None | None | None | None | None | None | None | None | None | None | None | None |
| System > Licenses | FA | R | R | R | R | R | None | None | None | None | None | None | None | None |
| System > System Administration | FA | R | R | R | R | R | R | R | None | None | None | None | None | None |
| Custom Dashboard Configuration | FA | R | R | R | R | R | FA | R | R | R | R | R | R | None |
| System > Lifecycle Management > Migrate | FA | None | None | None | None | None | None | None | None | None | None | None | None | None |

Table 2. Roles and Permissions for Manager Mode

| Operation | EA | A | NA | NO | SA | SO | CA | CO | LBA | LBO | VPNA | GIPA | NXPA | SBC |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Plan & Troubleshoot > Port Connection | E | R | E | E | E | E | E | R | E | E | None | None | None | None |
| Plan & Troubleshoot > Traceflow | FA | R | E | E | E | E | None | None | E | E | None | None | None | None |
| Plan & Troubleshoot > Port Mirroring | FA | R | FA | R | R | R | FA | R | None | None | None | None | None | None |
| Plan & Troubleshoot > IPFIX | FA | R | FA | R | FA | R | FA | R | R | R | R | R | R | None |
| Security > Distributed Firewall > General | FA | R | R | R | FA | R | FA | R | None | None | None | None | R | None |
| Security > Distributed Firewall > Configuration | FA | R | R | R | FA | R | FA | R | None | None | None | None | None | None |
| Security > Edge Firewall | FA | R | R | R | FA | R | FA | R | None | None | None | None | FA | None |
| Networking > Routers | FA | R | FA | FA | R | R | FA | R | R | R | R | None | R | None |
| Networking > NAT | FA | R | FA | R | FA | R | FA | R | R | R | None | None | None | None |
| Networking > DHCP > Server Profiles | FA | R | FA | R | None | None | FA | R | None | None | None | None | None | None |
| Networking > DHCP > Servers | FA | R | FA | R | None | None | FA | R | None | None | None | None | None | None |
| Networking > DHCP > Relay Profiles | FA | R | FA | R | None | None | FA | R | None | None | None | None | None | None |
| Networking > DHCP > Relay Services | FA | R | FA | R | None | None | FA | R | None | None | None | None | None | None |
| Networking > DHCP > Metadata Proxies | FA | R | FA | R | None | None | None | None | None | None | None | None | None | None |
| Networking > IPAM | FA | R | FA | FA | R | R | None | None | R | R | None | None | None | None |
| Networking > Logical Switches > Switches | FA | R | FA | R | R | R | FA | R | R | R | R | None | R | None |
| Networking > Logical Switches > Ports | FA | R | FA | R | R | R | FA | R | R | R | R | None | R | None |
| Networking > Logical Switches > Switching Profiles | FA | R | FA | R | R | R | FA | R | R | R | None | None | None | None |
| Networking > Load Balancing > Load Balancers | FA | R | None | None | R | None | FA | R | FA | R | None | None | None | None |
| Networking > Load Balancing > Profiles > SSL Profiles | FA | R | None | None | FA | R | FA | R | FA | R | None | None | None | None |
| Inventory > Groups | FA | R | FA | R | FA | R | FA | R | R | R | R | R | R | None |
| Inventory > Groups > IP Sets | FA | R | FA | R | FA | R | FA | R | R | R | R | R | R | None |
| Inventory > IP Pools | FA | R | FA | R | None | None | None | None | R | R | R | R | R | None |
| Inventory > Groups > MAC Sets | FA | R | FA | R | FA | R | FA | R | R | R | R | R | R | None |
| Inventory > Services | FA | R | FA | R | FA | R | FA | R | R | R | R | R | R | None |
| Inventory > Virtual Machines | R | R | R | R | R | R | R | R | R | R | R | R | R | None |
| Inventory > Virtual Machines > Create & Assign Tags to VM | FA | R | R | R | FA | R | FA | R | R | R | R | FA | FA | None |
| Inventory > Virtual Machines > Configure Tags | FA | None | None | None | None | None | None | None | None | None | None | None | None | None |
| System > Support Bundle | FA | None | None | None | None | None | None | None | None | None | None | None | None | FA |
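
The permission abbreviations and role columns above can be turned into a small least-privilege review helper. The following is an added example, not part of the VMware documentation and not an NSX API: the function names are hypothetical, and the sample is five rows copied from Table 1 written whitespace-separated.

```python
ROLES = "EA A NA NO SA SO CA CO LBA LBO VPNA GIPA NXPA SBC".split()

# Abbreviations as defined in the page's permission list.
ACTIONS = {
    "FA": {"create", "read", "update", "delete"},
    "E": {"read", "update"},
    "R": {"read"},
    "Read": {"read"},  # tolerate the long form as well
    "None": set(),
}

# Constructed sample: header plus five rows copied from Table 1,
# written whitespace-separated (operation name, then one cell per role).
SAMPLE = """\
Operation EA A NA NO SA SO CA CO LBA LBO VPNA GIPA NXPA SBC
Security > Distributed Firewall FA R R R FA R FA R R R R R R None
System > Certificates FA R None None FA R None None FA R FA None None None
System > Users > Role Assignments FA R None None None None None None None None None None None None
System > Support Bundle FA None None None None None None None None None None None None FA
Plan & Troubleshoot > Traceflow FA FA FA FA FA FA FA FA FA FA None None None None
"""

def parse_matrix(text):
    """Return {operation: {role: set of allowed actions}}."""
    matrix = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) <= len(ROLES):
            continue  # blank line or caption, not a matrix row
        # Operation names contain spaces, so take the cells from the right.
        name, cells = " ".join(tokens[:-len(ROLES)]), tokens[-len(ROLES):]
        if cells == ROLES:
            continue  # header row
        bad = [c for c in cells if c not in ACTIONS]
        if bad:
            raise ValueError(f"unknown permission {bad} in row {name!r}")
        matrix[name] = {r: ACTIONS[c] for r, c in zip(ROLES, cells)}
    return matrix

def roles_with(matrix, operation, action):
    """Roles whose permission on `operation` includes `action`."""
    return [r for r in ROLES if action in matrix[operation][r]]

def writable_operations(matrix, role):
    """Operations on which `role` holds anything beyond read."""
    return [op for op, perms in matrix.items() if perms[role] - {"read"}]

MATRIX = parse_matrix(SAMPLE)
```

Run over the full tables, `roles_with` answers review questions such as which roles besides Enterprise Admin can change certificates, and `writable_operations` lists everything a given role can modify before it is assigned to a user.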