Role-Based Access Control

With role-based access control (RBAC), you can restrict system access to authorized users. Users are assigned roles and each role has specific permissions.

To view the built-in and custom roles and their associated permissions, navigate to System > User Management > Roles and expand the row to view details. You can view permissions of all categories by expanding the role's permissions details.

After you have assigned an Active Directory (AD) user a role, if the username is changed on the AD server, you need to assign the role again using the new username.

Note: For Security Intelligence RBAC information, see the Using and Managing Security Intelligence documentation.

Roles and Permissions

There are four types of permissions. Included in the list are the abbreviations for the permissions that are used in the Roles and Permissions and Roles and Permissions for Manager Mode tables.

Full access (FA) - All permissions including Create, Read, Update, and Delete (CRUD)
Execute (E) - Includes Read and Update
Read (R)
None

NSX has the following built-in roles. Role names in the UI can be different in the API. In NSX, if you have permission, you can clone an existing role, add a new role, edit newly created roles, or delete newly created roles.

The following tables, Roles and Permissions and Roles and Permissions for Manager Mode, show the permissions that each built-in role has for different operations. Also included in the list are the abbreviations for the roles that are used.

Auditor (A)
Cloud Admin (CA) (Available in the Cloud environment only)
Cloud Operator (CO) (Available in the Cloud environment only)
Enterprise Admin (EA)
GI (Guest Introspection ) Partner Administrator (GIPA)
LB (Load Balancer) Admin (LBA)
LB Operator (LBO)
Network Admin (NA)
Network Operator (NO)
NETX (Network Introspection) Partner Administrator (NXPA)
Project Admin (PA) (Refer to note)
Security Admin (SA)
Security Operator (SO)
Support Bundle Collector (SBC)
VPN Admin (VPNA)

The Roles and Permissions tables do not include the Project Admin role. The Project Admin role has full access to all configurations in a project. The Network Admin, Network Operator, Security Admin, and Security Operator roles in a project have RBAC permissions only within the scope of the project, and not for the entire NSX system.

Table 1. Roles and Permissions
Operation	EA	A	NA	NO	SA	SO	CA	CO	LBA	LBO	VPNA	GIPA	NXPA	SBC
Networking > Tier-0 Gateways	FA	R	FA	R	R	R	FA	R	R	R	R	R	R	None
Networking > Tier-1 Gateways	FA	R	FA	R	R	R	FA	R	R	R	R	R	R	None
Networking > Network Interface	FA	R	FA	R	R	R	FA	R	R	R	R	R	R	None
Networking > Network Static Routes	FA	R	FA	R	R	R	FA	R	R	R	R	R	R	None
Networking > Locale Services	FA	R	FA	R	R	R	FA	R	R	R	R	R	R	None
Networking > Static ARP Configuration	FA	R	FA	R	R	R	FA	R	R	R	R	R	R	None
Networking > Segments	FA	R	FA	R	R	R	FA	R	R	R	R	R	R	None
Networking > Segments > Segment Profiles	FA	R	FA	R	R	R	FA	R	R	R	R	R	R	None
Networking > IP Address Pools	FA	R	FA	R	R	R	FA	R	R	R	None	None	None	None
Networking Forwarding Policies	FA	R	FA	R	FA	R	FA	R	NonE	None	None	None	None	None
Networking > DNS	FA	R	FA	FA	R	R	FA	R	R	R	None	None	None	None
Networking > DHCP	FA	R	FA	R	R	R	FA	R	R	R	None	None	None	None
Networking > Load Balancing	FA	R	None	None	R	None	FA	R	FA	R	None	None	None	None
Networking > NAT	FA	R	FA	R	FA	R	FA	R	R	R	None	None	None	None
Networking > VPN	FA	R	FA	R	FA	R	FA	R	None	None	FA	None	None	None
Networking > IPv6 Profiles	FA	R	FA	R	R	R	FA	R	R	R	None	None	None	None
Security > Distributed Firewall	FA	R	R	R	FA	R	FA	R	R	R	R	R	R	None
Security > Gateway Firewall	FA	R	R	R	FA	R	FA	R	None	None	None	None	FA	None
Security > Identity Firewall AD	FA	R	FA	R	FA	FA	FA	R	R	R	R	R	R	None
Security > Network Introspection	FA	R	R	R	FA	R	FA	R	None	None	None	None	FA	None
Security > Endpoint Protection Rules	FA	R	R	R	FA	R	FA	R	None	None	None	FA	None	None
Inventory > Context Profiles	FA	R	R	R	FA	R	R	R	R	R	R	R	R	None
Inventory > Virtual Machines	R	R	R	R	R	R	R	R	R	R	R	R	R	None
Inventory > Virtual Machines > Create & Assign Tags to VM	FA	R	R	R	FA	R	FA	R	R	R	R	FA	FA	None
Inventory > Containers	FA	R	R	R	R	R	None	None	None	None	None	None	None	None
Inventory > Physical Servers	FA	R	R	R	R	R	R	R	R	R	None	None	None	None
Plan & Troubleshoot > Port Mirroring	FA	R	FA	R	R	R	FA	R	None	None	None	None	None	None
Plan & Troubleshoot > Port Mirroring Binding	FA	R	FA	FA	R	R	FA	R	R	R	R	R	R	None
Plan & Troubleshoot > Monitoring Profile Binding	FA	R	FA	FA	R	R	FA	R	R	R	R	R	R	None
Plan & Troubleshoot > IPFIX > Firewall IPFIX Profiles	FA	R	FA	R	FA	R	FA	R	R	R	R	R	R	None
Plan & Troubleshoot > IPFIX > Switch IPFIX Profiles	FA	R	FA	R	R	R	FA	R	R	R	R	R	R	None
Plan & Troubleshoot > Collectors	FA	R	FA	R	R	R	FA	R	R	R	R	R	R	None
Plan & Troubleshoot > Traceflow	FA	FA	FA	FA	FA	FA	FA	FA	FA	FA	None	None	None	None
System > Fabric > Hosts > Clusters	FA	R	R	R	R	R	R	R	R	R	None	None	None	R
System > Fabric > Hosts > Other Nodes	FA	R	R	R	R	R	R	R	R	R	None	None	None	R
System > Fabric > Hosts > Standalone	FA	R	R	R	R	R	R	R	R	R	None	None	None	R
System > Fabric > Hosts > Transport Node Profile	FA	R	R	R	R	R	R	R	R	R	None	None	None	R
System > Fabric >Nodes Hosts	FA	R	R	R	R	R	R	R	None	None	None	None	None	None
System > Fabric > Nodes	FA	R	FA	R	FA	R	R	R	R	R	None	None	None	None
System > Fabric > Nodes > Edge Transport Nodes	FA	R	R	R	R	R	R	R	None	None	None	None	None	None
System > Fabric > Nodes > Edge Clusters	FA	R	FA	R	R	R	R	R	None	None	None	None	None	None
System > Fabric > Nodes > Container Clusters	FA	R	FA	R	R	R	None	None	R	R	None	None	None	None
System > Fabric > Nodes > Transport Nodes	FA	R	R	R	R	R	R	R	R	R	None	None	None	R
System > Fabric > Nodes > Tunnels	R	R	R	R	R	R	R	R	R	R	None	None	None	None
System > Fabric > Profiles > Uplink Profiles	FA	R	R	R	R	R	R	R	R	R	None	None	None	None
System > Fabric > Profiles > Edge Cluster Profiles	FA	R	FA	R	R	R	R	R	R	R	None	None	None	None
System > Fabric > Profiles > Configuration	FA	R	None	None	None	None	R	R	None	None	None	None	None	None
System > Fabric > Profiles > Node Profiles	FA	R	R	R	R	R	R	R	R	R	None	None	None	None
System > Fabric > Transport Zones > Add Zones	FA	R	R	R	R	R	R	R	R	R	None	None	None	None
System > Fabric > Transport Zones > Health Configuration	FA	R	R	R	R	R	R	R	R	R	None	None	None	None
System > Fabric > Compute Managers	FA	R	R	R	R	R	R	R	None	None	None	R	R	None
System > Fabric > Settings	FA	None	None	None	None	None	None	None	None	None	None	None	None	None
System > Certificates	FA	R	None	None	FA	R	None	None	FA	R	FA	None	None	None
System > Service Deployments > Service Instances	FA	R	R	R	FA	R	FA	R	None	None	None	FA	FA	None
System > Support Bundle	FA	None	None	None	None	None	None	None	None	None	None	None	None	FA
System > Backup	FA	R	None	None	None	None	None	None	None	None	None	None	None	None
System > Restore	FA	R	None	None	None	None	None	None	None	None	None	None	None	None
System > Upgrade	FA	R	R	R	R	R	None	None	None	None	None	None	None	None
System > Migrate	FA	None	None	None	None	None	None	None	None	None	None	None	None	FA
System > User Mgt > User Role Assignments	FA	R	None	None	None	None	FA	R	None	None	None	None	None	None
System > Local Users	FA	R	None	None	None	None	None	None	None	None	None	None	None	None
System > Roles	FA	R	FA	R	FA	FA	FA	R	R	R	R	R	R	None
System > Authentication Providers	FA	R	FA	R	FA	FA	R	R	R	R	R	R	R	None
System > Licenses	FA	R	R	R	R	R	None	None	None	None	None	None	None	None
System > System Administration	FA	R	R	R	R	R	R	R	None	None	None	None	None	None
Custom Dashboard Configuration	FA	R	R	R	R	R	FA	R	R	R	R	R	R	None

Table 2. Roles and Permissions for Manager Mode
Operation	EA	A	NA	NO	SA	SO	CA	CO	LBA	LBO	VPNA	GIPA	NXPA	SBC
Plan & Troubleshoot > Port Connection	E	R	E	E	E	E	E	R	E	E	None	None	None	None
Plan & Troubleshoot > Traceflow	FA	R	E	E	E	E	None	None	E	E	None	None	None	None
Plan & Troubleshoot > Live Traffic Analysis	FA	R	E	E	E	E	None	None	E	E	None	None	None	None
Plan & Troubleshoot > Port Mirroring	FA	R	FA	R	R	R	FA	R	None	None	None	None	None	None
Plan & Troubleshoot > IPFIX	FA	R	FA	R	FA	R	FA	R	R	R	R	R	R	None
Security > Distributed Firewall > General	FA	R	R	R	FA	R	FA	R	None	None	None	None	R	None
Security > Distributed Firewall > Configuration	FA	R	R	R	FA	R	FA	R	None	None	None	None	None	None
Security > Edge Firewall	FA	R	R	R	FA	R	FA	R	None	None	None	None	FA	None
Networking > Routers	FA	R	FA	FA	R	R	FA	R	R	R	R	None	R	None
Networking > NAT	FA	R	FA	R	FA	R	FA	R	R	R	None	None	None	None
Networking > DHCP > Server Profiles	FA	R	FA	R	None	None	FA	R	None	None	None	None	None	None
Networking > DHCP > Servers	FA	R	FA	R	None	None	FA	R	None	None	None	None	None	None
Networking > DHCP > Relay Profiles	FA	R	FA	R	None	None	FA	R	None	None	None	None	None	None
Networking > DHCP > Relay Services	FA	R	FA	R	None	None	FA	R	None	None	None	None	None	None
Networking > DHCP > Metadata Proxies	FA	R	FA	R	None	None	None	None	None	None	None	None	None	None
Networking > IPAM	FA	R	FA	FA	R	R	None	None	R	R	None	None	None	None
Networking > Logical Switches > Switches	FA	R	FA	R	R	R	FA	R	R	R	R	None	R	None
Networking > Logical Switches > Ports	FA	R	FA	R	R	R	FA	R	R	R	R	None	R	None
Networking > Logical Switches > Switching Profiles	FA	R	FA	R	R	R	FA	R	R	R	None	None	None	None
Networking > Load Balancing > Load Balancers	FA	R	None	None	R	None	FA	R	FA	R	None	None	None	None
Networking > Load Balancing > Profiles > SSL Profiles	FA	R	None	None	FA	R	FA	R	FA	R	None	None	None	None
Inventory > Groups	FA	R	FA	R	FA	R	FA	R	R	R	R	R	R	None
Inventory > Groups > IP Sets	FA	R	FA	R	FA	R	FA	R	R	R	R	R	R	None
Inventory > IP Pools	FA	R	FA	R	None	None	None	None	R	R	R	R	R	None
Inventory > Groups > MAC Sets	FA	R	FA	R	FA	R	FA	R	R	R	R	R	R	None
Inventory > Services	FA	R	FA	R	FA	R	FA	R	R	R	R	R	R	None
Inventory > Virtual Machines	R	R	R	R	R	R	R	R	R	R	R	R	R	None
Inventory > Virtual Machines > Create & Assign Tags to VM	FA	R	R	R	FA	R	FA	R	R	R	R	FA	FA	None
Inventory > Virtual Machines > Configure Tags	FA	None	None	None	None	None	None	None	None	None	None	None	None	None
System > Support Bundle	FA	None	None	None	None	None	None	None	None	None	None	None	None	FA