After adding an NSX VPC in your project, you can assign roles to users in the NSX VPC. These users can then configure the networking or security objects required for the workloads running inside the NSX VPC.
The following user roles can be assigned in an NSX VPC:
- VPC Admin
- Security Admin
- Network Admin
- Security Operator
- Network Operator
A VPC Admin has full access to all the networking and security objects inside an NSX VPC. The other user roles in an NSX VPC have limited access to objects in the NSX VPC as determined by the permissions of those roles.
Allowing the Project Admin and VPC Admin roles to make user role assignments might be perceived as a security risk in some NSX environments, because both roles can then configure role assignments for any user in the system. Therefore, by default only an Enterprise Admin can add user role assignments in NSX VPCs.
An Enterprise Admin can complete the following steps to grant the Project Admin and VPC Admin roles permission to add user role assignments:
- In the Default view, navigate to .
- Next to the Project Admin role, click , and then click Allow Role Assignments.
- Next to the VPC Admin role, click , and then click Allow Role Assignments.
For user authentication and authorization, NSX multi-tenancy supports the following identity sources:
- Local users (for example, guestuser1, guestuser2)
- VMware Identity Manager
- Lightweight Directory Access Protocol (LDAP)
- OpenID Connect
To add user role assignments in NSX VPCs, the following three methods are available:
- Method 1: Add Role Assignments for an NSX VPC from the User Management Page
  The User Management page is available only to the Enterprise Admin. Project Admin and VPC Admin cannot use this page even if an Enterprise Admin has granted them permissions to do user role assignments.
- Method 2: Add Role Assignments for an NSX VPC from the VPC Page
  The VPC page is available to both the Project Admin and the VPC Admin. However, they can add user roles from this page only when an Enterprise Admin has granted them permissions to do user role assignments.
- Method 3: Add Role Assignments for an NSX VPC from the Manage Projects Page
  The Manage Projects page is available to both the Enterprise Admin and the Project Admin. However, a Project Admin can add user roles from this page only when an Enterprise Admin has granted permissions to the Project Admin role to do user role assignments.
  To learn more about this method, see Add Role Assignments for an NSX Project from the Manage Projects Page.
  A VPC Admin cannot access the Manage Projects page.