After adding a project, you can assign roles to users in the project. These users can then start configuring networking or security objects in the project.
- Project Admin
- Security Admin
- Network Admin
- Security Operator
- Network Operator
A Project Admin has full access to all the networking and security objects inside a project. The other project-specific user roles have limited access to objects inside the project as determined by the permissions of those roles.
Allowing a Project Admin to assign user roles can be perceived as a security risk in some NSX environments, because it lets a Project Admin configure role assignments for any user in the system. For this reason, the default behavior is to allow only an Enterprise Admin to add user role assignments in projects.
- In the Default view, navigate to .
- Next to the Project Admin role, click , and then click Allow Role Assignments.
- Local users (for example, guestuser1, guestuser2)
- VMware Identity Manager
- Lightweight Directory Access Protocol (LDAP)
- OpenID Connect (See the note after this bulleted list)
- Principal Identity (using certificate or JSON Web Token)
To add user role assignments in projects, the following two methods are available:
- Method 1: Add User Role Assignments from the User Management Page
The User Management page is available only to the Enterprise Admin. A Project Admin cannot use this page even if an Enterprise Admin has granted permissions to the Project Admin role to do user role assignments in projects.
- Method 2: Add User Role Assignments from the Manage Projects Page
The Manage Projects page is available to both the Enterprise Admin and the Project Admin. However, a Project Admin can add user roles from this page only when an Enterprise Admin has granted permissions to the Project Admin role to do user role assignments.