You can assign roles to users or user groups if VMware Identity Manager™ is integrated with NSX, or if you have LDAP as an authentication provider. You can also assign roles to principal identities.
A principal identity has the following properties:
- Name
- Node ID - this can be any alphanumeric value assigned to a principal identity
- Certificate
- RBAC role indicating the access rights of this principal
Users (local, remote, or principal identity) with the Enterprise Administrator role can modify or delete objects owned by principal identities. Users (local, remote, or principal identity) without the Enterprise Administrator role cannot modify or delete protected objects owned by principal identities, but can modify or delete unprotected objects.
If a principal identity user's certificate expires, you must import a new certificate and make an API call to update the principal identity user's certificate (see the procedure below). For more information about the NSX API, a link to the API resource is available at https://code.vmware.com.
The certificate must meet the following requirements:
- SHA256 based.
- RSA or DSA key with a key size of 2048 bits or more.
- It cannot be a root certificate.
You can delete a principal identity using the API. However, deleting a principal identity does not automatically delete the corresponding certificate. You must delete the certificate manually.
- Get the details of the principal identity to delete and note the certificate_id value in the response.
GET /api/v1/trust-management/principal-identities/<principal-identity-id>
- Delete the principal identity.
DELETE /api/v1/trust-management/principal-identities/<principal-identity-id>
- Delete the certificate using the certificate_id value obtained in step 1.
DELETE /api/v1/trust-management/certificates/<certificate_id>
For LDAP, you configure the mapping of user groups to NSX roles; the groups correspond to the user groups defined in Active Directory (AD). To grant a user permissions on NSX, add that user to the mapped group in AD. Starting in NSX 4.2, a single LDAP identity source can add up to 20 groups to NSX. Attempting to add more than 20 groups results in an error.
Prerequisites
You must have an authentication provider configured:
- For role assignment for vIDM, verify that a vIDM host is associated with NSX. For more information, see Configure VMware Identity Manager/Workspace ONE Access Integration.
- For role assignment for LDAP, verify that you have an LDAP identity source. For more information, see LDAP Identity Source.
Procedure
- With admin privileges, log in to NSX Manager.
- Select .
- To assign roles to users, select .
- Select a user or user group.
- Select a role.
- Click Save.
- To add a principal identity, select .
- Enter a name for the principal identity.
- Select a role.
- Enter a node ID.
- Enter a certificate in PEM format.
- Click Save.
- To add a role assignment for LDAP, select .
- Select a domain.
- Enter the first few characters of the user's name, login ID, or a group name to search the LDAP directory, then select a user or group from the list that appears.
- Select a role.
- Click Save.
- If the certificate for the principal identity expires, perform the following steps. Do not use this procedure to replace Local Manager or Global Manager principal identity certificates; to replace those certificates, see Replace Certificates Through API.
- Import a new certificate and note the certificate's ID. See Import a Self-signed or CA-signed Certificate.
- Call the following API to get the ID of the principal identity.
GET https://<nsx-mgr>/api/v1/trust-management/principal-identities
- Call the following API to update the principal identity's certificate. You must provide the imported certificate's ID and the principal identity user's ID.
For example:
POST https://<nsx-mgr>/api/v1/trust-management/principal-identities?action=update_certificate
{
  "principal_identity_id": "ebd3032d-728e-44d4-9914-d4f81c9972cb",
  "certificate_id": "abd3032d-728e-44d4-9914-d4f81c9972cc"
}
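The two API sequences on this page, deleting a principal identity together with its orphaned certificate and rotating an expired principal identity certificate, are shown below as an added Python example. It is not VMware's code or SDK. The real transport assumes HTTP basic authentication against NSX Manager and the standard NSX list envelope with a "results" array; the in-memory FakeNsx responder, the name "backup-pi" and the node ID are constructed so the flow runs offline (the two UUIDs are the sample values from the request above).

```python
"""Added example (not VMware's own code or SDK): the two principal-identity API
sequences on this page (delete a principal identity and then its orphaned
certificate; rotate an expired principal identity certificate) driven through
a small client with an injectable HTTP transport, so the flow runs offline."""
import base64
import json
import urllib.request

PI_PATH = "/api/v1/trust-management/principal-identities"
CERT_PATH = "/api/v1/trust-management/certificates"


def urllib_transport(base_url, username, password):
    """Real transport (assumption: HTTP basic auth against NSX Manager).
    Returns send(method, path, body) -> decoded JSON dict ({} when no content)."""
    cred = base64.b64encode(f"{username}:{password}".encode()).decode()

    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method)
        req.add_header("Authorization", "Basic " + cred)
        if data is not None:
            req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    return send


def delete_principal_identity(send, pi_id):
    """Page procedure: GET the principal identity and note certificate_id,
    DELETE the principal identity, then DELETE the certificate, because NSX
    does not remove it for you. Returns the certificate id that was cleaned up."""
    pi = send("GET", f"{PI_PATH}/{pi_id}")
    cert_id = pi["certificate_id"]  # recorded before the principal identity is gone
    send("DELETE", f"{PI_PATH}/{pi_id}")
    send("DELETE", f"{CERT_PATH}/{cert_id}")
    return cert_id


def rotate_principal_identity_certificate(send, pi_name, new_cert_id):
    """Page procedure for an expired certificate: list principal identities to
    find the id for pi_name (assumes the NSX list envelope with a "results"
    array), then POST ?action=update_certificate with both ids."""
    listing = send("GET", PI_PATH)
    matches = [pi for pi in listing.get("results", []) if pi.get("name") == pi_name]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one principal identity named "
                          f"{pi_name!r}, found {len(matches)}")
    body = {"principal_identity_id": matches[0]["id"], "certificate_id": new_cert_id}
    return send("POST", f"{PI_PATH}?action=update_certificate", body)


class FakeNsx:
    """Constructed in-memory stand-in for NSX Manager (UUIDs are the page's
    sample values; the name and node ID are made up). Callable with the same
    (method, path, body) signature as the real transport."""

    def __init__(self):
        self.pis = {"ebd3032d-728e-44d4-9914-d4f81c9972cb": {
            "id": "ebd3032d-728e-44d4-9914-d4f81c9972cb",
            "name": "backup-pi", "node_id": "node-01",
            "certificate_id": "abd3032d-728e-44d4-9914-d4f81c9972cc"}}
        self.certs = {"abd3032d-728e-44d4-9914-d4f81c9972cc": "<pem>"}
        self.calls = []  # (method, path, body) in the order they were issued

    def __call__(self, method, path, body=None):
        self.calls.append((method, path, body))
        if method == "GET" and path == PI_PATH:
            return {"results": list(self.pis.values())}
        if method == "POST" and path == f"{PI_PATH}?action=update_certificate":
            if body["certificate_id"] not in self.certs:
                raise KeyError("certificate must be imported before it is assigned")
            pi = self.pis[body["principal_identity_id"]]
            pi["certificate_id"] = body["certificate_id"]
            return pi
        if path.startswith(PI_PATH + "/"):
            store, key = self.pis, path[len(PI_PATH) + 1:]
        elif path.startswith(CERT_PATH + "/"):
            store, key = self.certs, path[len(CERT_PATH) + 1:]
        else:
            raise ValueError(f"unhandled {method} {path}")
        if method == "GET":
            return store[key]
        if method == "DELETE":
            del store[key]
            return {}
        raise ValueError(f"unhandled {method} {path}")


if __name__ == "__main__":
    nsx = FakeNsx()
    removed = delete_principal_identity(nsx, "ebd3032d-728e-44d4-9914-d4f81c9972cb")
    print("removed certificate", removed, "via", [c[0] for c in nsx.calls])
```

Against a real NSX Manager, pass `urllib_transport("https://<nsx-mgr>", user, password)` in place of the fake. The rotation helper refuses to act unless exactly one principal identity matches the name, and the fake rejects a certificate id that was never imported, which mirrors the page's ordering: import the certificate first, then update the principal identity.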