You can assign roles to users or user groups if VMware Identity Manager™ is integrated with NSX, or if you have LDAP as an authentication provider. You can also assign roles to principal identities.

A principal is a component or a third-party application such as an OpenStack product. With a principal identity, a principal can use the identity name to create an object and ensure that only an entity with the same identity name can modify or delete the object. A principal identity has the following properties:
  • Name
  • Node ID - this can be any alphanumeric value assigned to a principal identity
  • Certificate
  • RBAC role indicating the access rights of this principal

Users (local, remote, or principal identity) with the Enterprise Administrator role can modify or delete objects owned by principal identities. Users (local, remote, or principal identity) without the Enterprise Administrator role cannot modify or delete protected objects owned by principal identities, but can modify or delete unprotected objects.

If a principal identity user's certificate expires, you must import a new certificate and make an API call to update the principal identity user's certificate (see the procedure below). For more information about the NSX API, a link to the API resource is available at https://code.vmware.com.

A principal identity user's certificate must satisfy the following requirements:
  • SHA256 based.
  • RSA/DSA message algorithm with 2048 bits or above key size.
  • It cannot be a root certificate.

You can delete a principal identity using the API. However, deleting a principal identity does not automatically delete the corresponding certificate. You must delete the certificate manually.

Steps to delete a principal identity and its certificate:
  1. Get the details of the principal identity to delete and note the certificate_id value in the response.

    GET /api/v1/trust-management/principal-identities/<principal-identity-id>

  2. Delete the principal identity.

    DELETE /api/v1/trust-management/principal-identities/<principal-identity-id>

  3. Delete the certificate using the certificate_id value obtained in step 1.

    DELETE /api/v1/trust-management/certificates/<certificate_id>

For LDAP, you configure user groups to user roles mapping information; the groups correspond to the user groups specified in the Active Directory (AD). To grant user permissions on NSX, add that user to the mapped group in AD. Starting in NSX 4.2, a single LDAP identity source can add up to 20 groups to NSX. An error will result if more than 20 groups are attempted.

Prerequisites

You must have an authentication provider configured:

Procedure

  1. With admin privileges, log in to NSX Manager.
  2. Select System > User Management.
  3. To assign roles to users, select Add > Role Assignment for vIDM.
    1. Select a user or user group.
    2. Select a role.
    3. Click Save.
  4. To add a principal identity, select Add > Principal Identity with Role.
    1. Enter a name for the principal identity.
    2. Select a role.
    3. Enter a node ID.
    4. Enter a certificate in PEM format.
    5. Click Save.
  5. To add a role assignment for LDAP select Add > Role Assignment for LDAP.
    1. Select a domain.
    2. Enter the first few characters of the user's name, login ID, or a group name to search the LDAP directory, then select a user or group from the list that appears.
    3. Select a role.
    4. Click Save.
  6. If the certificate for the principal identity expires, perform the following steps. Do not use this procedure to replace Local Manager or Global Manager principal identity certificates. Instead, to replace those certificates refer to Replace Certificates Through API for details.
    1. Import a new certificate and note the certificate's ID. See Import a Self-signed or CA-signed Certificate.
    2. Call the following API to get the ID of the principal identity.
      GET https://<nsx-mgr>/api/v1/trust-management/principal-identities
    3. Call the following API to update the principal identity's certificate. You must provide the imported certificate's ID and the principal identity user's ID.
      For example,
      POST https://<nsx-mgr>/api/v1/trust-management/principal-identities?action=update_certificate
      {
          "principal_identity_id": "ebd3032d-728e-44d4-9914-d4f81c9972cb",
          "certificate_id" : "abd3032d-728e-44d4-9914-d4f81c9972cc"
      }