You can control the cross-tenancy availability of NSX security objects in vRealize Automation.

When you create an NSX security object in vRealize Automation, its default availability can be either global, meaning available in all tenants for which the associated endpoint has a reservation, or hidden to all users except the administrator.

Availability of security objects across tenants is also relative to whether the associated endpoint has a reservation or reservation policy in the tenant.

NSX does not tenant security groups. However, you can control security group availability in vRealize Automation by using the VMware.Endpoint.NSX.HideDiscoveredSecurityObjects custom property.

By default, new security objects are available to all tenants for the associated NSX endpoints in which you have a reservation. If the endpoint does not have a reservation in the active tenant, the security objects are not available in the active tenant.

If you have not set the VMware.Endpoint.NSX.HideDiscoveredSecurityObjects custom property on NSX endpoints, new security objects are set to global by default. Security objects that existed prior to upgrading to this release of vRealize Automation are set to global regardless of the custom property.


When you upgrade to this vRealize Automation release, security groups from the previous release are set to global by default. Existing security groups and security tags are available in all tenants in which the associated endpoint has a reservation.

You can hide new security groups by default by adding the VMware.Endpoint.NSX.HideDiscoveredSecurityObjects custom property to the associated NSX endpoint. This setting takes effect the next time the NSX endpoint is data-collected and applied only to new security objects.

For more information about the VMware.Endpoint.NSX.HideDiscoveredSecurityObjects custom property, see Custom Properties for Networking and Security.

You can also change the tenancy setting of an existing security object programmatically. For example, if a security group is set to global, you can change the tenant availability of a security object by using the associated NSX endpoint's Tenant ID setting in the vRealize Automation REST API or vRealize CloudClient. The available Tenant ID settings for the NSX endpoint are as follows:

  • "<global>" - the security object is available to all tenants. This is the default setting for existing security objects after upgrade to this release and for all new security objects that you create.

  • "<unscoped>" - the security object is not available to any tenants. Only the system administrator can access the security object. This is an ideal setting when defining security objects that are to eventually be assigned to a specific tenant.

  • "tenant_id_name" - the security object is only available to a single, named tenant.

You can use the vRealize Automation REST API or vRealize CloudClient tools to assign the Tenant ID parameter (tenantId) of security objects that are associated to a specific endpoint to a named tenant. For related information, see and For information about vRealize CloudClient, see For additional information, see the vRealize Automation Programming Guide at