NSX-V Users and Permissions by Feature

Article ID: 303235

Products

VMware NSX

Issue/Introduction

Administrators deploying and operating NSX-V need to know which NSX Manager role grants read or read/write access to each feature, so that accounts can be assigned the least-privileged role that still covers their tasks.

Environment

VMware NSX Data Center for vSphere (NSX-V)

Resolution

NSX-V defines a fixed set of roles and, for each service feature, grants a role either read-only or read/write access. The definitions below list the roles, their object permission and scope, the services and features, and the per-role feature access; a feature that is not granted to a role is not accessible to that role.
 
 
Roles Definition
 
The available roles are as follows:
 
roles = system_write, system_urm, super_user, vshield_admin, security_admin, auditor, dlp_svm, epsec_host, enterprise_admin, component_manager_user, replicator
 
local_user_roles = system_write, system_urm, super_user, security_admin, auditor, dlp_svm, epsec_host, component_manager_user, replicator
 
system_roles = system_write, system_urm, dlp_svm, epsec_host, replicator
 
 
Permission Types
 
The permission types are read and write.
 
 
Roles Access Definition
 
The role access definitions determine whether a role has read or read/write permission.
 
super_user.object_permission = read, write
vshield_admin.object_permission = read, write
security_admin.object_permission = read, write
auditor.object_permission = read
system_write.object_permission = read, write
system_urm.object_permission = read
dlp_svm.object_permission = read, write
epsec_host.object_permission = read, write
enterprise_admin.object_permission = read, write
replicator.object_permission = read, write
 

Root Definition

The root definition describes the superuser roles.
 
super_user.superuser = true
system_write.superuser = true
 
 
Role to Object Access for Global Scope
 
vshield_admin.object_access_scope.global = true
super_user.object_access_scope.global = true
system_write.object_access_scope.global = true
system_urm.object_access_scope.global = true
dlp_svm.object_access_scope.global = true
epsec_host.object_access_scope.global = true
enterprise_admin.object_access_scope.global = true
 
 
Role to Object Access for Universal Scope
 
replicator.object_access_scope.universal=true
system_write.object_access_scope.universal=true
 
 
Services
 
The following services are available in NSX:
administration, urm, edge, app, namespace, spoofguard, dlp, epsec, library, install, vdn, eam, si, truststore, component_manager, ipam, secfabric, security_policy, messaging, replicator

Note that the feature definitions below also list features for pgi and blueprint_sam, which do not appear in this list.
 
 
Feature Definitions
 
The feature definitions within each service are as follows. Note that the feature access definitions later on this page refer to epsec.scan_scheduling, whereas this list names the feature epsec.scan.
 
administration.featurelist = administration.configuration, administration.update,
administration.system_events, administration.audit_logs, administration.debug
urm.featurelist = urm.user_account_management, urm.object_access_control, urm.feature_access_control
edge.featurelist = edge.system, edge.nat, edge.firewall, edge.dhcp, edge.loadbalancer, edge.vpn,
edge.syslog, edge.support, edge.routing, edge.certificate, edge.appliance, edge.highavailability, edge.dns, edge.vnic, edge.ssh, edge.autoplumbing, edge.statistics, edge.bridging, edge.systemcontrol
app.featurelist = app.config, app.firewall, app.flow, app.forcesync, app.syslog, app.techsupport
pgi.featurelist = pgi.switch, pgi.portgroup, pgi.lkm
namespace.featurelist = namespace.config
spoofguard.featurelist = spoofguard.config
dlp.featurelist = dlp.scan_scheduling, dlp.reports, dlp.policy, dlp.svm_interaction
epsec.featurelist = epsec.registration, epsec.health_monitoring, epsec.manager, epsec.policy, epsec.svm_priv, epsec.scan, epsec.reports
library.featurelist = library.grouping, library.host_preparation, library.tagging
install.featurelist = install.app, install.epsec, install.dlp
vdn.featurelist = vdn.config_nsm, vdn.provision
eam.featurelist = eam.install
si.featurelist = si.service, si.serviceprofile
truststore.featurelist = truststore.trustentity_management
component_manager.featurelist = healthstatus
ipam.featurelist = ipam.configuration, ipam.ipallocation
secfabric.featurelist = secfabric.deploy, secfabric.alarms
security_policy.featurelist = security_policy.configuration, security_policy.security_group_binding
blueprint_sam.featurelist = blueprint_sam.reports, blueprint_sam.ad_config,
blueprint_sam.control_data_collection, blueprint_sam.techsupport, blueprint_sam.db_maintain
messaging.featurelist = messaging.messaging
replicator.featurelist = replicator.configuration
 
 
Feature Access Definitions
 
For each feature and role combination, the feature access definition states whether a user holding that role has read-only or read/write permission on the feature.

When a feature and role combination is not listed, a user with that role has no access to that feature at all. Access is therefore an allow list: anything not explicitly granted is denied.

For example:
auditor.app.firewall = read
security_admin.app.firewall = read, write

This means the auditor role has read-only access to the app.firewall feature, whereas the security_admin role has read/write access to it.

When choosing a role, pay particular attention to write access on urm.user_account_management: a role holding it (vshield_admin, enterprise_admin and replicator below) can manage other user accounts and should be treated as administrative even where its other grants are limited. security_admin and auditor have no urm entries and therefore cannot manage accounts.
 
 
Feature Access Definitions - system_urm
 
system_urm.urm.user_account_management = read
 
 
Feature Access Definitions - vshield_admin
vshield_admin.administration.configuration = read, write
vshield_admin.administration.update = read, write
vshield_admin.administration.system_events = read, write
vshield_admin.administration.audit_logs = read
vshield_admin.urm.user_account_management = read, write
vshield_admin.urm.object_access_control = read
vshield_admin.urm.feature_access_control = read
vshield_admin.edge.system = read, write
vshield_admin.edge.appliance = read, write
vshield_admin.edge.highavailability = read, write
vshield_admin.edge.vnic = read, write
vshield_admin.edge.dns = read
vshield_admin.edge.ssh = read, write
vshield_admin.edge.autoplumbing = read
vshield_admin.edge.statistics = read
vshield_admin.edge.nat = read
vshield_admin.edge.dhcp = read
vshield_admin.edge.loadbalancer = read
vshield_admin.edge.vpn = read
vshield_admin.edge.syslog = read, write
vshield_admin.edge.support = read, write
vshield_admin.edge.routing = read
vshield_admin.edge.firewall = read
vshield_admin.edge.bridging = read
vshield_admin.edge.certificate = read
vshield_admin.edge.systemcontrol = read, write
vshield_admin.library.grouping = read
vshield_admin.app.config = read, write
vshield_admin.app.forcesync = read, write
vshield_admin.app.syslog = read, write
vshield_admin.app.techsupport = read, write
vshield_admin.namespace.config = read, write
vshield_admin.dlp.scan_scheduling = read, write
vshield_admin.epsec.reports = read, write
vshield_admin.epsec.registration = read, write
vshield_admin.epsec.health_monitoring = read
vshield_admin.epsec.policy = read, write
vshield_admin.epsec.scan_scheduling = read, write
vshield_admin.library.host_preparation = read, write
vshield_admin.library.tagging = read
vshield_admin.install.app = read, write
vshield_admin.install.epsec = read, write
vshield_admin.install.dlp = read, write
vshield_admin.vdn.config_nsm = read, write
vshield_admin.vdn.provision = read, write
vshield_admin.eam.install = read, write
vshield_admin.si.service = read, write
vshield_admin.si.serviceprofile = read, write
vshield_admin.truststore.trustentity_management = read, write
vshield_admin.ipam.configuration = read, write
vshield_admin.ipam.ipallocation = read, write
vshield_admin.secfabric.deploy = read, write
vshield_admin.secfabric.alarms = read, write
vshield_admin.blueprint_sam.ad_config = read, write
vshield_admin.blueprint_sam.control_data_collection = read, write
vshield_admin.blueprint_sam.techsupport = read, write
vshield_admin.blueprint_sam.db_maintain = read, write
vshield_admin.messaging.messaging = read, write
vshield_admin.replicator.configuration = read, write
 
 
Feature Access Definitions - security_admin
security_admin.administration.system_events = read, write
security_admin.administration.audit_logs = read
security_admin.edge.system = read
security_admin.edge.appliance = read
security_admin.edge.highavailability = read
security_admin.edge.vnic = read, write
security_admin.edge.dns = read, write
security_admin.edge.ssh = read, write
security_admin.edge.autoplumbing = read, write
security_admin.edge.statistics = read
security_admin.edge.nat = read, write
security_admin.edge.dhcp = read, write
security_admin.edge.loadbalancer = read, write
security_admin.edge.vpn = read, write
security_admin.edge.syslog = read, write
security_admin.edge.support = read, write
security_admin.edge.routing = read, write
security_admin.edge.firewall = read, write
security_admin.edge.bridging = read, write
security_admin.edge.certificate = read, write
security_admin.edge.systemcontrol = read, write
security_admin.app.firewall = read, write
security_admin.app.flow = read, write
security_admin.app.forcesync = read
security_admin.app.syslog = read
security_admin.namespace.config = read
security_admin.spoofguard.config = read, write
security_admin.dlp.reports = read, write
security_admin.dlp.policy = read, write
security_admin.epsec.policy = read, write
security_admin.epsec.reports = read
security_admin.epsec.health_monitoring = read
security_admin.library.grouping = read, write
security_admin.library.tagging = read, write
security_admin.install.app = read
security_admin.install.epsec = read
security_admin.install.dlp = read
security_admin.vdn.config_nsm = read
security_admin.vdn.provision = read
security_admin.eam.install = read
security_admin.si.service = read, write
security_admin.si.serviceprofile = read
security_admin.truststore.trustentity_management = read, write
security_admin.ipam.configuration = read, write
security_admin.ipam.ipallocation = read, write
security_admin.secfabric.alarms = read
security_admin.secfabric.deploy = read
security_admin.security_policy.configuration = read, write
security_admin.security_policy.security_group_binding = read, write
security_admin.blueprint_sam.reports = read
security_admin.blueprint_sam.ad_config = read
security_admin.blueprint_sam.control_data_collection = read
security_admin.blueprint_sam.db_maintain = read
security_admin.messaging.messaging = read, write
security_admin.replicator.configuration = read
 
 
Feature Access Definitions - auditor
auditor.administration.system_events = read
auditor.administration.audit_logs = read
auditor.edge.appliance = read
auditor.edge.highavailability = read
auditor.edge.vnic = read
auditor.edge.dns = read
auditor.edge.ssh = read
auditor.edge.autoplumbing = read
auditor.edge.statistics = read
auditor.edge.nat = read
auditor.edge.dhcp = read
auditor.edge.loadbalancer = read
auditor.edge.vpn = read
auditor.edge.syslog = read
auditor.edge.routing = read
auditor.edge.firewall = read
auditor.edge.bridging = read
auditor.edge.system = read
auditor.edge.certificate = read
auditor.edge.systemcontrol = read
auditor.app.firewall = read
auditor.app.flow = read
auditor.app.forcesync = read
auditor.app.syslog = read
auditor.namespace.config = read
auditor.spoofguard.config = read
auditor.dlp.scan_scheduling = read
auditor.dlp.policy = read
auditor.dlp.reports = read
auditor.library.grouping = read
auditor.epsec.health_monitoring = read
auditor.epsec.policy = read
auditor.epsec.reports = read
auditor.epsec.registration = read
auditor.vdn.config_nsm = read
auditor.epsec.scan_scheduling = read
auditor.vdn.provision = read
auditor.si.service = read
auditor.si.serviceprofile = read
auditor.truststore.trustentity_management = read
auditor.secfabric.alarms = read
auditor.secfabric.deploy = read
auditor.security_policy.configuration = read
auditor.security_policy.security_group_binding = read
auditor.blueprint_sam.reports = read
auditor.blueprint_sam.ad_config = read
auditor.blueprint_sam.control_data_collection = read
auditor.blueprint_sam.db_maintain = read
auditor.library.tagging = read
auditor.ipam.configuration = read
auditor.ipam.ipallocation = read
auditor.messaging.messaging = read
auditor.replicator.configuration = read
 
 
Feature Access Definitions - dlp_svm
dlp_svm.dlp.svm_interaction = read, write
dlp_svm.epsec.svm_priv = read, write
dlp_svm.epsec.registration = read
dlp_svm.epsec.policy = read
dlp_svm.epsec.scan_scheduling = read
dlp_svm.library.host_preparation = read, write
dlp_svm.library.tagging = read, write
 
 
Feature Access Definitions - epsec_host
epsec_host.epsec.registration = read
epsec_host.epsec.health_monitoring = write
 
 
Feature Access Definitions - enterprise_admin
enterprise_admin.administration.configuration = read, write
enterprise_admin.administration.update = read, write
enterprise_admin.administration.system_events = read, write
enterprise_admin.administration.audit_logs = read
enterprise_admin.urm.user_account_management = read, write
enterprise_admin.urm.object_access_control = read
enterprise_admin.urm.feature_access_control = read
enterprise_admin.edge.system = read, write
enterprise_admin.edge.appliance = read, write
enterprise_admin.edge.highavailability = read, write
enterprise_admin.edge.vnic = read, write
enterprise_admin.edge.dns = read, write
enterprise_admin.edge.ssh = read, write
enterprise_admin.edge.autoplumbing = read, write
enterprise_admin.edge.statistics = read, write
enterprise_admin.edge.nat = read, write
enterprise_admin.edge.dhcp = read, write
enterprise_admin.edge.loadbalancer = read, write
enterprise_admin.edge.vpn = read, write
enterprise_admin.edge.syslog = read, write
enterprise_admin.edge.support = read, write
enterprise_admin.edge.routing = read, write
enterprise_admin.edge.firewall = read, write
enterprise_admin.edge.bridging = read, write
enterprise_admin.edge.certificate = read, write
enterprise_admin.edge.systemcontrol = read, write
enterprise_admin.library.grouping = read, write
enterprise_admin.library.host_preparation = read, write
enterprise_admin.library.tagging = read, write
enterprise_admin.app.config = read, write
enterprise_admin.app.forcesync = read, write
enterprise_admin.app.syslog = read, write
enterprise_admin.app.techsupport = read, write
enterprise_admin.app.firewall = read, write
enterprise_admin.app.flow = read, write
enterprise_admin.namespace.config = read, write
enterprise_admin.dlp.scan_scheduling = read, write
enterprise_admin.dlp.reports = read, write
enterprise_admin.dlp.policy = read, write
enterprise_admin.epsec.registration = read, write
enterprise_admin.epsec.health_monitoring = read
enterprise_admin.epsec.scan_scheduling = read, write
enterprise_admin.epsec.reports = read, write
enterprise_admin.epsec.policy = read, write
enterprise_admin.install.app = read, write
enterprise_admin.install.epsec = read, write
enterprise_admin.install.dlp = read, write
enterprise_admin.eam.install = read, write
enterprise_admin.spoofguard.config = read, write
enterprise_admin.vdn.config_nsm = read, write
enterprise_admin.vdn.provision = read, write
enterprise_admin.si.service = read, write
enterprise_admin.si.serviceprofile = read, write
enterprise_admin.truststore.trustentity_management = read, write
enterprise_admin.ipam.configuration = read, write
enterprise_admin.ipam.ipallocation = read, write
enterprise_admin.secfabric.deploy = read, write
enterprise_admin.secfabric.alarms = read, write
enterprise_admin.security_policy.configuration = read, write
enterprise_admin.security_policy.security_group_binding = read, write
enterprise_admin.blueprint_sam.reports = read
enterprise_admin.blueprint_sam.ad_config = read, write
enterprise_admin.blueprint_sam.control_data_collection = read, write
enterprise_admin.blueprint_sam.techsupport = read, write
enterprise_admin.blueprint_sam.db_maintain = read, write
enterprise_admin.messaging.messaging = read, write
enterprise_admin.replicator.configuration = read, write
 
 
Feature Access Definitions - component_manager_user
component_manager_user.component_manager.healthstatus = read
 
 
Feature Access Definitions - replicator
replicator.administration.configuration = read, write
replicator.administration.update = read, write
replicator.administration.system_events = read, write
replicator.administration.audit_logs = read
replicator.urm.user_account_management = read, write
replicator.urm.object_access_control = read
replicator.urm.feature_access_control = read
replicator.edge.system = read, write
replicator.edge.appliance = read, write
replicator.edge.highavailability = read
replicator.edge.vnic = read, write
replicator.edge.dns = read
replicator.edge.ssh = read
replicator.edge.autoplumbing = read, write
replicator.edge.statistics = read
replicator.edge.nat = read
replicator.edge.dhcp = read, write
replicator.edge.loadbalancer = read
replicator.edge.vpn = read
replicator.edge.syslog = read
replicator.edge.support = read
replicator.edge.routing = read, write
replicator.edge.firewall = read
replicator.edge.bridging = read
replicator.edge.certificate = read
replicator.edge.systemcontrol = read
replicator.library.grouping = read, write
replicator.library.host_preparation = read, write
replicator.library.tagging = read, write
replicator.app.config = read, write
replicator.app.forcesync = read, write
replicator.app.syslog = read, write
replicator.app.techsupport = read, write
replicator.app.firewall = read, write
replicator.app.flow = read, write
replicator.namespace.config = read, write
replicator.dlp.scan_scheduling = read, write
replicator.dlp.reports = read, write
replicator.dlp.policy = read, write
replicator.epsec.registration = read, write
replicator.epsec.health_monitoring = read
replicator.epsec.scan_scheduling = read, write
replicator.epsec.reports = read, write
replicator.epsec.policy = read, write
replicator.install.app = read, write
replicator.install.epsec = read, write
replicator.install.dlp = read, write
replicator.eam.install = read, write
replicator.spoofguard.config = read, write
replicator.vdn.config_nsm = read, write
replicator.vdn.provision = read, write
replicator.si.service = read, write
replicator.si.serviceprofile = read, write
replicator.truststore.trustentity_management = read, write
replicator.ipam.configuration = read, write
replicator.ipam.ipallocation = read, write
replicator.secfabric.deploy = read, write
replicator.secfabric.alarms = read, write
replicator.security_policy.configuration = read, write
replicator.security_policy.security_group_binding = read, write
replicator.blueprint_sam.reports = read
replicator.blueprint_sam.ad_config = read, write
replicator.blueprint_sam.control_data_collection = read, write
replicator.blueprint_sam.techsupport = read, write
replicator.blueprint_sam.db_maintain = read, write
replicator.messaging.messaging = read, write
replicator.replicator.configuration = read, write
 
 
Overwrite Role Feature Permissions on Secondary Node on Universal Objects

On a secondary NSX Manager in a cross-vCenter deployment, the following entries replace the corresponding feature access definitions above for universal objects. Each line gives the effective permission of that role on that edge feature on the secondary node; combinations not listed here keep the permission from the feature access definitions above.
secondary.super_user.edge.highavailability = read, write
secondary.enterprise_admin.edge.highavailability = read, write
secondary.vshield_admin.edge.highavailability = read, write
secondary.super_user.edge.ssh = read, write
secondary.enterprise_admin.edge.ssh = read, write
secondary.security_admin.edge.ssh = read, write
secondary.vshield_admin.edge.ssh = read, write
secondary.super_user.edge.syslog = read, write
secondary.enterprise_admin.edge.syslog = read, write
secondary.security_admin.edge.syslog = read, write
secondary.vshield_admin.edge.syslog = read, write
secondary.super_user.edge.support = read, write
secondary.enterprise_admin.edge.support = read, write
secondary.security_admin.edge.support = read, write
secondary.vshield_admin.edge.support = read, write
secondary.super_user.edge.routing = read, write
secondary.security_admin.edge.routing = read, write
secondary.enterprise_admin.edge.routing = read, write
secondary.super_user.edge.appliance = read, write
secondary.vshield_admin.edge.appliance = read, write
secondary.enterprise_admin.edge.appliance = read, write
secondary.super_user.edge.vnic = read, write
secondary.vshield_admin.edge.vnic = read, write
secondary.enterprise_admin.edge.vnic = read, write
secondary.super_user.edge.firewall = read, write
secondary.vshield_admin.edge.firewall = read, write
secondary.enterprise_admin.edge.firewall = read, write
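The following Python script is an added example, not VMware code and not part of this KB article. It parses definition lines in exactly the format used on this page (feature access definitions, superuser flags and the secondary-node overrides in this section) and answers the questions an administrator usually has: what a role may do on a feature on a primary or secondary NSX Manager, which roles can write to a given feature, and which roles are the tightest fit for a task. The embedded sample text is a constructed excerpt of this page's own definition lines. Two rules are this example's assumptions rather than statements from the page: a role with superuser = true is treated as having read and write on every feature, and a secondary entry replaces the base entry for that role and feature.

```python
"""Query NSX-V role/feature access definitions in the format listed on this page.

Added example, not VMware code. The parsing rules, the secondary-node merge
and the treatment of superuser roles are this example's own assumptions.
"""
from collections import defaultdict

PERMS = frozenset({"read", "write"})

# Constructed sample: an excerpt of the definition lines from this page, plus
# the superuser flags. A real run would read the full definition text instead.
SAMPLE_DEFINITIONS = """
super_user.superuser = true
system_write.superuser = true
auditor.app.firewall = read
security_admin.app.firewall = read, write
security_admin.edge.ssh = read, write
security_admin.edge.routing = read, write
security_admin.edge.firewall = read, write
vshield_admin.urm.user_account_management = read, write
vshield_admin.edge.ssh = read, write
vshield_admin.edge.routing = read
vshield_admin.edge.firewall = read
enterprise_admin.urm.user_account_management = read, write
enterprise_admin.edge.routing = read, write
enterprise_admin.edge.firewall = read, write
auditor.edge.routing = read
auditor.edge.firewall = read
secondary.super_user.edge.firewall = read, write
secondary.vshield_admin.edge.firewall = read, write
secondary.security_admin.edge.routing = read, write
"""


def parse_permissions(value, line=""):
    """Turn 'read, write' into a frozenset; reject anything else (e.g. 'read_write')."""
    perms = frozenset(tok.strip() for tok in value.split(","))
    unknown = perms - PERMS
    if unknown:
        raise ValueError(f"malformed permission value {sorted(unknown)} in line: {line!r}")
    return perms


def parse_definitions(text):
    """Return (superusers, base, secondary).

    base[role][service.feature]      -> permissions on a primary NSX Manager
    secondary[role][service.feature] -> overrides that apply on a secondary
                                        NSX Manager for universal objects
    Role lists, featurelists, object_permission and scope flags are skipped.
    """
    superusers, base, secondary = set(), defaultdict(dict), defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line:
            continue                      # blank line or featurelist continuation
        key, value = (p.strip() for p in line.split("=", 1))
        parts = key.split(".")
        if len(parts) < 2:
            continue                      # roles = ..., system_roles = ...
        if parts[1] == "superuser":
            if value.lower() == "true":
                superusers.add(parts[0])
            continue
        if parts[1] in ("object_permission", "object_access_scope", "featurelist"):
            continue
        if parts[0] == "secondary" and len(parts) == 4:
            secondary[parts[1]][".".join(parts[2:])] = parse_permissions(value, line)
        elif len(parts) == 3:
            base[parts[0]][".".join(parts[1:])] = parse_permissions(value, line)
    return superusers, dict(base), dict(secondary)


def all_roles(defs):
    superusers, base, secondary = defs
    return sorted(set(superusers) | set(base) | set(secondary))


def effective_access(defs, role, feature, node="primary"):
    """Permissions `role` holds on `feature`; an unlisted pair means no access.

    node="secondary" applies the secondary-node override entries first.
    Assumption: a role with superuser = true gets read and write everywhere,
    since the page lists no per-feature entries for super_user.
    """
    superusers, base, secondary = defs
    if role in superusers:
        return PERMS
    if node == "secondary" and feature in secondary.get(role, {}):
        return secondary[role][feature]
    return base.get(role, {}).get(feature, frozenset())


def roles_with_write(defs, feature, node="primary"):
    """Every role that can change `feature` on the given node type."""
    return [r for r in all_roles(defs) if "write" in effective_access(defs, r, feature, node)]


def candidate_roles(defs, required, node="primary"):
    """Roles satisfying every (feature, permission) pair in `required`, mapped to
    the extra write grants each one carries beyond the request, so the tightest
    fit for a task is the candidate with the smallest surplus."""
    superusers, base, secondary = defs
    wanted = {f for f, _ in required}
    result = {}
    for role in all_roles(defs):
        if not all(p in effective_access(defs, role, f, node) for f, p in required):
            continue
        if role in superusers:
            result[role] = ["*"]          # write on everything
            continue
        feats = set(base.get(role, {})) | set(secondary.get(role, {}))
        result[role] = sorted(f for f in feats - wanted
                              if "write" in effective_access(defs, role, f, node))
    return result


if __name__ == "__main__":
    defs = parse_definitions(SAMPLE_DEFINITIONS)
    print("write on edge.firewall, primary:  ", roles_with_write(defs, "edge.firewall"))
    print("write on edge.firewall, secondary:", roles_with_write(defs, "edge.firewall", "secondary"))
    task = [("edge.firewall", "write"), ("edge.routing", "write")]
    for role, surplus in candidate_roles(defs, task).items():
        print(f"{role:18s} extra write grants: {surplus}")
```

Feeding the full definition text from this page to parse_definitions instead of the excerpt gives the complete matrix. The parser deliberately rejects values other than read and write, so a malformed entry such as read_write is reported rather than silently treated as no access or as full access.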

Additional Information

For NSX-T Data Center and NSX (not NSX-V), see Role-Based Access Control.