This article provides steps to create an NSX CLI user which can be used only for running API calls against the NSX Manager.
By Default, in a standard NSX installation, the only account which only has API privileges (no vSphere Web Client privileges) is the NSX Manager admin account. It is possible to use the vSphere SSO accounts to interact with the NSX API, however, this will also allow vSphere Web Client access (although they would not be able to view or access anything once logged in without granting specific vCenter Server rights).
When an API is run from an SSO user, the audit logs will show that the admin account has completed the API (not the specific user). By creating a specific API roles, users can audit their environment and know exactly where APIs were ran from.
To create an NSX CLI user: