vIDM users that are members of multiple groups mapped to NSX RBAC roles don't consume all permissions correctly

Article ID: 371004


Products

VMware NSX

Issue/Introduction

When users manage their roles through vIDM groups from the vIDM UI, RBAC is enforced using only one of the groups, even though the user is a member of multiple vIDM groups.

Environment

NSX 4.1.1.0 with vIDM 3.3.7.0

Cause

In the reported scenario, each vIDM group is mapped to one NSX role, so NSX creates two separate internal RoleBindings on the root path '/'. While consolidating the roles for the user, only unique paths are considered along with the roles. Because of this, the second role entry with root path '/' is ignored. This issue happens only when the role assignment is made through external group membership.

Resolution

This issue is resolved in VMware NSX 4.2.0.

Workaround

Add a user to only one vIDM group and add multiple NSX roles to only this vIDM group.

When users manage their roles through vIDM groups from the vIDM UI, RBAC is enforced using only one of the groups, even though the user is a member of multiple vIDM groups. Hence, if a user is mapped to a single vIDM group and that vIDM group has multiple NSX roles, one should be able to work around this issue.
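
A simplified model of the consolidation described under Cause, and of why the workaround avoids it, added here as an illustration; it is not NSX code. The group names, role labels, data layout, the "first binding wins" ordering and the assumption that one group mapping carries all of its roles in a single binding are constructed for the example.

```python
from collections import defaultdict

# Constructed sample data: vIDM group -> list of (path, roles) bindings.
# Assumption: a group mapped to several roles yields ONE binding holding them all.
GROUP_BINDINGS = {
    "nsx-net-admins": [("/", {"network_admin"})],
    "nsx-sec-admins": [("/", {"security_admin"})],
    "nsx-combined": [("/", {"network_admin", "security_admin"})],
}
MEMBERSHIPS = {
    "alice": ["nsx-net-admins", "nsx-sec-admins"],  # two groups, one role each
    "bob": ["nsx-combined"],                        # workaround layout
}

def bindings_for(groups):
    """Flatten a user's group memberships into (path, roles) bindings."""
    return [(p, set(r)) for g in groups for p, r in GROUP_BINDINGS.get(g, [])]

def consolidate_unique_path(bindings):
    """Behaviour described under Cause: one entry per unique path survives."""
    effective = {}
    for path, roles in bindings:
        if path not in effective:  # a later binding on the same path is ignored
            effective[path] = set(roles)
    return effective

def consolidate_union(bindings):
    """Expected behaviour: roles from every binding on a path are merged."""
    effective = defaultdict(set)
    for path, roles in bindings:
        effective[path] |= roles
    return dict(effective)

def affected_users(memberships):
    """Map each user to the roles lost per path under unique-path consolidation."""
    report = {}
    for user, groups in memberships.items():
        b = bindings_for(groups)
        got, want = consolidate_unique_path(b), consolidate_union(b)
        lost = {p: want[p] - got.get(p, set()) for p in want}
        lost = {p: r for p, r in lost.items() if r}
        if lost:
            report[user] = lost
    return report

if __name__ == "__main__":
    print(affected_users(MEMBERSHIPS))
```

Feeding an export of real group memberships and group-to-role mappings into `affected_users` lists the accounts whose effective permissions are narrower than their mappings imply, which are the ones to move to a single group on versions before 4.2.0.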