VIDM user may be able to log in to NSX with reduced privileges.

Article ID: 377798

Products

VMware NSX

Issue/Introduction

Common Symptoms:

  • Recently upgraded to NSX 4.1.x.
  • VMware Identity Manager (VIDM) is integrated with NSX.
  • Users holding the 'Network Admin' or 'Security Admin' role can no longer assign tags after the upgrade to VMware NSX 4.1.x; before the upgrade this worked.
  • VIDM users are members of multiple VIDM groups.
  • These VIDM groups are mapped to different NSX roles.
  • Role assignment in NSX is made through external (VIDM) group membership rather than directly to the user.
  • Affected VIDM users can still log in, but their effective privileges may be more or fewer than their assigned roles imply.

Environment

This issue affects NSX 4.1.x.

Cause

  • The defect, described as a race condition, occurs when a user belongs to several VIDM groups and each group is mapped to one NSX role. NSX then creates a separate internal RoleBinding for each group, all of them on the root path '/'. When NSX consolidates the user's roles, it keys the entries on path alone, so only the first entry for '/' is kept and every further role entry on '/' is silently discarded. Which role survives depends on the order in which the bindings are processed, which is why the effective privileges can come out either higher or lower than intended.
  • The issue occurs only when role assignment is made through external group membership.

Resolution

The issue is resolved in VMware NSX 4.2.0, available at Broadcom downloads.

If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.

Workaround:

If you believe you have encountered this issue, place the affected user in a single VIDM group and map all of the required NSX roles to that one group, instead of spreading the roles across several groups. This yields one internal RoleBinding that carries every role on '/', so nothing is dropped during consolidation. Because the user then holds the union of those roles, confirm that the result matches the intended least-privilege assignment, for example by reviewing the user's entries in the NSX UI user-management page or via GET /policy/api/v1/aaa/role-bindings, before relying on it.
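The following Python model is added here as an illustration; it is not NSX code and is not part of the original article. It replays the mechanism described under Cause (entries keyed on path alone, so a second entry on '/' is lost) next to a corrected consolidation, and shows why the workaround above avoids the problem. The RoleBinding-like dictionaries, the group names, the field names `group`, `roles_for_paths`, `path` and `roles`, and both consolidation routines are constructed for this example; NSX's internal implementation is not public and is only paraphrased here.

```python
"""
Simplified model of NSX role-binding consolidation (added example, not NSX code).

Models the defect described in the Cause section: one VIDM user in two VIDM
groups, each group mapped to one NSX role, producing two internal RoleBindings
on the root path '/'. The 4.1.x-style consolidation keys on path only and so
drops the second '/' entry; the fixed consolidation merges roles per path.
"""
from itertools import permutations

# Constructed sample data. Field names loosely mirror the NSX RoleBinding
# object but are an assumption of this example, as are the group names.
GROUP_ROLE_BINDINGS = [
    {"group": "nsx-network-admins",
     "roles_for_paths": [{"path": "/", "roles": ["Network Admin"]}]},
    {"group": "nsx-security-admins",
     "roles_for_paths": [{"path": "/", "roles": ["Security Admin"]}]},
]


def consolidate_buggy(bindings):
    """4.1.x-style behaviour: entries are unique on path alone, so the second
    entry for '/' is skipped. Returns {path: set(roles)}."""
    seen = {}
    for binding in bindings:
        for entry in binding["roles_for_paths"]:
            if entry["path"] in seen:
                continue  # second role entry on the same path is ignored
            seen[entry["path"]] = set(entry["roles"])
    return seen


def consolidate_fixed(bindings):
    """Corrected behaviour: roles on the same path are merged, i.e. the
    entries are unique on (path, role) rather than on path alone."""
    merged = {}
    for binding in bindings:
        for entry in binding["roles_for_paths"]:
            merged.setdefault(entry["path"], set()).update(entry["roles"])
    return merged


def effective_roles(bindings, consolidate):
    """Roles the user actually ends up with at '/' for a given routine."""
    return consolidate(bindings).get("/", set())


def outcomes_over_orderings(bindings, consolidate):
    """The article calls the defect a race condition: which binding 'wins'
    depends on processing order. Enumerate every ordering and return the
    distinct role sets a user could observe."""
    return {frozenset(effective_roles(list(order), consolidate))
            for order in permutations(bindings)}


def workaround_binding(group, roles):
    """Article's workaround: one VIDM group carrying every required NSX role,
    which becomes a single RoleBinding with several roles on one path."""
    return [{"group": group,
             "roles_for_paths": [{"path": "/", "roles": list(roles)}]}]


if __name__ == "__main__":
    print("4.1.x, two groups:",
          outcomes_over_orderings(GROUP_ROLE_BINDINGS, consolidate_buggy))
    print("fixed, two groups:",
          outcomes_over_orderings(GROUP_ROLE_BINDINGS, consolidate_fixed))
    combined = workaround_binding("nsx-combined-admins",
                                  ["Network Admin", "Security Admin"])
    print("4.1.x, workaround:", effective_roles(combined, consolidate_buggy))
```

Run stand-alone, the buggy routine yields two possible outcomes for the two-group user, {'Network Admin'} or {'Security Admin'} depending on order, which matches the "more or fewer privileges than expected" symptom; the fixed routine always yields both roles; and the single-group workaround yields both roles even under the buggy routine, because there is only one entry on '/' to consolidate.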

Additional Information

NSX Administration Guide: Role-Based Access Control (vmware.com)