Custom role based users accessing the NSX API are receiving a 401 Forbidden error.

Article ID: 390631

Products

VMware NSX

Issue/Introduction

  • After creating a custom role and assigning it to users, these users are unable to run management APIs to NSX.

  • Roles cloned from system roles (such as the system auditor) or manually created roles will face the same issue.

  • Roles are made up of different features, and these features decide the permissions for APIs. The feature each API belongs to can be seen in the API guide on the specific page of that API. Below are two examples of the APIs for fetching logical switches/segments via Policy or Management calls.


Management API - Get Logical Switches

Management API - GET /api/v1/logical-switches
This falls under the feature set "switching_switches".

Policy API - Get Segments

Policy API - GET /policy/api/v1/infra/segments
This falls under the feature set "policy_segment".

  • If attempting to edit the feature permissions of a role via API, the change will be accepted with a 200 HTTP status; however, a subsequent GET of the role will show all management API feature permissions reverted to none.

    • E.g. passing the below value for switching_switches to a role as per the API guide (PUT /policy/api/v1/aaa/roles/<role>) will give a 200 success message.

      {
        "feature": "switching_switches",
        "feature_name": "Switching Switches",
        "feature_description": "Switching LogicalSwitches",
        "permission": "read",
        "is_internal": true,
        "is_execute_recommended": false
      }
    • However, if the equivalent GET is done immediately after, the permission field will have reverted to none.

      {
        "feature": "switching_switches",
        "feature_name": "Switching Switches",
        "feature_description": "Switching LogicalSwitches",
        "permission": "none",
        "is_internal": true,
        "is_execute_recommended": false
      }
  • When trying to run an API call without the correct permissions, the API returns a 401 Forbidden error relating to permissions, with the error body below:

    "httpStatus": "FORBIDDEN",
    "error_code": 401,
    "module_name": "common-services",
    "error_message": "User is not authorized to perform this operation on the application. Please contact the system administrator to get access."
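As an added example (not part of this KB or of the NSX product), the following Python compares the feature permissions sent in a PUT to a custom role with what the subsequent GET of that role returns, and lists the features that silently reverted to none. The two role documents are constructed samples based on the switching_switches objects above; the policy_segment entry and its permission value are assumed.

```python
# Constructed sample: feature permissions sent in the PUT body for a
# custom role (PUT /policy/api/v1/aaa/roles/<role>), as described in the KB.
# The policy_segment entry is an assumption added for contrast.
REQUESTED_ROLE = {
    "features": [
        {"feature": "switching_switches", "permission": "read"},
        {"feature": "policy_segment", "permission": "read"},
    ]
}

# Constructed sample: what the subsequent GET of the same role returns.
# The Manager API feature has reverted to "none"; the Policy feature persisted.
RETURNED_ROLE = {
    "features": [
        {"feature": "switching_switches", "permission": "none"},
        {"feature": "policy_segment", "permission": "read"},
    ]
}


def permission_map(role):
    """Map feature id -> permission string for a role document."""
    return {f["feature"]: f["permission"] for f in role.get("features", [])}


def reverted_features(requested, returned):
    """Return, sorted, the features whose requested (non-"none") permission
    did not persist, i.e. came back as "none" or were absent in the GET.
    A non-empty result means users holding this custom role will receive the
    'User is not authorized' 401 error on the APIs of those features."""
    want = permission_map(requested)
    have = permission_map(returned)
    return sorted(
        feat for feat, perm in want.items()
        if perm != "none" and have.get(feat, "none") == "none"
    )


if __name__ == "__main__":
    lost = reverted_features(REQUESTED_ROLE, RETURNED_ROLE)
    if lost:
        # Manager-mode features cannot be granted on a custom role; a system
        # role is required for those APIs (see Resolution).
        print("Permissions reverted to none:", ", ".join(lost))
    else:
        print("All requested permissions persisted.")
```

In practice the two documents come from the PUT request body and the GET response; only the features list is compared.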

Environment

VMware NSX
VMware NSX-T Data Center

Cause

This is expected behaviour: users with non-system (custom) roles cannot have any permissions granted for Manager API based features.

Any attempt to set permissions for the features required by management APIs will always revert to none. This applies whether the permissions are edited directly or the role is a clone of an existing system role.

Resolution

If a user requires the use of management APIs, a system role must be used; there is no way to grant permissions on a custom role that will allow management APIs to be used.

Additional Information

Create and Manage Custom Roles - Admin guide

Excerpt from above admin guide page:

You can create custom roles only for features available in the Policy mode. If you clone a role with access to features in the Manager mode, the cloned role provides access only to the Policy mode features. For example, features like Upgrade, Migrate, Fabric, TraceFlow, NSX Intelligence, and Inventory of Physical Servers and Containers are only available in Manager mode and therefore not supported. Most features are supported. The unsupported features for users with a custom role include:

System>Configuration>Fabric>Profiles
System>Configuration>Fabric>Transport Zones
System>Configuration>Fabric>Settings>Tunnel/Remote and Tunnel Endpoint
System>Configuration>Identity Firewall AD
System>Lifecycle Management>Upgrade and Migrate
System>Settings>User Management, Support Bundle, Proxy Settings, and User Interface Settings