Cloned enterprise admin role privileges in NSX are not functioning as expected
Article ID: 435871
Products

VMware NSX

Issue/Introduction

  • Cloned enterprise admin role privileges in NSX are not functioning as expected

  • Users assigned to this cloned custom role experience restricted privileges that do not match the original Enterprise Admin role.

  • Under System > Fabric, only Compute Managers is visible; Transport Zones, Profiles, and the other Fabric items are missing.

  • The Compute Manager settings are grayed out, so nothing can be modified or added.

  • Under System > Settings, the Support Bundle option is missing entirely.

  • Users calling the NSX API with this cloned role may receive an HTTP 401 or 403 (unauthorized/forbidden) error on Manager API endpoints (/api/v1/...), while Policy API calls succeed.

Environment

VMware NSX

Cause

This behavior is expected: custom roles (any role other than the built-in system roles) cannot carry permissions for features that are backed by the Manager API.

Any attempt to assign a permission for a Manager API feature to a custom role is automatically reverted to "None". This applies both to direct edits of a custom role's permissions and to roles cloned from an existing system role such as Enterprise Admin: the clone keeps the Policy-mode permissions but silently drops the Manager-mode ones.
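Because the revert to "None" is silent, it is worth checking a cloned role against its source before assigning users to it. The following script is an added example for this article, not code from VMware or from the KB; it compares two role documents offline and reports which feature permissions were lost or downgraded in the clone. Both role documents are constructed sample data: the field names ("role", "features", "feature", "permission") are assumed to follow the shape of the NSX GET /api/v1/aaa/roles-with-feature-permissions response, and the feature identifiers are made up for illustration rather than real NSX feature ids.

```python
"""Compare a cloned NSX role against its source role and report which
feature permissions silently reverted to "none".

Added example, not from the KB article or from VMware. The two role
documents below are constructed for illustration; their field names
("role", "features", "feature", "permission") are assumed to follow the
shape of the NSX GET /api/v1/aaa/roles-with-feature-permissions
response, and the feature identifiers are made up, not real NSX ids.
"""
import json

# Constructed sample: the built-in Enterprise Admin role as the source.
SOURCE_ROLE_JSON = """
{
  "role": "enterprise_admin",
  "features": [
    {"feature": "policy_segments",          "permission": "crud"},
    {"feature": "policy_distributed_fw",    "permission": "crud"},
    {"feature": "fabric_compute_managers",  "permission": "crud"},
    {"feature": "fabric_transport_zones",   "permission": "crud"},
    {"feature": "fabric_host_profiles",     "permission": "crud"},
    {"feature": "settings_support_bundle",  "permission": "execute"},
    {"feature": "lifecycle_upgrade",        "permission": "crud"}
  ]
}
"""

# Constructed sample: the clone after NSX reverts the Manager-mode
# features to "none" and leaves the Policy-mode ones intact.
CLONED_ROLE_JSON = """
{
  "role": "ea_clone",
  "features": [
    {"feature": "policy_segments",          "permission": "crud"},
    {"feature": "policy_distributed_fw",    "permission": "crud"},
    {"feature": "fabric_compute_managers",  "permission": "read"},
    {"feature": "fabric_transport_zones",   "permission": "none"},
    {"feature": "fabric_host_profiles",     "permission": "none"},
    {"feature": "settings_support_bundle",  "permission": "none"},
    {"feature": "lifecycle_upgrade",        "permission": "none"}
  ]
}
"""

# Assumed ordering, used only to decide whether a permission was downgraded.
PERMISSION_RANK = {"none": 0, "read": 1, "execute": 2, "crud": 3}


def feature_permissions(role_json):
    """Return {feature: permission} for one role document."""
    role = json.loads(role_json)
    return {f["feature"]: f["permission"].lower() for f in role["features"]}


def diff_roles(source_json, clone_json):
    """Classify every feature of the source role as kept, downgraded,
    or lost (reverted to "none") in the clone. A feature that is absent
    from the clone counts as lost."""
    src = feature_permissions(source_json)
    dst = feature_permissions(clone_json)
    result = {"kept": [], "downgraded": [], "lost": []}
    for feature, perm in sorted(src.items()):
        clone_perm = dst.get(feature, "none")
        if clone_perm == "none" and perm != "none":
            result["lost"].append(feature)
        elif PERMISSION_RANK[clone_perm] < PERMISSION_RANK[perm]:
            result["downgraded"].append((feature, perm, clone_perm))
        else:
            result["kept"].append(feature)
    return result


def clone_is_equivalent(source_json, clone_json):
    """True only if nothing was lost or downgraded; run this as the
    pre-flight check before assigning users to the cloned role."""
    d = diff_roles(source_json, clone_json)
    return not d["lost"] and not d["downgraded"]


if __name__ == "__main__":
    report = diff_roles(SOURCE_ROLE_JSON, CLONED_ROLE_JSON)
    print("kept:      ", ", ".join(report["kept"]))
    for feature, was, now in report["downgraded"]:
        print(f"downgraded: {feature} ({was} -> {now})")
    print("lost:      ", ", ".join(report["lost"]))
    print("equivalent:", clone_is_equivalent(SOURCE_ROLE_JSON, CLONED_ROLE_JSON))
```

To use this against a live system, replace the two constructed strings with the JSON returned for the source role and the clone; any feature listed under "lost" is one the clone cannot be used for and that still requires the built-in system role.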

Resolution

This is expected behavior. For any task that needs Manager-mode features or the Manager API, assign the built-in Enterprise Admin system role.

There is no way to grant these permissions through a custom role. Because the built-in role is all-or-nothing, keep the set of accounts that hold it small and reserve it for Manager-mode tasks; day-to-day Policy-mode work can remain on a least-privilege custom role.

Additional Information

Custom roles can only be created for features available in Policy mode. If you clone a role that has access to Manager-mode features, the clone provides access only to the Policy-mode features. Most features are Policy-mode and therefore supported; features such as Upgrade, Migrate, Fabric, Traceflow, Security Intelligence, and the inventory of physical servers and containers are available only in Manager mode and are not supported. The features unavailable to users with a custom role include:

System > Configuration > Fabric > Profiles
System > Configuration > Fabric > Transport Zones
System > Configuration > Fabric > Settings > Tunnel/Remote and Tunnel Endpoint
System > Configuration > Identity Firewall AD
System > Lifecycle Management > Upgrade and Migrate
System > Settings > User Management, Support Bundle, Proxy Settings, and User Interface Settings

For more details, refer to the NSX documentation topic Create or Manage Custom Roles.