Roles and Permissions for vCenter and NSX-T Users
Overview
The NSX-T cloud connector interacts with vCenter for Service Engine (SE) lifecycle management, and with NSX-T manager to sync and create objects for networking and security.
For this, the admin needs to configure vCenter and NSX-T user credentials that carry the permissions Avi requires to perform these operations.
This article discusses the roles and permissions required by the vCenter and NSX-T users and the steps to configure them.
vCenter Roles
This section discusses the roles required to be assigned to the vCenter user.
Create the following roles:
AviRole-Global
This role must be assigned as a Global Permission. It allows the user to upload the SE OVF to the content library, allocate space on a datastore to create a virtual machine (VM), and assign networks to it.
Role Summary
The AviRole-Global needs the following permissions:
- Content Library
  - Add library items
  - Delete library items
  - Update files
  - Update library items
- Datastore
  - Allocate space
  - Remove files
- Network
  - Assign network
  - Remove
- vApp
  - Import
- Virtual Machine
  - Change Configuration
    - Add new disk
    - Change Configuration
Creating AviRole-Global
To create AviRole-Global,
- Log in to the vCenter UI as admin.
- Navigate to Administration > Roles as shown below:
- Click on the + sign to create a new role.
- Click on Content Library and select the permissions as shown below:
- Click on Datastore and select the permissions as shown below:
- Click on Network and select the permissions as shown below:
- Click on Virtual Machine and select the permissions as shown below:
- Click on vApp and select the permissions as shown below:
- Click on Next.
- Enter the Role name as AviRole-Global and enter a Description, if required.
- Click on Finish.
AviRole-Folder
This role must be applied to the folder in which the admin wants the Avi Service Engine VMs to be created. It contains the permissions to create an SE folder, create an SE VM from a template, assign it to a resource pool, and perform operations on the VM such as adding devices, powering it on and off, and connecting its vNICs to networks. Because the role is applied at the folder level, VM operations are restricted to that folder only.
Role Summary
- Folder
  - Create folders
- Network
  - Assign networks
  - Remove networks
- Resource
  - Assign virtual machine to resource pool
- Tasks
  - Create tasks
  - Update tasks
- vApp
  - Add virtual machine
  - Assign resource pool
  - Assign vApp
  - Create
  - Delete
  - Export
  - Import
  - Power off
  - Power on
  - vApp application configuration
  - vApp instance configuration
- Virtual machine
  - Change Configuration
    - Add existing disk
    - Add new disk
    - Add or remove device
    - Advanced configuration
    - Change CPU count
    - Change Memory
    - Change Settings
    - Change resource
    - Display connection settings
    - Extend virtual disk
    - Modify device settings
    - Remove disk
  - Edit Inventory
    - Create new
    - Remove
    - Register
    - Unregister
  - Interaction
    - Connect devices
    - Install VMware Tools
    - Power off
    - Power on
    - Reset
  - Provisioning
    - Allow disk access
    - Allow file access
    - Allow read-only disk access
    - Deploy template
    - Mark as virtual machine
  - Change Configuration
Creating AviRole-Folder
To create AviRole-Folder,
- Log in to the vCenter UI as admin.
- Navigate to Administration > Roles as shown below:
- Click on the + sign to create a new role.
- Click on Folder and select the permissions as shown below:
- Click on Network and select the permissions as shown below:
- Click on Resource and select the permissions as shown below:
- Click on Tasks and select the permissions as shown below:
- Click on Virtual Machine and select the permissions as shown below:
- Click on vApp and select the permissions as shown below:
- Click on Next.
- Enter the Role name as AviRole-Folder and enter a Description, if required.
- Click on Finish.
Combined AviRole
If the vCenter admin does not want to restrict VM operations to a folder and prefers to assign the permissions globally, a single AviRole can be created with the permissions shown below and applied as a Global Permission, instead of creating AviRole-Global and AviRole-Folder. Note that this grants the SE VM operations across the whole inventory rather than only the SE folder.
Role Summary
- Content Library
  - Add library item
  - Delete library item
  - Update files
  - Update library item
- Datastore
  - Allocate space
  - Remove file
- Folder
  - Create folder
- Network
  - Assign network
  - Remove
- Resource
  - Assign virtual machine to resource pool
- Tasks
  - Create task
  - Update task
- vApp
  - Add virtual machine
  - Assign resource pool
  - Assign vApp
  - Create
  - Delete
  - Export
  - Import
  - Power off
  - Power on
  - vApp application configuration
  - vApp instance configuration
- Virtual machine
  - Change Configuration
    - Add existing disk
    - Add new disk
    - Add or remove device
    - Advanced configuration
    - Change CPU count
    - Change Memory
    - Change Settings
    - Change resource
    - Display connection settings
    - Extend virtual disk
    - Modify device settings
    - Remove disk
  - Edit Inventory
    - Create new
    - Remove inventory
    - Register
    - Unregister
  - Interaction
    - Connect devices
    - Install VMware Tools
    - Power off
    - Power on
    - Reset
  - Provisioning
    - Allow disk access
    - Allow file access
    - Allow read-only disk access
    - Deploy template
    - Mark as virtual machine
  - Change Configuration
Assigning the Roles
Assign the global and folder level roles, as discussed below:
Assigning AviRole-Global
- Log in to the vCenter UI and navigate to Global Permissions.
- Click on the + sign to add a new permission:
- Select the Domain.
- Search for and select the required username (this will be used for authentication in the Avi cloud configuration).
- Click on Propagate to children. The Add Permission screen is as shown below:
- Click on OK.
Assigning AviRole-Folder
- Log in to the vCenter UI and navigate to VMs and Templates.
- Select the VM folder in which the Avi SEs have to be created.
- Click on the Permissions tab.
- Click on the + sign to add a new permission.
- Select the Domain.
- Search for and select the required username (this will be used for authentication in the Avi cloud configuration).
- Click on Propagate to children. The Add Permission screen is as shown below:
- Click on OK.
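The role creation and assignment steps above (AviRole-Global, AviRole-Folder and the two permission assignments) can also be scripted with VMware PowerCLI, which makes the resulting role definitions reviewable and repeatable. The script below is an added example and is not part of the Avi documentation or the Avi product. It assumes placeholder values for the vCenter hostname, the service account principal and the SE folder name, and it maps the UI permission labels listed above to the standard vSphere privilege IDs; the mapping of the second "Change Configuration" entry of AviRole-Global to VirtualMachine.Config.Settings is an assumption. Verify every ID against your own vCenter with Get-VIPrivilege before relying on it.

```powershell
# Added example, not from the Avi documentation: create AviRole-Global and AviRole-Folder
# with PowerCLI and assign them as the UI steps above describe.
# Placeholders: $VCenter, $Principal and $SeFolder must be replaced for a real environment.
# Privilege IDs are the standard vSphere IDs for the listed UI labels; confirm them with
#   Get-VIPrivilege | Select-Object Id, Name
param(
    [string]$VCenter   = 'vcenter.example.invalid',   # placeholder
    [string]$Principal = 'VSPHERE.LOCAL\avi-svc',     # placeholder service account
    [string]$SeFolder  = 'AviSEs'                     # placeholder VM folder for SEs
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

# AviRole-Global: OVF upload to the content library, datastore space, network assignment, OVF import
$globalPrivIds = @(
    'ContentLibrary.AddLibraryItem', 'ContentLibrary.DeleteLibraryItem',
    'ContentLibrary.UpdateFiles',    'ContentLibrary.UpdateLibraryItem',
    'Datastore.AllocateSpace',       'Datastore.DeleteFile',
    'Network.Assign',                'Network.Delete',
    'VApp.Import',
    'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Config.Settings'   # assumed mapping for the second "Change Configuration" entry
)

# AviRole-Folder: SE folder creation, VM lifecycle, device, power and provisioning operations
$folderPrivIds = @(
    'Folder.Create',
    'Network.Assign', 'Network.Delete',
    'Resource.AssignVMToPool',
    'Task.Create', 'Task.Update',
    'VApp.AssignVM', 'VApp.AssignResourcePool', 'VApp.AssignVApp', 'VApp.Create', 'VApp.Delete',
    'VApp.Export', 'VApp.Import', 'VApp.PowerOff', 'VApp.PowerOn',
    'VApp.ApplicationConfig', 'VApp.InstanceConfig',
    'VirtualMachine.Config.AddExistingDisk', 'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Config.AddRemoveDevice', 'VirtualMachine.Config.AdvancedConfig',
    'VirtualMachine.Config.CPUCount',        'VirtualMachine.Config.Memory',
    'VirtualMachine.Config.Settings',        'VirtualMachine.Config.Resource',
    'VirtualMachine.Config.MksControl',      'VirtualMachine.Config.DiskExtend',
    'VirtualMachine.Config.EditDevice',      'VirtualMachine.Config.RemoveDisk',
    'VirtualMachine.Inventory.Create',   'VirtualMachine.Inventory.Delete',
    'VirtualMachine.Inventory.Register', 'VirtualMachine.Inventory.Unregister',
    'VirtualMachine.Interact.DeviceConnection', 'VirtualMachine.Interact.ToolsInstall',
    'VirtualMachine.Interact.PowerOff', 'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.Reset',
    'VirtualMachine.Provisioning.DiskRandomAccess', 'VirtualMachine.Provisioning.FileRandomAccess',
    'VirtualMachine.Provisioning.DiskRandomRead',   'VirtualMachine.Provisioning.DeployTemplate',
    'VirtualMachine.Provisioning.MarkAsVM'
)

function New-AviRole {
    param([string]$Name, [string[]]$PrivilegeIds)
    # Resolve IDs first and fail loudly on any unknown one, so a typo cannot
    # silently produce a role with fewer privileges than intended.
    $privs   = Get-VIPrivilege -Id $PrivilegeIds -ErrorAction SilentlyContinue
    $missing = $PrivilegeIds | Where-Object { $_ -notin $privs.Id }
    if ($missing) { throw "Unknown privilege IDs on $VCenter : $($missing -join ', ')" }
    $existing = Get-VIRole -Name $Name -ErrorAction SilentlyContinue
    if ($existing) { return $existing }   # idempotent: reuse an existing role of that name
    return New-VIRole -Name $Name -Privilege $privs
}

$globalRole = New-AviRole -Name 'AviRole-Global' -PrivilegeIds $globalPrivIds
$folderRole = New-AviRole -Name 'AviRole-Folder' -PrivilegeIds $folderPrivIds

# Global scope. New-VIPermission grants on inventory objects, so this assigns the role on the
# vCenter root folder with propagation. The UI's Global Permissions entry from the steps above is
# a separate object; confirm or create it in the UI so the Content Library privileges apply.
$root = Get-Folder -NoRecursion
New-VIPermission -Entity $root -Principal $Principal -Role $globalRole -Propagate:$true | Out-Null

# Folder scope: only the SE folder, propagating to the SE VMs created inside it
$folder = Get-Folder -Name $SeFolder -Type VM -ErrorAction Stop
New-VIPermission -Entity $folder -Principal $Principal -Role $folderRole -Propagate:$true | Out-Null

# Verification: show where the service account now holds which role
Get-VIPermission -Principal $Principal |
    Select-Object Entity, Role, Propagate |
    Format-Table -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

The verification listing at the end is the useful part for a reviewer: it should show exactly two entries for the service account, the global role at the root and the folder role on the SE folder, and nothing wider. If the listing shows the folder role on a datacenter or cluster, the permission was attached at the wrong object and the least-privilege intent of AviRole-Folder is lost.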
NSX-T Roles
This section discusses the roles required to be assigned to the NSX-T user. Local user creation is not allowed on NSX-T. The admin can select a VMware Identity Manager (VIDM) or an LDAP user and assign the required roles to it.
Note: Starting with NSX Advanced Load Balancer version 21.1.4, Preserve Client IP for NSX-T Overlay is supported. The additional roles of NetX Partner Admin and Security Admin are required for the Preserve Client IP feature to work.
Consider an example in which the role is assigned to a VIDM user.
To assign the role,
- Log in to the NSX-T manager UI as an admin user.
- Navigate to System > Users and Roles > USERS.
- Click on ADD and select Role Assignment for VIDM.
- Select the Network Engineer role.
- Click on Save.
Notes:
- Customized role creation is not supported in NSX-T 3.0. The user has to be assigned an existing role that has all the permissions required by the Avi NSX-T cloud.
- In NSX-T 3.1, the Network Engineer role has been renamed as Network Admin. So, use Network Admin instead.
Document Revision History
| Date | Change Summary |
|---|---|
| January 31, 2023 | Added vSphere Tagging details for 22.1.3 release |