10.3 Role-Based Access Control
NSX for vSphere uses role-based access control (RBAC) to grant permissions to users or groups. The environment comes with predefined roles, and a user assigned to a role inherits that role's permissions. The default roles are described in the following table.
Table 5. NSX for vSphere Roles and Permissions
Role | Permissions |
Enterprise Administrator | NSX for vSphere operations and security. |
NSX for vSphere Administrator | NSX for vSphere operations only (for operations such as installing virtual appliances and configuring port groups). |
Security Administrator | NSX for vSphere security only (for operations such as defining data security policies, creating port groups, and creating reports for NSX for vSphere modules). |
Auditor | Read-only rights. |
In addition to granting permissions using roles, it is also necessary to specify the scope of access that the user or group will have to the system. The scope levels are shown in the following table.
Table 6. NSX for vSphere Permissions Scopes
Scope | Description |
No restriction | Full access to the NSX for vSphere system. |
Limit access scope | Access only to a specified NSX Edge device. |
Both the Enterprise Administrator and VMware NSX Administrator roles can be assigned only to vCenter Server resources. Their scope is global, so it is not possible to apply restrictions.
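The role and scope rules above can be checked against an exported list of assignments. The following Python audit is an added example, not VMware code and not the NSX API schema: the record fields (`principal`, `role`, `scope`, `edge`) and the sample data are constructed, and it assumes the "VMware NSX Administrator" role named above is the "NSX for vSphere Administrator" role of Table 5.

```python
# Added example: audits role assignments against Tables 5 and 6.
# Field names and SAMPLE records are constructed, not an NSX export format.
ROLE_CAPS = {
    "Enterprise Administrator": {"operations", "security"},
    "NSX for vSphere Administrator": {"operations"},
    "Security Administrator": {"security"},
    "Auditor": {"read-only"},
}
# Roles whose scope is global and cannot be restricted.
GLOBAL_ONLY = {"Enterprise Administrator", "NSX for vSphere Administrator"}
SCOPES = {"No restriction", "Limit access scope"}

def check_assignment(a):
    """Return the list of problems for one assignment (empty = consistent)."""
    problems = []
    role, scope, edge = a.get("role"), a.get("scope"), a.get("edge")
    if role not in ROLE_CAPS:
        problems.append(f"unknown role {role!r}")
    if scope not in SCOPES:
        problems.append(f"unknown scope {scope!r}")
    if role in GLOBAL_ONLY and scope == "Limit access scope":
        problems.append(f"{role} is global and cannot be limited")
    if scope == "Limit access scope" and not edge:
        problems.append("limited scope needs a specified NSX Edge")
    if scope == "No restriction" and edge:
        problems.append("NSX Edge given but scope is unrestricted")
    return problems

def audit(assignments):
    """Map each principal with an inconsistent assignment to its problems."""
    return {a["principal"]: p for a in assignments if (p := check_assignment(a))}

def unrestricted_writers(assignments):
    """Principals holding a non-read-only role with 'No restriction' scope."""
    return sorted(a["principal"] for a in assignments
                  if not check_assignment(a) and a["scope"] == "No restriction"
                  and ROLE_CAPS[a["role"]] & {"operations", "security"})

SAMPLE = [  # constructed records
    {"principal": "alice", "role": "Enterprise Administrator", "scope": "No restriction", "edge": None},
    {"principal": "bob", "role": "Security Administrator", "scope": "Limit access scope", "edge": "edge-1"},
    {"principal": "carol", "role": "NSX for vSphere Administrator", "scope": "Limit access scope", "edge": "edge-2"},
    {"principal": "dave", "role": "Auditor", "scope": "Limit access scope", "edge": None},
    {"principal": "erin", "role": "Security Administrator", "scope": "No restriction", "edge": None},
]

if __name__ == "__main__":
    for principal, problems in audit(SAMPLE).items():
        print(principal, "->", "; ".join(problems))
    print("unrestricted writers:", unrestricted_writers(SAMPLE))
```

The `unrestricted_writers` list is the set to review first for least privilege, since those accounts can change the whole NSX for vSphere system.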