This post is part of my VMware VCIX-NV Study Guide and covers role based access control (RBAC) in the NSX interface.
Index
- Implement identity service support for Active Directory, NIS, and LDAP with Single Sign-On (SSO)
- Configure/Modify/Delete user accounts
- Configure/Modify/Delete user roles
- Assign roles to user accounts
- Disable/Enable user accounts
Role Based Access Control
The NSX Manager has its own authentication database and permission roles you can assign to users. When you install NSX and link the NSX Manager to vCenter, the NSX Manager gets access to the vCenter authentication database and single sign-on is achieved for the vSphere Web Client. The vCenter user you used to register the NSX Manager gets the administrator role, but you will need to grant additional users permission roles manually.
NSX Manager has four roles:
- Auditor: This role can view settings, events and reports. A read-only role.
- Security Administrator: The Security Administrator can manage all security related settings, such as the firewall services, NAT, SpoofGuard, Security Groups, etc.
- NSX Administrator: This role can deploy and configure NSX Edges, Logical Switches, etc.
- Enterprise Administrator: This role can do anything within NSX.
The user system also has scopes, which allow you to limit a role to a specific NSX Edge. The scope options are: No restriction (access to all of NSX) and Limit access (access to a certain Edge). NSX 6.1 adds port groups and datacenters as scope objects as well.
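The role and scope model above is easiest to audit from the NSX Manager's own user list rather than by clicking through the Users sub-tab. The script below is an added example (not part of this study guide or VMware's own tooling) that parses the user-list XML and reports, per user or group, the role, the scope and whether the account is enabled, then flags enabled principals that hold Enterprise Administrator with no scope restriction. It assumes the response shape of the NSX for vSphere API call GET /api/2.0/services/usermgmt/users/vsm (a users element with one userInfo per account carrying isGroup, isEnabled and an accessControlEntry with role and resource/resourceId), the API role identifiers auditor, security_admin, vshield_admin and enterprise_admin, and globalroot-0 as the "No restriction" scope; the sample document is constructed, not captured from a real manager.

```python
"""Audit NSX Manager role assignments from the user-list XML.

Added example, not from the study guide or VMware. The XML layout, the
role identifiers and the globalroot-0 scope value are assumptions about
the NSX-v usermgmt API; SAMPLE_USERS_XML is constructed for illustration.
"""
import xml.etree.ElementTree as ET

# API role identifier (assumed) -> name shown in the vSphere Web Client
ROLE_NAMES = {
    "auditor": "Auditor",
    "security_admin": "Security Administrator",
    "vshield_admin": "NSX Administrator",
    "enterprise_admin": "Enterprise Administrator",
}

# Scope value meaning "No restriction" (assumption)
GLOBAL_SCOPE = "globalroot-0"

# Constructed sample: one local admin, one AD group, one disabled AD user
# whose Security Administrator role is limited to a single Edge.
SAMPLE_USERS_XML = """<users>
  <userInfo>
    <userId>admin</userId>
    <isGroup>false</isGroup>
    <isEnabled>true</isEnabled>
    <accessControlEntry>
      <role>enterprise_admin</role>
      <resource><resourceId>globalroot-0</resourceId></resource>
    </accessControlEntry>
  </userInfo>
  <userInfo>
    <userId>LAB\\netops</userId>
    <isGroup>true</isGroup>
    <isEnabled>true</isEnabled>
    <accessControlEntry>
      <role>vshield_admin</role>
      <resource><resourceId>globalroot-0</resourceId></resource>
    </accessControlEntry>
  </userInfo>
  <userInfo>
    <userId>LAB\\jdoe</userId>
    <isGroup>false</isGroup>
    <isEnabled>false</isEnabled>
    <accessControlEntry>
      <role>security_admin</role>
      <resource><resourceId>edge-3</resourceId></resource>
    </accessControlEntry>
  </userInfo>
</users>
"""


def parse_users(xml_text):
    """Return one dict per principal: userId, is_group, enabled, role, scope."""
    root = ET.fromstring(xml_text)
    users = []
    for info in root.findall("userInfo"):
        ace = info.find("accessControlEntry")
        users.append({
            "userId": info.findtext("userId"),
            "is_group": info.findtext("isGroup") == "true",
            "enabled": info.findtext("isEnabled") == "true",
            "role": ace.findtext("role") if ace is not None else None,
            "scope": ace.findtext("resource/resourceId") if ace is not None else None,
        })
    return users


def unrestricted_admins(users):
    """Enabled principals holding Enterprise Administrator on all of NSX."""
    return [u["userId"] for u in users
            if u["enabled"] and u["role"] == "enterprise_admin"
            and u["scope"] == GLOBAL_SCOPE]


def report(users):
    """One human-readable line per principal, mirroring the Users sub-tab."""
    lines = []
    for u in users:
        kind = "group" if u["is_group"] else "user"
        state = "enabled" if u["enabled"] else "disabled"
        if u["scope"] == GLOBAL_SCOPE:
            scope = "No restriction"
        else:
            scope = "Limit access (%s)" % u["scope"]
        lines.append("%-12s %-5s %-8s %-25s %s" % (
            u["userId"], kind, state, ROLE_NAMES.get(u["role"], u["role"]), scope))
    return lines


if __name__ == "__main__":
    users = parse_users(SAMPLE_USERS_XML)
    print("\n".join(report(users)))
    print("Unrestricted Enterprise Administrators:", unrestricted_admins(users))
```

Feed it the real response (fetched with the same credentials you use for the NSX Manager web interface) and the last line is the list worth reviewing periodically: every entry on it can do anything within NSX.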
As with vCenter, you can register NSX Manager with a domain to enable SSO between regular vCenter operations and the NSX management pane. You will need to register this separately from the vCenter connections though. In the upcoming tasks, we will register a domain and manage user accounts.
Implement identity service support for Active Directory, NIS, and LDAP with Single Sign-On (SSO)
Requirements:
- NSX Environment.
VMware Documentation: Register a Windows Domain with NSX Manager
In this task, we will register a Windows domain to the NSX Manager so that we can use the domain accounts for access to the NSX Management plane.
Registering a Windows domain to NSX Manager
- Login to your vSphere Web Client.
- Navigate to “Networking & Security” and select the “NSX Managers” menu.
- Choose the NSX Manager you want to modify, select the “Manage” tab and select the “Domains” sub-tab.
- Click the “+” icon to start the wizard to add a domain.
- On the first page, give the domain a name and provide its NetBIOS Name. Click “Next” to continue.
- Next, provide the LDAP server details: server IP or hostname, which protocol to use (LDAP or secure LDAP(S)), which port to connect to and domain credentials (an account that has access to add computers and read the domain). Click “Next” to validate the settings.
- If the domain connection succeeds (server reachable and correct credentials), you get to the “Security Event Log Access” page. This page determines how NSX will retrieve security logs from the domain server. You can do this via CIFS or WMI and optionally provide different credentials for it. When you’re ready, click “Next” to continue.
- Lastly, review your settings on the “Ready to complete” page and click “Finish” to add the domain.
To enable SSO between vCenter and NSX Management, the Lookup Service (SSO) needs to be registered in the NSX Manager. If this was already done during the installation of NSX, great: you’re done! If not, follow these steps:
Registering NSX Manager to the Lookup Service
- Login to your NSX Manager.
- Navigate to “Manage Appliance Settings” and select the “NSX Management Service” menu.
- Click the “Edit” button in the “Lookup Service” table.
- In the popup window, enter the Lookup Service IP (usually vCenter), the port and the credentials to connect (usually [email protected]). Click “OK” when you’re done.
When SSO is registered, the status should look like this:
Configure/Modify/Delete user accounts
Requirements:
- NSX Environment.
- A domain added to NSX Manager and NSX Manager registered with SSO.
VMware Documentation: Assign a Role to a vCenter User
After you’ve added a domain and configured the Lookup Service inside the NSX Manager, you can start adding users to the NSX Manager.
Add a user to NSX Manager
- Login to your vSphere Web Client.
- Navigate to “Networking & Security” and select the “NSX Managers” menu.
- Choose the NSX Manager you want to modify, select the “Manage” tab and select the “Users” sub-tab.
- To add a user, click the “+” icon. In the popup window, select whether to add a single user or a group. Click “Next” to select the role.
- Next, select the role for this user or group. Click “Finish” to activate the user or group.
After adding users, you can only edit their role. So if you make a typo in the username, delete the misspelled entry and add the right one! Also, don’t forget to give the user or group permissions inside vCenter itself, otherwise they will not see the “Networking & Security” menu.
Configure/Modify/Delete user roles
Requirements:
- NSX Environment.
- Existing user to edit.
VMware Documentation: Change a User Role
Edit a user’s role
- Login to your vSphere Web Client.
- Navigate to “Networking & Security” and select the “NSX Managers” menu.
- Choose the NSX Manager you want to modify, select the “Manage” tab and select the “Users” sub-tab.
- Select the user you want to edit by clicking on it and click the “pencil” icon to edit the user.
- In the popup window, select their new role and click “Finish” to save.
Assign roles to user accounts
By completing the previous tasks, you will have completed this task as well, hooray!
Disable/Enable user accounts
Requirements:
- NSX Environment.
- Existing user to enable or disable.
VMware Documentation: Disable or Enable a User Account
Once you’ve created a few users or groups, let’s say you’re the NSX administrator and you want to punish a colleague by temporarily taking away the awesomeness of NSX. You can disable and enable specific users or groups without having to remove them (which would require adding them again later).
Disabling an NSX user
- Login to your vSphere Web Client.
- Navigate to “Networking & Security” and select the “NSX Managers” menu.
- Choose the NSX Manager you want to modify, select the “Manage” tab and select the “Users” sub-tab.
- Select the user or group you want to disable and click the “Disable” icon:
If you look at the “Status” column of the user table, you can tell whether a user or group is currently enabled or disabled.
Enabling an NSX user
- Login to your vSphere Web Client.
- Navigate to “Networking & Security” and select the “NSX Managers” menu.
- Choose the NSX Manager you want to modify, select the “Manage” tab and select the “Users” sub-tab.
- Select the user or group you want to enable and click the “Enable” icon:
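The add-user, change-role and disable/enable procedures above all map onto a handful of NSX Manager REST calls, which is how you would script them (or audit that a change ticket was actually applied). The block below is an added example, not code from this study guide or from VMware: it builds the requests and the accessControlEntry body for assigning a role, changing a role, removing a principal and toggling its enabled state, and only contacts a manager when send() is called explicitly. It assumes the NSX for vSphere usermgmt endpoints (POST/PUT/DELETE /api/2.0/services/usermgmt/role/{userId} with an isGroup query parameter, and PUT /api/2.0/services/usermgmt/enablestate/{0|1}?userId=...), the role identifiers auditor, security_admin, vshield_admin and enterprise_admin, globalroot-0 as the unrestricted scope, and HTTP basic authentication; NSX_HOST is a placeholder.

```python
"""Build (and optionally send) the NSX-v REST equivalents of the Users sub-tab.

Added example, not from the study guide or VMware. Endpoint paths, role
identifiers, the scope value and the XML body are assumptions about the
NSX for vSphere usermgmt API; NSX_HOST is a placeholder, not a real host.
"""
import base64
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

NSX_HOST = "nsxmgr.example.invalid"  # placeholder
GLOBAL_SCOPE = "globalroot-0"        # "No restriction" scope (assumption)
VALID_ROLES = {"auditor", "security_admin", "vshield_admin", "enterprise_admin"}


def role_body(role, scope=GLOBAL_SCOPE):
    """XML body naming the role and the scope object it applies to."""
    if role not in VALID_ROLES:
        raise ValueError("unknown NSX role: %s" % role)
    ace = ET.Element("accessControlEntry")
    ET.SubElement(ace, "role").text = role
    resource = ET.SubElement(ace, "resource")
    ET.SubElement(resource, "resourceId").text = scope
    return ET.tostring(ace, encoding="unicode")


def _role_path(user_id, is_group):
    return "/api/2.0/services/usermgmt/role/%s?isGroup=%s" % (
        urllib.parse.quote(user_id, safe=""), "true" if is_group else "false")


def assign_role(user_id, role, is_group=False, scope=GLOBAL_SCOPE):
    """Equivalent of the "+" wizard: adds the principal with the given role."""
    return ("POST", _role_path(user_id, is_group), role_body(role, scope))


def change_role(user_id, role, is_group=False, scope=GLOBAL_SCOPE):
    """Equivalent of the pencil icon: the only thing you can edit afterwards."""
    return ("PUT", _role_path(user_id, is_group), role_body(role, scope))


def remove_user(user_id):
    """Equivalent of deleting the entry (e.g. to fix a typo in the username)."""
    return ("DELETE", "/api/2.0/services/usermgmt/role/%s"
            % urllib.parse.quote(user_id, safe=""), None)


def set_enabled(user_id, enabled):
    """Equivalent of the Disable/Enable icons; keeps the role assignment."""
    return ("PUT", "/api/2.0/services/usermgmt/enablestate/%d?userId=%s"
            % (1 if enabled else 0, urllib.parse.quote(user_id, safe="")), None)


def send(request, username, password, host=NSX_HOST):
    """Send one prepared request with basic auth; returns (status, body)."""
    method, path, body = request
    req = urllib.request.Request(
        "https://%s%s" % (host, path),
        data=body.encode() if body else None, method=method)
    req.add_header("Content-Type", "application/xml")
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    # Dry run: show what the GUI steps translate to, without sending anything.
    for req in (assign_role("LAB\\netops", "vshield_admin", is_group=True),
                change_role("LAB\\jdoe", "security_admin", scope="edge-3"),
                set_enabled("LAB\\jdoe", False),
                remove_user("LAB\\jdoe")):
        print(req)
```

The requests are plain tuples so they can be logged or reviewed before send() is ever called; the same payloads, diffed against the manager's current user list, tell you whether a role change or a disable actually landed.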