Objective 8.1 – Configure Roles, Permissions, and Scopes

Knowledge

  • Identify default roles
    • Enterprise Administrator
      NSX operations and security.
    • NSX Administrator
      NSX operations only: for example, install virtual appliances, configure port groups.
    • Security Administrator
      NSX security only: for example, define data security policies, create port groups, create reports for NSX modules.
    • Auditor
      Read only.

      There are also two scopes available:

    • No restriction
      Access to entire NSX system.
    • Limit access scope
      Access to a specified Edge.
  • Explain Single Sign-On (SSO) integration
    • NSX supports Single Sign On (SSO), which enables NSX to authenticate users from other identity services such as Active Directory, NIS, and LDAP. User management in the vSphere Web Client is separate from user management in the CLI of any NSX component.
    • Integrating the single sign on (SSO) service with NSX improves the security of user authentication for vCenter users and enables NSX to authenticate users from other identity services such as AD, NIS, and LDAP. With SSO, NSX supports authentication using authenticated Security Assertion Markup Language (SAML) tokens from a trusted source via REST API calls. NSX Manager can also acquire authentication SAML tokens for use with other VMware solutions.
  • Assign a role to a vCenter Server user
    • Log in to the vSphere Web Client.
    • Click Networking & Security and then click NSX Managers.
    • Click an NSX Manager in the Name column and then click the Manage tab.
    • Click Users.
    • Click Add. The Assign Role window opens.
    • Click Specify a vCenter user or Specify a vCenter group.
    • Type the vCenter User or Group name for the user. NOTE If the vCenter user is from a domain (such as a SSO user), then you must enter a fully qualified windows domain path. This will allow the default NSX Manager user (admin) as well as the SSO default user (admin) to login to NSX Manager. This user name is for login to the NSX Manager user interface, and cannot be used to access NSX Manager CLIs.
    • Click Next.
    • Select the role for the user and click Next. For more information on the available roles, see “Managing User Rights,” on page 20.
    • Select the scope for the user and click Finish. The user account appears in the Users table.
  • Assign objects to a user
    After you create users and groups and define roles, you must assign the users and groups and their roles to the relevant inventory objects. You can assign the same permissions at one time on multiple objects by moving the objects to a folder and setting the permissions on the folder.

    • Browse to the object in the vSphere Web Client object navigator.
    • Click the Manage tab and select Permissions.
    • Click Add Permission.
    • Click Add.
    • Identify the user or group to assign to this role.
      • Select the domain where the user or group is located from the Domain drop-down menu.
      • Type a name in the Search box or select a name from the list. The system searches user names, group names, and descriptions.
      • Select the user and click Add. The name is added to either the Users or Groups list.
      • (Optional) Click Check Names to verify that the user or group exists in the database.
      • Click OK.
    • Select a role from the Assigned Role drop-down menu. The roles that are assigned to the object appear in the menu. The privileges contained in the role are listed in the section below the role title.
    • (Optional) Deselect the Propagate to Child Objects check box. The role is applied only to the selected object and does not propagate to the child objects.
    • Verify that the users and groups are assigned to the appropriate permissions and click OK. The server adds the permission to the list of permissions for the object. The list of permissions references all users and groups that have roles assigned to the object and indicates where in the vCenter Server hierarchy the role is assigned.
  • Configure SSO
    • Log in to the NSX Manager virtual appliance.
    • Under Appliance Management, click Manage Settings.
    • Click NSX Management Service.
    • Click Edit next to Lookup Service.
    • Type the name or IP address of the host that has the lookup service.
    • Change the port number if required. The default port is 7444. The Lookup Service URL is displayed based on the specified host and port.
    • Type the vCenter administrator user name and password (for example, administrator@vsphere.local). This enables NSX Manager to register itself with the Security Token Service server.
    • Click OK.

      Confirm that the Lookup Service status is Connected.

  • Enable/Disable a user account
    • Log in to the vSphere Web Client.
    • Click Networking & Security and then click NSX Managers.
    • Click an NSX Manager in the Name column and then click the Manage tab.
    • Click Users.
    • Select a user account.
    • Click the Enable or Disable icon.
  • Edit/Delete a user account
    • Log in to the vSphere Web Client.
    • Click Networking & Security and then click NSX Managers.
    • Click an NSX Manager in the Name column and then click the Manage tab.
    • Click Users.
    • Edit:
      • Select the user you want to edit.
      • Click Edit.
      • Make changes as necessary.
      • Click Finish to save your changes.
    • Delete:
    • Select a user account.
      • Click Delete.
      • Click OK to confirm deletion. If you delete a vCenter user account, only the role assignment for NSX Manager is deleted. The user account on vCenter is not deleted.

Tools

  • NSX Administration Guide
  • vSphere Web Client
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s