Roles and Permissions for vCenter and NSX-T Users
Overview
The NSX-T cloud connector interacts with vCenter for Service Engine (SE) lifecycle management, and with NSX-T manager to sync and create objects for networking and security.
To do this, the admin must configure vCenter and NSX-T user credentials that carry the permissions Avi needs to perform these operations, and no more than those.
This article discusses the roles and permissions required by the vCenter and NSX-T users and the steps to configure them.
vCenter Roles
This section discusses the roles required to be assigned to the vCenter user.
Create the following roles:
AviRole-Global
This role must be applied as a Global Permission. It allows the user to upload the SE OVF to the content library, allocate space on a datastore to create a virtual machine (VM), and assign networks to it.
Role Summary
The AviRole-Global needs the following permissions:
- Content Library
  - Add library items
  - Delete library items
  - Update files
  - Update library items
- Datastore
  - Allocate space
  - Remove files
- Network
  - Assign network
  - Remove
- vApp
  - Import
- Virtual Machine
  - Change Configuration
    - Add new disk
Creating AviRole-Global
To create AviRole-Global,
- Log in to the vCenter UI as admin.
- Navigate to Administration > Roles as shown below.
- Click on the + sign to create a new role.
- Click on Content Library and select the permissions as shown below.
- Click on Datastore and select the permissions as shown below.
- Click on Network and select the permissions as shown below.
- Click on Virtual Machine and select the permissions as shown below.
- Click on vApp and select the permissions as shown below.
- Click on Next.
- Enter the Role name as AviRole-Global and enter a Description, if required.
- Click on Finish.
AviRole-Folder
This role is assigned on the VM folder in which the Avi SEs are created, so that the VM lifecycle permissions below apply only inside that folder.
Role Summary
The AviRole-Folder needs the following permissions:
- Folder
  - Create folders
- Network
  - Assign networks
  - Remove networks
- Resource
  - Assign virtual machine to resource pool
- Tasks
  - Create tasks
  - Update tasks
- vApp
  - Add virtual machine
  - Assign resource pool
  - Assign vApp
  - Create
  - Delete
  - Export
  - Import
  - Power off
  - Power on
  - vApp application configuration
  - vApp instance configuration
- Virtual machine
  - Change Configuration
    - Add existing disk
    - Add new disk
    - Add or remove device
    - Advanced configuration
    - Change CPU count
    - Change Memory
    - Change Settings
    - Change resource
    - Display connection settings
    - Extend virtual disk
    - Modify device settings
    - Remove disk
  - Edit Inventory
    - Create new
    - Remove
    - Register
    - Unregister
  - Interaction
    - Connect devices
    - Install VMware Tools
    - Power off
    - Power on
    - Reset
  - Provisioning
    - Allow disk access
    - Allow file access
    - Allow read-only disk access
    - Deploy template
    - Mark as virtual machine
Creating AviRole-Folder
To create AviRole-Folder,
- Log in to the vCenter UI as admin.
- Navigate to Administration > Roles as shown below.
- Click on the + sign to create a new role.
- Click on Folder and select the permissions as shown below.
- Click on Network and select the permissions as shown below.
- Click on Resource and select the permissions as shown below.
- Click on Tasks and select the permissions as shown below.
- Click on Virtual Machine and select the permissions as shown below.
- Click on vApp and select the permissions as shown below.
- Click on Next.
- Enter the Role name as AviRole-Folder and enter a Description, if required.
- Click on Finish.
Combined AviRole
If the vCenter admin does not want to restrict VM operations to a folder and prefers to grant the permissions globally, a single AviRole can be created with the permissions listed below and applied as a Global Permission, instead of creating AviRole-Global and AviRole-Folder. Note that this grants the VM lifecycle permissions across the whole vCenter inventory rather than only the SE folder.
Role Summary
- Content Library
  - Add library item
  - Delete library item
  - Update files
  - Update library item
- Datastore
  - Allocate space
  - Remove file
- Folder
  - Create folder
- Network
  - Assign network
  - Remove
- Resource
  - Assign virtual machine to resource pool
- Tasks
  - Create task
  - Update task
- vApp
  - Add virtual machine
  - Assign resource pool
  - Assign vApp
  - Create
  - Delete
  - Export
  - Import
  - Power off
  - Power on
  - vApp application configuration
  - vApp instance configuration
- Virtual machine
  - Change Configuration
    - Add existing disk
    - Add new disk
    - Add or remove device
    - Advanced configuration
    - Change CPU count
    - Change Memory
    - Change Settings
    - Change resource
    - Display connection settings
    - Extend virtual disk
    - Modify device settings
    - Remove disk
  - Edit Inventory
    - Create new
    - Remove inventory
    - Register
    - Unregister
  - Interaction
    - Connect devices
    - Install VMware Tools
    - Power off
    - Power on
    - Reset
  - Provisioning
    - Allow disk access
    - Allow file access
    - Allow read-only disk access
    - Deploy template
    - Mark as virtual machine
Assigning the Roles
Assign the global and folder level roles as discussed below.
Assigning AviRole-Global
- Log in to the vCenter UI and navigate to Global Permissions.
- Click on the + sign to add a new permission.
- Select the Domain.
- Search for and select the required username (this will be used for authentication in the Avi cloud configuration).
- Click on Propagate to children. The Add Permission screen is as shown below.
- Click on OK.
Assigning AviRole-Folder
- Log in to the vCenter UI and navigate to VMs and Templates.
- Select the VM folder in which the Avi SEs have to be created.
- Click on the Permissions tab.
- Click on the + sign to add a new permission.
- Select the Domain.
- Search for and select the required username (this will be used for authentication in the Avi cloud configuration).
- Click on Propagate to children. The Add Permission screen is as shown below.
- Click on OK.
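As an added example, not code from this article or from Avi or VMware, the PowerCLI script below performs the role creation and folder assignment steps above from the command line and, for a role that already exists, reports the drift between what it grants and what the Role Summaries list (missing privileges break SE lifecycle operations; extra ones widen what the Avi credentials can do). The vCenter host name, the SE folder name and the user principal are placeholders, and the privilege IDs are my mapping of the UI labels in the Role Summaries, so confirm each with Get-VIPrivilege before relying on it.

```powershell
# Added example (not Avi's or VMware's code). Privilege IDs are my mapping of the
# article's UI labels; verify each with Get-VIPrivilege before relying on it.
# Placeholders (assumptions; change for your environment):
$vcServer = 'vcenter.example.com'     # vCenter to connect to
$seFolder = 'Avi-SE'                  # VM folder in which the Avi SEs are created
$aviUser  = 'VSPHERE.LOCAL\avi-svc'   # user configured in the Avi NSX-T cloud

# AviRole-Global (applied as a Global Permission): content library, datastore space, networks, OVF import
$globalPrivIds = @(
    'ContentLibrary.AddLibraryItem', 'ContentLibrary.DeleteLibraryItem',
    'ContentLibrary.UpdateFiles', 'ContentLibrary.UpdateLibraryItem',
    'Datastore.AllocateSpace', 'Datastore.DeleteFile',
    'Network.Assign', 'Network.Delete',
    'VApp.Import',
    'VirtualMachine.Config.AddNewDisk'
)

# AviRole-Folder (applied on the SE folder only): VM lifecycle inside that folder
$folderPrivIds = @(
    'Folder.Create',
    'Network.Assign', 'Network.Delete',
    'Resource.AssignVMToPool',
    'Task.Create', 'Task.Update',
    'VApp.AssignVM', 'VApp.AssignResourcePool', 'VApp.AssignVApp', 'VApp.Create', 'VApp.Delete',
    'VApp.Export', 'VApp.Import', 'VApp.PowerOff', 'VApp.PowerOn',
    'VApp.ApplicationConfig', 'VApp.InstanceConfig',
    'VirtualMachine.Config.AddExistingDisk', 'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Config.AddRemoveDevice', 'VirtualMachine.Config.AdvancedConfig',
    'VirtualMachine.Config.CPUCount', 'VirtualMachine.Config.Memory',
    'VirtualMachine.Config.Settings', 'VirtualMachine.Config.Resource',
    'VirtualMachine.Config.MksControl', 'VirtualMachine.Config.DiskExtend',
    'VirtualMachine.Config.EditDevice', 'VirtualMachine.Config.RemoveDisk',
    'VirtualMachine.Inventory.Create', 'VirtualMachine.Inventory.Delete',
    'VirtualMachine.Inventory.Register', 'VirtualMachine.Inventory.Unregister',
    'VirtualMachine.Interact.DeviceConnection', 'VirtualMachine.Interact.ToolsInstall',
    'VirtualMachine.Interact.PowerOff', 'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.Reset',
    'VirtualMachine.Provisioning.DiskRandomAccess', 'VirtualMachine.Provisioning.FileRandomAccess',
    'VirtualMachine.Provisioning.DiskRandomRead', 'VirtualMachine.Provisioning.DeployTemplate',
    'VirtualMachine.Provisioning.MarkAsVM'
)

# The "Combined AviRole" alternative from the article is simply the union of the two lists
$combinedPrivIds = @($globalPrivIds + $folderPrivIds | Sort-Object -Unique)

function Compare-AviRole {
    # Drift report: privileges the role lacks (Missing) and privileges beyond the list (Extra).
    # System.Anonymous/System.Read/System.View are implicit in every vCenter role, so they are ignored.
    param([string]$Name, [string[]]$PrivilegeIds)
    $role   = Get-VIRole -Name $Name -ErrorAction Stop
    $actual = @($role.PrivilegeList | Where-Object { $_ -notlike 'System.*' })
    $diff   = Compare-Object -ReferenceObject $PrivilegeIds -DifferenceObject $actual
    [pscustomobject]@{
        Role    = $Name
        Missing = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)
        Extra   = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
    }
}

function New-AviRole {
    param([string]$Name, [string[]]$PrivilegeIds)
    $privs = @(Get-VIPrivilege -Id $PrivilegeIds -ErrorAction Stop)
    # A mistyped ID would otherwise produce a silently weaker role
    if ($privs.Count -ne $PrivilegeIds.Count) {
        throw "$Name: only $($privs.Count) of $($PrivilegeIds.Count) privilege IDs resolved"
    }
    if (-not (Get-VIRole -Name $Name -ErrorAction SilentlyContinue)) {
        New-VIRole -Name $Name -Privilege $privs | Out-Null
    }
    Compare-AviRole -Name $Name -PrivilegeIds $PrivilegeIds
}

Connect-VIServer -Server $vcServer | Out-Null

New-AviRole -Name 'AviRole-Global' -PrivilegeIds $globalPrivIds | Format-List
New-AviRole -Name 'AviRole-Folder' -PrivilegeIds $folderPrivIds | Format-List
# To use the single combined role instead:  New-AviRole -Name 'AviRole' -PrivilegeIds $combinedPrivIds

# "Assigning AviRole-Folder": permission on the SE folder, propagated to children
$folder = Get-Folder -Name $seFolder -Type VM -ErrorAction Stop
$role   = Get-VIRole -Name 'AviRole-Folder'
New-VIPermission -Entity $folder -Principal $aviUser -Role $role -Propagate:$true | Out-Null

# "Assigning AviRole-Global" is a Global Permission, for which PowerCLI has no cmdlet;
# follow the Global Permissions UI steps above for that role.
```

Running the script a second time is safe: roles that already exist are not recreated, and the Compare-AviRole output then acts as a periodic least-privilege check that the Avi service account's roles have not been widened since they were set up.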
NSX-T Roles
This section discusses the roles required to be assigned to the NSX-T user. Local user creation is not allowed on NSX-T. The admin can select a VMware Identity Manager (VIDM) or an LDAP user and assign the required roles to it.
Consider an example in which the role is assigned to a VIDM user.
To assign the role,
- Log in to the NSX-T manager UI as an admin user.
- Navigate to System > Users and Roles > USERS.
- Click on ADD and select Role Assignment for VIDM.
- Select the Network Engineer role.
- Click on Save.
Notes:
- Customized role creation is not supported in NSX-T 3.0. The user has to be assigned an existing role that has all the permissions required by the Avi NSX-T cloud.
- In NSX-T 3.1, the Network Engineer role has been renamed Network Admin, so assign Network Admin instead.