I am planning to use Power NSX to automate a few of my NSX DFW policies.
At present I have the admin account with NSX Manager.
Is there any way I can create a separate account for NSX Manager with less privilege than the Admin account, which only allows executing policies related to DFW?
I am using NSX 6.3.2.
When I checked, what I observed is that in NSX Manager it is possible to create an account which has access to the web interface.
Let me know any one has any inputs regarding this.
Could you not just create either a local @vsphere or assign a domain account with the Security Administrator permission? This will allow the account to have security permissions only and not have the operational permissions the enterprise or NSX admin has.
Thanks for your inputs.
But my understanding is that that will have rights to login to the vCenter with less privilege access.
But the Power NSX which I will be using accounts of NSX Manager. Let me know if this is feasible.
Any inputs ?
Hi Raj, you can create accounts via the NSX Manager and assign the roles via an API call.
PowerNSX allows you to connect using a local NSX Manager account OR via a vCenter/SSO account.
You can see the different connection methods with the following command:
PS /Users/dcoghlan> get-help connect-nsxserver -examples
<< SNIP >>
-------------------------- EXAMPLE 3 --------------------------
PS C:\>Connect-NsxServer -vCenterServer vcenter.corp.local -username me@vsphere.local -password secret
Connect to vCenter server vcenter.corp.local using the SSO credentials in
-username and -password to determine the NSX server IP and return an
appropriate connection object.
The credentials specified in -credential are used for both vCenter connection
(if not already established) AND SSO authentication to NSX server.
Please use the following KB as it details how to create a local user and assign it permissions. This user account depending on the level of access you require can be used for cli
Change the role access to whatever level of access you require
Thanks.
I understand that by creating the below account there will be additional user with web-interface privilege.
user api_username privilege web-interface
Let me know what will be the difference between this account & the admin account.
What are the privilege differences between these accounts?
web-interface - assumption that this is required to access NSX via the web. The role permissions happen after, as per the KB. Each possible role has certain permissions. auditor, for example, is read-only.
super_user (System Administrator)
vshield_admin (NSX Administrator)
enterprise_admin (Enterprise Admin)
Thanks.
So you mean to say that I need to create the user name & then associate it with web interface & set the privilege to security admin?
So with this privilege it will have only the access to NSX firewall policy changes ?
Hi Raj,
I told you this 3 weeks ago, you didn't even bother to read the posting, which is somewhat self defeating, why should people bother!!
Hi Raj, you can create accounts via the NSX Manager and assign the roles via an API call.
Clear as daylight, you can create the account you need via API call as stated in the link above and set this to security admin role which handles Firewall related stuff!!
sheeesh!!
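
The procedure described in the replies above (a local CLI user with the web-interface privilege, then a role assigned via an API call), as an added example that is not part of the thread or of PowerNSX. The endpoint path, the isCli=true parameter, the globalroot-0 scope and the XML body are assumptions based on the NSX for vSphere user-management API and do not appear in the thread; nsxmgr.example.local is a placeholder and api_username is the name used above.

```powershell
# Added example: give an existing local NSX Manager CLI user a least-privilege role.
# Assumes the user was already created on the NSX Manager CLI, e.g.
#   user api_username privilege web-interface
# Endpoint, isCli parameter and XML body are assumptions (NSX-v user-management API).

function New-NsxRoleBody {
    param(
        # Only non-administrative roles are accepted; super_user, vshield_admin
        # and enterprise_admin are rejected by parameter validation.
        [Parameter(Mandatory)][ValidateSet('security_admin', 'auditor')][string]$Role
    )
    # globalroot-0 is the global scope (assumption, not from the thread).
    return @"
<accessControlEntry>
  <role>$Role</role>
  <resource>
    <resourceId>globalroot-0</resourceId>
  </resource>
</accessControlEntry>
"@
}

function Set-NsxCliUserRole {
    param(
        [Parameter(Mandatory)][string]$NsxManager,
        # Restrict the user id so it cannot alter the request path.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9_.-]+$')][string]$UserId,
        [Parameter(Mandatory)][ValidateSet('security_admin', 'auditor')][string]$Role,
        # Existing NSX Manager admin credential, used once for this call only.
        [Parameter(Mandatory)][pscredential]$AdminCredential
    )
    $uri = 'https://{0}/api/2.0/services/usermgmt/role/{1}?isCli=true' -f $NsxManager, $UserId

    # Build the Basic auth header explicitly so the call behaves the same on
    # Windows PowerShell and PowerShell Core.
    $pair = '{0}:{1}' -f $AdminCredential.UserName, $AdminCredential.GetNetworkCredential().Password
    $headers = @{ Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair)) }

    Invoke-RestMethod -Method Post -Uri $uri -Headers $headers `
        -ContentType 'application/xml' -Body (New-NsxRoleBody -Role $Role)
}

# Usage (placeholder host name; prompts for the admin password instead of hard-coding it):
# Set-NsxCliUserRole -NsxManager 'nsxmgr.example.local' -UserId 'api_username' `
#     -Role 'security_admin' -AdminCredential (Get-Credential admin)
```

After the role is assigned, automation should authenticate as the new account rather than as admin, so DFW changes in the NSX Manager audit log are attributable to it.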