11 Replies Latest reply on Feb 5, 2018 2:49 PM by Bayu Wibowo

    NSX Manager - User Account

    rajeevsrikant Hot Shot
    Community Warriors

      I am planning to use Power NSX to automate few of my NSX DFW policies.

      At present I have the admin account with NSX Manager.

      Is there any way I can create a separate account for NSX Manager with less privilege than the Admin account, which allows only executing policies related to DFW?

      I am using NSX 6.3.2

      When I checked, what I observed is that in NSX Manager it is possible to create an account which has access to the web interface.

      Let me know if anyone has any inputs regarding this.

        • 1. Re: NSX Manager - User Account
          A13x Hot Shot

          Could you not just create either a local @vsphere account or assign a domain account with the Security Administrator permission? This will allow the account to have security permissions only and not the operational permissions the enterprise or NSX admin has.

          • 2. Re: NSX Manager - User Account
            rajeevsrikant Hot Shot
            Community Warriors

            Thanks for your inputs.

            But my understanding is that it will have rights to log in to the vCenter with less privileged access.

            But PowerNSX, which I will be using, uses accounts of NSX Manager. Let me know if this is feasible.

            • 3. Re: NSX Manager - User Account
              rajeevsrikant Hot Shot
              Community Warriors

              Any inputs ?

              • 4. Re: NSX Manager - User Account
                Floki00 Novice

                Hi Raj, you can create accounts via the NSX Manager and assign the roles via an API call.

                VMware Knowledge Base

                • 5. Re: NSX Manager - User Account
                  DaleCoghlan Enthusiast
                  VMware Employees

                  PowerNSX allows you to connect using a local NSX Manager account OR via a vCenter/SSO account.

                  You can see the different connection methods with the following command:

                  Get-Help Connect-NsxServer -Examples

                  PS /Users/dcoghlan> get-help connect-nsxserver -examples

                  << SNIP >>

                      -------------------------- EXAMPLE 3 --------------------------

                      PS C:\>Connect-NsxServer -vCenterServer vcenter.corp.local -username me@vsphere.local -password secret

                      Connect to vCenter server vcenter.corp.local using the SSO credentials in
                      -username and -password to determine the NSX server IP and return an
                      appropriate connection object.

                      The credentials specified in -credential are used for both vCenter connection
                      (if not already established) AND SSO authentication to NSX server.

                  • 6. Re: NSX Manager - User Account
                    A13x Hot Shot

                    Please use the following KB as it details how to create a local user and assign it permissions. This user account, depending on the level of access you require, can be used for the CLI.

                    VMware Knowledge Base

                    Change the role access to whatever level of access you require.

                    • 7. Re: NSX Manager - User Account
                      rajeevsrikant Hot Shot
                      Community Warriors

                      Thanks.

                      I understand that by creating the below account there will be an additional user with the web-interface privilege.

                      user api_username privilege web-interface

                      Let me know what the difference will be between this account & the admin account.

                      What are the privilege differences between these accounts?

                      • 8. Re: NSX Manager - User Account
                        A13x Hot Shot

                        web-interface: the assumption is that this is required to access NSX via the web. The role permissions happen afterwards, as per the KB. Each possible role has certain permissions; auditor, for example, is read-only.

                        Possible roles:

                        super_user (System Administrator)

                        vshield_admin (NSX Administrator)

                        enterprise_admin (Enterprise Admin)

                        security_admin (Security Administrator)

                        auditor (Auditor)

                        • 9. Re: NSX Manager - User Account
                          rajeevsrikant Hot Shot
                          Community Warriors

                          Thanks.

                          So you mean to say that I need to create the user name, then associate it with the web interface and set the privilege to security admin?

                          So with this privilege it will only have access to NSX firewall policy changes?

                          • 10. Re: NSX Manager - User Account
                            Floki00 Novice

                            Hi Raj,

                            I told you this 3 weeks ago; you didn't even bother to read the posting, which is somewhat self-defeating. Why should people bother!!

                            Hi Raj, you can create accounts via the NSX Manager and assign the roles via an API call.

                            VMware Knowledge Base

                            Clear as daylight: you can create the account you need via an API call as stated in the link above and set this to the security admin role, which handles firewall-related stuff!!

                            sheeesh!!

                            • 11. Re: NSX Manager - User Account
                              Bayu Wibowo Master
                              User Moderators, Community Warriors, vExpert

                              Hi Rajeev,

                              User account management in the vSphere Web Client (Networking & Security Plugin) is separate from the CLI user account in the NSX Manager CLI.

                              [Image: nsx-users1.png]

                              As shown in the above picture, the users can originate from vCenter/vSphere, which can be from the vsphere.local/SSO domain or an external domain integrated with SSO (e.g. Active Directory), or can originate from an NSX CLI user, which is created from the NSX CLI, SSH or console.

                              In the CLI user account, you can add the web-interface privilege, which is for the NSX Manager appliance web UI, as in the screenshot below.

                              [Image: nsxmgr-web-interface.png]

                              A CLI user account without the web-interface privilege can ONLY access the CLI interface.

                              After assigning web-interface access to the CLI user account, the user still can't access the REST API.

                              [Image: restapierror.png]

                              You will get an error that the user does not have any role.

                              As you may know, there are 4 roles in NSX; they are:

                              1. Enterprise Administrator (enterprise_admin in REST API), full access role with read and write REST API calls (HTTP GET, POST, UPDATE, DELETE)

                              2. Security Administrator (security_admin in REST API), security only access role with read-only access REST API calls (HTTP GET)

                              3. NSX Administrator (vshield_admin in REST API), NSX only access role outside of security features with read-only access REST API calls (HTTP GET)

                              4. Auditor (auditor in REST API), read only access role with read-only access REST API calls (HTTP GET)

                              There is an additional role called System Administrator (super_user in REST API). This role can only be assigned to a CLI user account. The default 'admin' account has the System Administrator role.

                              To allow an NSX CLI user to access the REST API, you need to assign an NSX role to the user, which can only be done through the REST API.

                              Depending on your NSX version, lately not all roles are available for CLI user accounts. For example, I used NSX 6.3.3 and the enterprise_admin and vshield_admin roles cannot be assigned to a CLI user account anymore.

                              [Image: cliuserrole.png]

                              How to assign the role, create the CLI user account, etc. is already covered in a previous reply: VMware KB 2150736, Creating a User for NSX CLI and assigning api roles/permissions, https://kb.vmware.com/s/article/2150736

                              But, as mentioned by Dale in a previous reply, in PowerNSX you can use a user from a local NSX Manager account (CLI user account) or a vCenter/SSO account.

                              Bayu Wibowo | vExpert NSX, VCIX6-DCV/NV, Cisco Champion
                              https://nz.linkedin.com/in/bayupw | twitter @bayupw
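Putting the thread's advice together (the KB referenced in replies 4, 6 and 11 plus Dale's note on PowerNSX connection methods), here is an added example, not from any poster or from PowerNSX itself, that assigns the security_admin role to an existing NSX CLI user over the REST API, reads it back to confirm nothing broader was granted, and then connects PowerNSX with that account instead of admin. The hostname nsxmgr.corp.local, the user name dfwauto, the usermgmt role endpoint shape (as described in KB 2150736) and Connect-NsxServer accepting -Server and -Credential are assumptions.

```powershell
# Added example, not from the thread. Assumptions: NSX Manager is nsxmgr.corp.local,
# the CLI user 'dfwauto' was already created on the NSX Manager CLI with
# 'privilege web-interface', and the role endpoint follows VMware KB 2150736.
$nsxManager = 'nsxmgr.corp.local'
$cliUser    = 'dfwauto'

# The one-off role assignment needs an account that already holds a role (e.g. admin).
$adminCred = Get-Credential -Message 'NSX Manager admin (used once, to assign the role)'
$pair    = '{0}:{1}' -f $adminCred.UserName, $adminCred.GetNetworkCredential().Password
$token   = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
$headers = @{ Authorization = "Basic $token"; 'Content-Type' = 'application/xml' }

# isCli=true marks the target as a local NSX Manager CLI user rather than an SSO user.
$roleUri = "https://$nsxManager/api/2.0/services/usermgmt/role/${cliUser}?isCli=true"

# security_admin scoped to the global root: the role this thread recommends for DFW work.
$body = @"
<accessControlEntry>
  <role>security_admin</role>
  <resource>
    <resourceId>globalroot-0</resourceId>
  </resource>
</accessControlEntry>
"@

# Add -SkipCertificateCheck (PowerShell 6+) only while NSX Manager still has its self-signed certificate.
Invoke-RestMethod -Uri $roleUri -Method Post -Headers $headers -Body $body | Out-Null

# Read the role back and stop if the account ended up with anything other than security_admin.
$ace      = Invoke-RestMethod -Uri $roleUri -Method Get -Headers $headers
$assigned = $ace.accessControlEntry.role
if ($assigned -ne 'security_admin') {
    throw "User '$cliUser' has role '$assigned', expected security_admin"
}

# PowerNSX can now connect straight to NSX Manager with the least-privileged local account
# (assumes Connect-NsxServer accepts -Server and -Credential for a direct NSX Manager connection).
$autoCred = Get-Credential -UserName $cliUser -Message 'DFW automation account'
Connect-NsxServer -Server $nsxManager -Credential $autoCred
```

The admin credential is only used for the role assignment; the DFW automation itself runs under the dfwauto session, so a leaked automation credential cannot change anything outside the security_admin scope.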