Could you not just create either a local @vsphere account or assign a domain account with the Security Administrator permission? This will allow the account to have security permissions only and not have the operational permissions the enterprise or NSX admin has.
Thanks for your inputs.
But my understanding is that that will have rights to login to the vCenter with less privilege access.
But the PowerNSX which I will be using accounts of NSX Manager. Let me know if this is feasible.
Any inputs ?
PowerNSX allows you to connect using a local NSX Manager account OR via a vCenter/SSO account.
You can see the different connection methods with the following command:
- Get-Help Connect-NsxServer -Examples
PS /Users/dcoghlan> get-help connect-nsxserver -examples
<< SNIP >>
-------------------------- EXAMPLE 3 --------------------------
PS C:\>Connect-NsxServer -vCenterServer vcenter.corp.local -username firstname.lastname@example.org -password secret
Connect to vCenter server vcenter.corp.local using the SSO credentials in
-username and -password to determine the NSX server IP and return an
appropriate connection object.
The credentials specified in -credential are used for both vCenter connection
(if not already established) AND SSO authentication to NSX server.
Please use the following KB as it details how to create a local user and assign it permissions. This user account, depending on the level of access you require, can be used for CLI.
Change the role access to whatever level of access you require
I understand that by creating the below account there will be additional user with web-interface privilege.
user api_username privilege web-interface
Let me know what will be the difference between this account & the admin account.
What are the privilege differences between these accounts?
web-interface - assumption that this is required to access NSX via the web. The role permissions happen after as per the KB. Each possible role has certain permissions. Auditor for example is read-only.
So you mean to say that I need to create the user name & then associate the with web interface & set the privilege to security admin
So with this privilege it will have only the access to NSX firewall policy changes ?
I told you this 3 weeks ago, you didn't even bother to read the posting, which is somewhat self defeating, why should people bother!!
Hi Raj, you can create accounts via the NSX Manager and assign the roles via an API call.
Clear as daylight, you can create the account you need via API call as stated in the link above and set this to security admin role which handles Firewall related stuff!!
User account management in the vSphere Web Client (Networking & Security Plugin) is separate from the CLI user account in NSX Manager CLI.
As shown in above picture, the users can be originating from vCenter/vSphere which can be from vsphere.local/SSO domain or external domain integrated with SSO (e.g. Active Directory)
or can be originating from NSX CLI User which is created from NSX CLI, SSH or Console.
In the CLI user account, you can add privilege for web-interface that is the NSX Manager appliance web, below screenshot.
CLI user account without web-interface privilege can ONLY access the CLI interface.
After assigning the CLI user account for web-interface access, the user still can't access REST API.
You will get an error that the user does not have any role.
As you may know there are 4 roles in NSX, they are:
1. Enterprise Administrator (enterprise_admin in REST API), full access role with read and write REST API calls (HTTP GET, POST, UPDATE, DELETE)
2. Security Administrator (security_admin in REST API), security only access role with read-only access REST API calls (HTTP GET)
3. NSX Administrator (vshield_admin in REST API), NSX only access role outside of security features with read-only access REST API calls (HTTP GET)
4. Auditor (auditor in REST API), read only access role with read-only access REST API calls (HTTP GET)
There is an additional role called System Administrator (super_user in REST API). This role can only be assigned for CLI user account. The default 'admin' account has the System Administrator role.
To allow an NSX CLI user to access the REST API, you would need to assign an NSX role to the user, which can only be done through the REST API.
Depending on your NSX version, lately not all roles are available for CLI user accounts. For example, I used NSX 6.3.3 and the enterprise_admin and vshield_admin roles cannot be assigned to a CLI user account anymore.
How to assign the role, create CLI user account etc is already covered in previous reply in VMware KB 2150736 Creating a User for NSX CLI and assigning api roles/permissions https://kb.vmware.com/s/article/2150736
But, as mentioned by Dale in previous reply, in PowerNSX you can use a user from a local NSX Manager account (CLI user account) or a vCenter/SSO account.
Bayu Wibowo | vExpert NSX, VCIX6-DCV/NV, Cisco Champion
https://nz.linkedin.com/in/bayupw | twitter @bayupw
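The role assignment the reply above says can only be done through the REST API, as an added example (not code from this thread, from PowerNSX or from VMware): it assigns a role to an existing CLI user and reads it back to confirm. The endpoint /api/2.0/services/usermgmt/role/{userId}?isCli=true and the accessControlEntry body are assumptions taken from the NSX 6.x API and should be checked against KB 2150736; the manager name and credentials are constructed placeholders.

```python
"""Assign an NSX role to an NSX Manager CLI user over the REST API, then verify it.

Added example. Endpoint and XML shape are ASSUMED from the NSX 6.x API
(POST/GET /api/2.0/services/usermgmt/role/{userId}?isCli=true); confirm them
against VMware KB 2150736 before relying on this.
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Roles the thread lists as assignable through the REST API.
NSX_ROLES = {"enterprise_admin", "security_admin", "vshield_admin", "auditor"}


def build_role_body(role: str) -> bytes:
    """Return the accessControlEntry XML for `role`; pick the narrowest role that fits."""
    if role not in NSX_ROLES:
        raise ValueError(f"unknown NSX role: {role}")
    entry = ET.Element("accessControlEntry")
    ET.SubElement(entry, "role").text = role
    return ET.tostring(entry, encoding="utf-8", xml_declaration=True)


def parse_role_response(xml_text: str) -> str:
    """Extract the role name from a GET .../role/{userId} response."""
    root = ET.fromstring(xml_text)
    role = root.findtext("role")
    if role is None:
        raise ValueError("response carries no <role> element")
    return role


def _request(url: str, method: str, auth: tuple, body: bytes = None) -> str:
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req = urllib.request.Request(url, data=body, method=method, headers={
        "Authorization": f"Basic {token}", "Content-Type": "application/xml"})
    # ASSUMPTION: the NSX Manager certificate chains to a CA this host trusts;
    # load the appliance CA into the context instead of disabling verification.
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return resp.read().decode()


def assign_cli_user_role(manager: str, cli_user: str, role: str, auth: tuple) -> str:
    """POST the role for a CLI user (isCli=true) and GET it back; returns the confirmed role."""
    url = f"https://{manager}/api/2.0/services/usermgmt/role/{cli_user}?isCli=true"
    _request(url, "POST", auth, build_role_body(role))
    return parse_role_response(_request(url, "GET", auth))


if __name__ == "__main__":
    # Constructed values: the built-in admin (super_user) account performs the assignment.
    print(assign_cli_user_role("nsxmgr.example.invalid", "api_username",
                               "security_admin", ("admin", "changeme")))
```

The GET after the POST is the check that matters: a CLI user with only the web-interface privilege and no role still gets the "user does not have any role" error the reply describes.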