Creating Accounts for NSX Devices

NSX-T Devices

  1. In the NSX-T manager go to System > Settings > User and Roles
  2. Click on ADD and select a role assignment for LDAP

  3. Add the LDAP domain

  4. Add a User, and select Role “Auditor” for read only or “Enterprise Admin” for read write user , and click on Save.

NSX-V Devices

SecureTrack uses the NSX API to monitor NSX-V devices. To retrieve revisions, use NSX Role Based Access Control (RBAC) to create an NSX-CLI user with read-only access to the NSX API as follows:

A: Create an NSX Manager user account with read-only permission for the API.

  1. Connect to the NSX manager via SSH, switch to enable mode, and enter the configuration terminal.

  2. From the configuration terminal, create a new user account on the NSX Manager with the following command:

    user username password (hash | plaintext) password

  3. After you create the CLI user, use the following command to assign the user web-interface privileges so that it can be authenticated against the NSX Manager web interface:

    user username privilege web-interface

  4. Save the configuration.
  5. To view the running configuration, enter the following commands:
    1. exit
    2. write memory
    3. show running-config

  6. In the vSphere Web Client, navigate to Menu > Networking & Security > Users and Domains > Users tab.

    In the example below, the new user usertufin2 is not listed and therefore has no assigned role:

  7. Create a user using the following REST API POST call, using CURL, Postman, or another REST client:

    https://<NSX-Manager-IP-Address>/api/2.0/services/usermgmt/role/userId?isCli=true

    • Authorization

      To authenticate the request, add an Authorization header with the admin user/password for the NSX Manager device.

    • Headers

      The REST call must also include the Authorization and Content-Type headers.

      The example below shows the headers in the Postman client:

    • Request Body

    <accessControlEntry>

    <role>auditor</role>

    <resource>

    <resourceId>globalroot-0</resourceId>

    </resource>

    </accessControlEntry>

    The options for role are:

    • auditor (Auditor for monitor changes only from ST)
    • security_admin (Security Administrator if needed provision changes from SC)

    The example below shows the results in the Postman client:

  8. To verify that the user is created, in the vSphere Web Client navigate to Menu > Networking & Security > Users and Domains > Users tab.

    In the example below, the new user usertufin2 is listed with the role you assigned:

For more information, see the Sneaku.com article "How to create a NSX-v API Only User Account".

B: Create a vCenter Single Sign On (SSO) User with the vSphere Web Client

  1. Log in to vCenter and browse to Menu > Administration > Single Sign-On > Users and Groups in the vSphere Web Client.
  2. To add a new user, in the Users tab, click .
  3. Enter a user name and password for the new user.
    • You cannot change the username after you create a user.
    • The password must meet the password policy requirements for the system.
    • Optional: Enter a first and last name for the user.
    • Optional: Enter an email address for the user.
  4. Click OK.

This user should have access to view DFW policies, with read-only permission. For more information, see the VMware vSphere 5.1 Documentation Center article "Add a vCenter Single Sign On User with the vSphere Web Client".

C: Assign permissions to a vCenter Client user

  1. In the vSphere Web Client navigate to Administration > Access Control > Global Permissions.
  2. Select the user and click to open the Add Permission window.

    In Assigned Role, select Read-only (or Administrator for user provisioning permissions) from the list of roles.

  3. Optional: Select the Domain from the list.
  4. Click OK.

    The user appears in the list with the assigned Read-only role.

For more information, see the VMware vSphere 5.1 Documentation Center article "Assign Permissions in the vSphere Web Client". In step 6 of the procedure, select the Auditor role from the Assigned Role menu.