Creating Accounts for NSX Devices

NSX-T Devices

  1. In the NSX-T manager go to System > Settings > User and Roles
  2. Click on ADD and select a role assignment for LDAP

  3. Add the LDAP domain

  4. Add a user, select the role Auditor for read-only access or Enterprise Admin for read-write access, and click Save.

NSX-V Devices

SecureTrack uses the NSX API to monitor NSX-V devices. To retrieve revisions, use NSX Role Based Access Control (RBAC) to create an NSX-CLI user with read-only access to the NSX API as follows:

Create an NSX Manager User Account with Read-only Permission for the API

  1. Connect to the NSX manager via SSH, switch to enable mode, and enter the configuration terminal.

  2. From the configuration terminal, create a new user account on the NSX Manager with the following command:

    user username password (hash | plaintext) password

  3. After you create the CLI user, use the following command to assign the user web-interface privileges so that it can be authenticated against the NSX Manager web interface:

    user username privilege web-interface

  4. Save the configuration.
  5. To view the running configuration, enter the following commands:
    1. exit
    2. write memory
    3. show running-config

  6. In the vSphere Web Client, navigate to Menu > Networking & Security > Users and Domains > Users tab.

    In the example below, the new user usertufin2 is not listed and therefore has no assigned role:

  7. Create a user using the following REST API POST call, using CURL, Postman, or another REST client:

    https://<NSX-Manager-IP-Address>/api/2.0/services/usermgmt/role/userId?isCli=true

    • Authorization

      To authenticate the request, add an Authorization header carrying the NSX Manager admin user name and password.

    • Headers

      The REST call must also include the Authorization and Content-Type headers.

      The example below shows the headers in the Postman client:

    • Request Body

    <accessControlEntry>
      <role>auditor</role>
      <resource>
        <resourceId>globalroot-0</resourceId>
      </resource>
    </accessControlEntry>

    The options for role are:

    • auditor (Auditor: read-only, sufficient when ST only monitors changes)
    • security_admin (Security Administrator: required when SC needs to provision changes)

    The example below shows the results in the Postman client:

  8. To verify that the user is created, in the vSphere Web Client navigate to Menu > Networking & Security > Users and Domains > Users tab.

    In the example below, the new user usertufin2 is listed with the role you assigned:

For more information, see the Sneaku.com article "How to create a NSX-v API Only User Account".

Create a vCenter Single Sign On (SSO) User with the vSphere Web Client

  1. Log in to vCenter and browse to Menu > Administration > Single Sign-On > Users and Groups in the vSphere Web Client.
  2. To add a new user, in the Users tab, click .
  3. Enter a user name and password for the new user.
    • You cannot change the username after you create a user.
    • The password must meet the password policy requirements for the system.
    • Optional: Enter a first and last name for the user.
    • Optional: Enter an email address for the user.
  4. Click OK.

This user should have access to view DFW policies, with read-only permission. For more information, see the VMware vSphere 5.1 Documentation Center article "Add a vCenter Single Sign On User with the vSphere Web Client".

Assign Permissions to a vCenter Client User

  1. In the vSphere Web Client navigate to Administration > Access Control > Global Permissions.
  2. Select the user and click to open the Add Permission window.

    In Assigned Role, select Read-only (or Administrator for user provisioning permissions) from the list of roles.

  3. Optional: Select the Domain from the list.
  4. Click OK.

    The user appears in the list with the assigned Read-only role.

For more information, see the VMware vSphere 5.1 Documentation Center article "Assign Permissions in the vSphere Web Client". In step 6 of the procedure, select the Auditor role from the Assigned Role menu.