NSX manager and vCenter – Permissions

I had a customer reach out to me recently and ask why NSX Manager was not displaying inside the Network and Security inventory item. The screen looked something like this.

Screen Shot 2015-03-18 at 2.20.03 pm

When you integrate NSX manager into a vSphere environment via vCenter you’re required to register it with an account. This might be a service account or an administrative account. This account by default is assigned the Enterprise Administration group for NSX components. When logging into vSphere with a different account it will not have the permissions required to see NSX items. Case in point the local root account was used to register the NSX service to vCenter where an administrator SSO account has used to log into vCenter.

How to fix this?

It is quite a simple fix. We need to add the main administrator user (or SSO group) to the correct role under the Networking and Security inventory item. Log in with the account you registered the NSX service with.

Screen Shot 2015-03-18 at 2.19.23 pm

Double click on the NSX manager.

Screen Shot 2015-03-18 at 2.19.31 pm

Under Manage > Users you will see the default account used for NSX manager as well as the account that registered the NSX service into vCenter. Note that the [email protected] account that showed zero NSX objects earlier is missing? This is why it cannot see anything. NSX manages object control under this section. It can consume users or SSO groups presented to it.

Select the Green Plus. Add the user [email protected] and select Next.

Screen Shot 2015-03-18 at 2.51.24 pm

Pick the role appropriate to this user. In this case it is Enterprise Administrator.

Screen Shot 2015-03-18 at 2.20.21 pm

Open another browser and log in as [email protected] that the NSX objects are there and now can be administered.

Screen Shot 2015-03-18 at 2.20.29 pm

This is a little gotcha that is not immediately picked up on my many. With NSX managing its objects via SSO it allows administrators and business’ to give control of numerous teams that run and operate DC’s control. The control allows Security teams to perform management and auditing of rule sets, vSphere teams the ability to change only port-group assignments of VMs, and allow external 3rd party auditors to see a Resultant set of policies. SSO – while I mumble and grumble about it a lot – it is really powerful stuff.

1 thought on “NSX manager and vCenter – Permissions”

Leave a Reply

Your email address will not be published. Required fields are marked *