I had a customer reach out to me recently and ask why NSX Manager was not displaying inside the Network and Security inventory item. The screen looked something like this.
When you integrate NSX manager into a vSphere environment via vCenter you’re required to register it with an account. This might be a service account or an administrative account. This account by default is assigned the Enterprise Administration group for NSX components. When logging into vSphere with a different account it will not have the permissions required to see NSX items. Case in point the local root account was used to register the NSX service to vCenter where an administrator SSO account has used to log into vCenter.
How to fix this?
It is quite a simple fix. We need to add the main administrator user (or SSO group) to the correct role under the Networking and Security inventory item. Log in with the account you registered the NSX service with.
Double click on the NSX manager.
Under Manage > Users you will see the default account used for NSX manager as well as the account that registered the NSX service into vCenter. Note that the [email protected] account that showed zero NSX objects earlier is missing? This is why it cannot see anything. NSX manages object control under this section. It can consume users or SSO groups presented to it.
Select the Green Plus. Add the user [email protected] and select Next.
Pick the role appropriate to this user. In this case it is Enterprise Administrator.
Open another browser and log in as [email protected] Note that the NSX objects are there and now can be administered.
This is a little gotcha that is not immediately picked up on my many. With NSX managing its objects via SSO it allows administrators and business’ to give control of numerous teams that run and operate DC’s control. The control allows Security teams to perform management and auditing of rule sets, vSphere teams the ability to change only port-group assignments of VMs, and allow external 3rd party auditors to see a Resultant set of policies. SSO – while I mumble and grumble about it a lot – it is really powerful stuff.
I think there is a bug on older NSX versions. Cannot check the recent ones. If you change the default domain, for example using the AD domain, and NSX manager is registered using [email protected], then you won’t see NSX manager even with right permissions.