NSX-T 2.0 was released a couple of weeks ago, and among the new features in the release notes, one caught my attention:
RBAC and vIDM integration
With this release, there are six roles for RBAC. Users can be assigned any of the six roles. NSX is also integrated with VMware Identity Manager to provide a unified user information for all VMware products.
NSX-T have two built-in users: admin and audit. To expand authentication capabilities, you can integrate NSX-T with VMware Identity Manager (vIDM) and configure Role-Based Access Control (RBAC) for users that vIDM manages.
How-to Integrate NSX-T with vIDM?
By default, NSX-T 2.0 login screen looks like this; quite familiar, no? You might have seen the same screen in other products such as vRealize Operations or Log Insight.
Before starting, let’s have a look to prerequisites:
- vIDM deployed and configured: well, that seems obvious but I thought I could clarify it again 🙂
- Certificate thumbprint from the vIDM host – Check the documentation to see how to obtain it
- NSX Manager registered as an OAuth client to the vIDM host
The 3rd item is a bit more complex, so I’ll explain further:
- In vIDM > Catalog > Settings > Remote App Access, click the Create Client button.
- Change the Access Type to Service Client Token.
- Enter the Client ID of your choice.
- In Advanced, click on Generate Shared Secret.
- Click Add.
Now that your NSX-T Manager is registered as an OAuth client in Identity Manager, follow the steps below to finish the integration.
Log in to your NSX Manager, navigate to System > Users > Configuration and click Edit.
Provide the following information:
- vIDM FQDN
- OAuth Client ID
- OAuth Client Secret
- vIDM SHA-256 Thumbprint
- FQDN of your NSX-T Manager
After saving the parameters, my connection to vIDM is up and running. 🙂
To confirm that the vIDM integration is enabled, logout and note the login screen has changed: you can know switch between Remote User and Node-Local User.
Note: the next logical step is to add users, or to integrate your enterprise directory to vIDM to sync users and groups. However, I will not describe this step as it’s not the topic of this article. My Active Directory is already integrated, and I will continue from there.
With Role-Based Access Control (RBAC), you can restrict system access to authorized users. Users are assigned roles and each role has specific permissions. The four types of permissions are: Full access, Execute (includes the read permission), Read and None.
NSX-T has the 6 following built-in roles (you cannot add any new roles).
- Enterprise Administrator
- Network Engineer
- Network Operations
- Security Engineer
- Security Operations
You can add, change, and delete role assignments to users or user groups when Identity Manager is integrated with NSX-T. Navigate to System > Users > Role Assignments to add, change or delete role assignments to users or groups. In the example below, I’m assigning the NSX-Admins group the Enterprise Administrator role.
- For authentication to work correctly, NSX Manager, vIDM and other service providers such as Active Directory must all be time synchronized.
- For users managed by vIDM, the authentication policy that applies is the one configured by the vIDM administrator, and not NSX-T’s authentication policy, which applies to users admin and audit only.
- With a default vIDM deployment, users require First Name, Last Name and email configured in Active Directory, otherwise vIDM will not sync them. You can manage which attributes are required.
- To understand which permissions each role has for different operations, please refer to the documentation.