Creating a User for NSX CLI and Assigning api roles/permissions (2150736)

Purpose

This article explains how to create an NSX CLI user that can be used only for running API calls against NSX Manager.

In a standard NSX installation, by default, the only account that has API-only privileges (and no vSphere Web Client privileges) is the NSX Manager “admin” account. It is possible to use vSphere SSO accounts to interact with the NSX API; however, this also grants vSphere Web Client access (although such users cannot view or access anything once logged in unless specific vCenter rights are granted).

However, when an API call is made by an SSO user, the audit logs show that the "admin" account completed the call, not the specific user. By creating a dedicated API user with its own role, administrators can audit their environment and know exactly where API calls originated.

Resolution

  1. Create the user on the NSX CLI and assign the correct permissions.

    nsxmgr(config)#
    nsxmgr(config)# user api_username password plaintext Password123!
    nsxmgr(config)#
    nsxmgr(config)# user api_username privilege web-interface
    nsxmgr(config)# exit
    nsxmgr#
    nsxmgr# write memory

    Note: if you see the following error message after running the second command, contact VMware support.

    "ERROR: could not add privilege"

  2. Verify that the user has been created.

    nsxmgr#
    nsxmgr# show running-config 
    Building configuration...
    Current configuration:
    !
    user api_username
    !
    ntp server au.pool.ntp.org
    !
    ip name server 10.10.3.24
    !
    hostname nsxmgr
    !
    interface mgmt.
    ip address 10.10.3.4/24
    !
    ip route 0.0.0.0/0 10.10.3.1
    !
    web-manager
    nsxmgr#


  3. Assign a role to the user via the API with isCli=true, so that it appears as created from the CLI. Start the new user as an auditor so that its role can be modified later.

    POST https://<NSX-Manager-IP Address>/api/2.0/services/usermgmt/role/<userId>?isCli=true

    <accessControlEntry>
    <role>new-role</role>
    <resource>
    <resourceId>resource-num</resourceId>
    </resource>
    </accessControlEntry>
    Example:
    POST https://<NSX-IP>/api/2.0/services/usermgmt/role/api_username?isCli=true
    <accessControlEntry>
    <role>auditor</role>
    <resource>
    <resourceId>globalroot-0</resourceId>
    </resource>
    </accessControlEntry>


  4. Verify that the user now appears in the NSX Manager GUI and that its Origin is shown as NSX CLI User (go to Networking and Security -> NSX Managers -> Manager IP -> Manage -> Users).

  5. You can now change the role of that user in the GUI, or run the following API call to modify that user.

    PUT https://<NSX-Manager-IP-Address>/api/2.0/services/usermgmt/role/<userId>
    <accessControlEntry>
    <role>role</role>
    <resource>
    <resourceId>resource-num</resourceId>
    </resource>
    </accessControlEntry>


    Example:
    PUT https://<NSX-IP>/api/2.0/services/usermgmt/role/api_username
    <accessControlEntry>
    <role>enterprise_admin</role>
    <resource>
    <resourceId>globalroot-0</resourceId>
    </resource>
    </accessControlEntry>
    Possible roles:
    super_user (System Administrator)
    vshield_admin (NSX Administrator)
    enterprise_admin (Enterprise Admin)
    security_admin (Security Administrator)
    auditor (Auditor)
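The two API calls in steps 3 and 5 can be scripted. The following is an added example (not VMware's code) that builds the accessControlEntry body, validates the role against the list above, and sends the initial POST with isCli=true or the later PUT. It assumes HTTP basic authentication with the NSX Manager "admin" account on port 443, and that the NSX Manager certificate (or the CA that issued it) is available as a PEM bundle so TLS verification is kept on; the nsx_manager, admin_password and ca_bundle values are placeholders you supply.

```python
"""Assign or change the role of an NSX CLI user over the NSX Manager REST API.

Added example, not VMware's code. It wraps the two calls from this article:
  POST /api/2.0/services/usermgmt/role/<userId>?isCli=true  (initial assignment)
  PUT  /api/2.0/services/usermgmt/role/<userId>             (later change)
Assumptions: basic auth as "admin", port 443, a PEM CA bundle for TLS verification.
"""
import base64
import ssl
import urllib.request
from xml.etree import ElementTree as ET

# Roles listed in the article, keyed by the value the API expects.
NSX_ROLES = {
    "super_user": "System Administrator",
    "vshield_admin": "NSX Administrator",
    "enterprise_admin": "Enterprise Admin",
    "security_admin": "Security Administrator",
    "auditor": "Auditor",
}


def build_ace_xml(role: str, resource_id: str = "globalroot-0") -> bytes:
    """Build the <accessControlEntry> body; rejects roles the article does not list."""
    if role not in NSX_ROLES:
        raise ValueError(f"unknown NSX role {role!r}; expected one of {sorted(NSX_ROLES)}")
    ace = ET.Element("accessControlEntry")
    ET.SubElement(ace, "role").text = role
    resource = ET.SubElement(ace, "resource")
    ET.SubElement(resource, "resourceId").text = resource_id
    return ET.tostring(ace, encoding="utf-8")


def role_url(nsx_manager: str, user_id: str, initial: bool) -> str:
    """URL for the role endpoint; isCli=true only on the first (POST) assignment."""
    base = f"https://{nsx_manager}/api/2.0/services/usermgmt/role/{user_id}"
    return base + "?isCli=true" if initial else base


def assign_role(nsx_manager: str, admin_password: str, user_id: str, role: str,
                initial: bool, ca_bundle: str, resource_id: str = "globalroot-0"):
    """POST (initial=True, as auditor per step 3) or PUT (initial=False, step 5).

    Returns (HTTP status, response body). TLS is verified against ca_bundle so the
    admin credential is never sent to an unverified endpoint.
    """
    request = urllib.request.Request(
        role_url(nsx_manager, user_id, initial),
        data=build_ace_xml(role, resource_id),
        method="POST" if initial else "PUT",
    )
    token = base64.b64encode(f"admin:{admin_password}".encode()).decode()
    request.add_header("Authorization", f"Basic {token}")
    request.add_header("Content-Type", "application/xml")
    context = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(request, context=context, timeout=30) as response:
        return response.status, response.read().decode()


if __name__ == "__main__":
    # Placeholder values; replace with your NSX Manager address, password and CA bundle.
    MANAGER, PASSWORD, CA = "<NSX-Manager-IP-Address>", "<admin-password>", "nsx-ca.pem"
    # Step 3: first assignment must be auditor and must carry isCli=true.
    print(assign_role(MANAGER, PASSWORD, "api_username", "auditor", initial=True, ca_bundle=CA))
    # Step 5: later change to the role the API user actually needs.
    print(assign_role(MANAGER, PASSWORD, "api_username", "security_admin", initial=False, ca_bundle=CA))
```

Choose the least privileged role that the API user's task requires; the example defaults to auditor for the initial call, exactly as step 3 requires, and the role check prevents a typo from silently being rejected by NSX Manager with an unhelpful error.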

Language Editions

zh_cn,2151203