This is part 15 of 20+ blogs I am writing covering the exam prep guide for the VMware Certified Advanced Professional 6 – Network Virtualisation Deployment (3V0-643) VCAP6-NV certification.

At the time of writing there is no VCAP Design exam stream, thus you’re automatically granted the new VMware Certified Implementation Expert 6 – Network Virtualisation (VCIX6-NV) certification by successfully passing the VCAP6-NV Deploy exam.

Previous blogs in this series:

Part 1 – Intro
Part 2 – Objective 1.1
Part 3 – Objective 1.2
Part 4 – Objective 1.3
Part 5 – Objective 2.1
Part 6 – Objective 2.2
Part 7 – Objective 2.3
Part 8 – Objective 3.1
Part 9A – Objective 3.2 IPSec VPNs
Part 9B – Objective 3.2 SSL VPNs
Part 9C – Objective 3.2 L2 VPNs
Part 10 – Objective 3.3
Part 11 – Objective 4.1
Part 12 – Objective 4.2
Part 13 – Objective 5.1
Part 14 – Objective 5.2

This blogs covers:

Section 5 – Perform Operational Management of a VMware NSX Implementation
Objective 5.3 – Configure and Manage Role Based Access Control

Implement identity service support for Active Directory, NIS, and LDAP with Single Sign-On (SSO)
Manage User Rights:
- Assign roles to user accounts
- Change a user role
- Delete/disable/enable a user account

Role Based Access Control is a pretty universal mechanism for controlling access and restricting actions of users by adding user accounts to groups that have delegated permissions.

Microsoft Active Directory, as well as others can be consumed for directory lookup services.

Implement Identity Service support for Active Directory, NIS, and LDAP with Single Sign-On (SSO)

I looked at this heading for some time trying to ascertain what VMware are looking for here; still slightly confused.

If we are talking Identity Based Firewall or Service Composer Security Groups based on Active Directory users or groups then the NSX Manager must be joined to Active Directory.

If we are talking about user access to NSX Manager (management plane), the ability to log into NSX Manager with an Active Directory account this then focuses on the NSX Manager being configured to the vCenter Lookup Service. Therefore the Platform Services Controller (vSphere v6.0+) must be configured to consume that directory service.

We have already covered off both of these sections.

To join NSX Manager to Active Directory see blog post 11, under the section: Connect NSX Manager to an Active Directory Domain.

NSX Manager joined to Active Directory for Identity Based Firewall

To configure NSX Manager to consume vCenter Single Sign-On see blog post 2, under the section: Configure Single Sign-On.

*Remember from vSphere 6.0+ that the Lookup Service port is 443!

NSX Manager connected to the vCenter Lookup Service for SSO

We may also need to know how to configure vCenter Server identity sources to talk to a new directory service, so know how to do this.

Log into the Platform Services Controller (PSC), click on Configuration, then Identity Sources. Click on Add to Add New Identity Source.

Note: To get to the PSC, don’t forget to add ‘/psc‘ to the URL. i.e. https://psc01.lab.local/psc

Add the details for the Identity Source.

Like I mention above this stuff is covered in detail in blogs 2 & 11.

Manage User Rights

This part of the exam objective is about managing user rights and covers 3 things:

Assign Role to User Accounts
Change a User Role
Delete/Disable/Enable a User Account

To start with lets look at the different roles available inside NSX that users or groups can be added to.

Enterprise Administrator: God-mode. All NSX operations and security functions.
NSX Administrator: Limited God-mode, All NSX operations.
Security Administrator: Security functions only.
Auditor: Read only mode.

The Enterprise Administrator role and the NSX Administrator role can only be granted to vCenter users.

A user can only belong to one group.

You cannot add or remove an assigned role from a user, you can only change the assigned role of the user.