At the time of writing there is no VCAP Design exam stream, thus you’re automatically granted the new VMware Certified Implementation Expert 6 – Network Virtualisation (VCIX6-NV) certification by successfully passing the VCAP6-NV Deploy exam.
Previous blogs in this series:
Part 1 – Intro
Part 2 – Objective 1.1
Part 3 – Objective 1.2
Part 4 – Objective 1.3
Part 5 – Objective 2.1
Part 6 – Objective 2.2
Part 7 – Objective 2.3
Part 8 – Objective 3.1
Part 9A – Objective 3.2 IPSec VPNs
Part 9B – Objective 3.2 SSL VPNs
Part 9C – Objective 3.2 L2 VPNs
Part 10 – Objective 3.3
Part 11 – Objective 4.1
Part 12 – Objective 4.2
Part 13 – Objective 5.1
Part 14 – Objective 5.2
This blog covers:
Section 5 – Perform Operational Management of a VMware NSX Implementation
Objective 5.3 – Configure and Manage Role Based Access Control
- Implement identity service support for Active Directory, NIS, and LDAP with Single Sign-On (SSO)
- Manage User Rights:
- Assign roles to user accounts
- Change a user role
- Delete/disable/enable a user account
Role Based Access Control is a pretty universal mechanism for controlling access and restricting actions of users by adding user accounts to groups that have delegated permissions.
Microsoft Active Directory, as well as other directories, can be consumed for directory lookup services.
Implement Identity Service support for Active Directory, NIS, and LDAP with Single Sign-On (SSO)
I looked at this heading for some time trying to ascertain what VMware are looking for here; still slightly confused.
If we are talking Identity Based Firewall or Service Composer Security Groups based on Active Directory users or groups, then the NSX Manager must be joined to Active Directory.
If we are talking about user access to NSX Manager (the management plane), i.e. the ability to log into NSX Manager with an Active Directory account, then the focus is on NSX Manager being registered with the vCenter Lookup Service. Therefore the Platform Services Controller (vSphere 6.0+) must be configured to consume that directory service.
Both of these have already been covered earlier in this series.
To join NSX Manager to Active Directory see blog post 11, under the section: Connect NSX Manager to an Active Directory Domain.
To configure NSX Manager to consume vCenter Single Sign-On see blog post 2, under the section: Configure Single Sign-On.
*Remember from vSphere 6.0+ that the Lookup Service port is 443!
We may also need to know how to configure vCenter Server identity sources to talk to a new directory service, so make sure you know how to do this.
Log into the Platform Services Controller (PSC), click on Configuration, then Identity Sources. Click on Add to Add New Identity Source.
Note: To get to the PSC, don’t forget to add ‘/psc’ to the URL, i.e. https://psc01.lab.local/psc
Add the details for the Identity Source.
As mentioned above, this is covered in detail in blogs 2 & 11.
Manage User Rights
This part of the exam objective is about managing user rights and covers 3 things:
- Assign Role to User Accounts
- Change a User Role
- Delete/Disable/Enable a User Account
To start with, let’s look at the different roles available inside NSX that users or groups can be added to.
- Enterprise Administrator: God-mode. All NSX operations and security functions.
- NSX Administrator: Limited God-mode. All NSX operations.
- Security Administrator: Security functions only.
- Auditor: Read only mode.
The Enterprise Administrator role and the NSX Administrator role can only be granted to vCenter users.
A user can only belong to one group.
You cannot add or remove an assigned role from a user, you can only change the assigned role of the user.
Assign Role to User Account
Log into the vSphere Web Client.
Click Networking and Security.
Click NSX Managers on the left-hand-side.
Select the NSX Manager, click Manage, followed by Users.
When you click the green + sign it’s a 2 stage process: first you add/select the user or group, then you assign the role.
Click the green + sign. Select a vCenter Group…
OR a vCenter User.
Next, assign the role.
Change a User Role
Select a user, then Edit it.
Select the new role for the user.
All sessions running under the user account will be terminated.
Disable a User Account
Select a user, then click the Disable icon.
Enable a User Account
Select a disabled user, then click the Enable icon.
Delete a User Account
Select a user, then click the Delete icon.
Note: The user account is not deleted in vCenter, only NSX.
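As an added example (not from this post or from VMware), here are the same user-rights operations driven through the NSX Manager REST API instead of the Web Client. The endpoint paths, role identifiers and XML body are my reading of the NSX-v 6.x API guide and are treated as assumptions; nsxmgr01.lab.local and the user names are placeholders.

```python
import base64
import urllib.request
from typing import Optional
from urllib.parse import quote

# Role identifiers as the usermgmt REST API names the four roles listed above
# (assumption: taken from the NSX-v 6.x API guide, not from the post).
NSX_ROLES = {
    "Enterprise Administrator": "enterprise_admin",
    "NSX Administrator": "vshield_admin",
    "Security Administrator": "security_admin",
    "Auditor": "auditor",
}
USERMGMT = "/api/2.0/services/usermgmt"  # assumption: NSX-v 6.x API base path


def role_entry(role_id: Optional[str]) -> str:
    """XML body for a role assignment scoped to the whole NSX instance (globalroot-0)."""
    if role_id not in NSX_ROLES.values():
        raise ValueError(f"unknown NSX role: {role_id!r}")
    return (f"<accessControlEntry><role>{role_id}</role>"
            "<resource><resourceId>globalroot-0</resourceId></resource>"
            "</accessControlEntry>")


def role_request(action: str, user_id: str, role_id: Optional[str] = None,
                 is_group: bool = False):
    """Map assign/change/delete/enable/disable onto (method, path, body).

    A user holds exactly one role, so 'change' is a PUT on the existing
    assignment rather than a second POST; 'delete' only removes the NSX
    assignment, the vCenter account itself is untouched.
    """
    uid = quote(user_id, safe="")  # e.g. lab.local\jsmith -> lab.local%5Cjsmith
    flag = "true" if is_group else "false"
    if action == "assign":
        return "POST", f"{USERMGMT}/role/{uid}?isGroup={flag}", role_entry(role_id)
    if action == "change":
        return "PUT", f"{USERMGMT}/role/{uid}?isGroup={flag}", role_entry(role_id)
    if action == "delete":
        return "DELETE", f"{USERMGMT}/role/{uid}", None
    if action in ("enable", "disable"):
        state = 1 if action == "enable" else 0
        return "PUT", f"{USERMGMT}/user/{uid}/enablestate/{state}", None
    raise ValueError(f"unknown action: {action!r}")


def send(manager: str, auth: tuple, action: str, user_id: str, **kw) -> int:
    """Issue the request to https://<manager> with HTTP basic auth; returns the status code."""
    method, path, body = role_request(action, user_id, **kw)
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req = urllib.request.Request(f"https://{manager}{path}", method=method,
                                 data=body.encode() if body else None,
                                 headers={"Authorization": f"Basic {token}",
                                          "Content-Type": "application/xml"})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

A role change issued this way, like the Web Client edit, ends any sessions the account has open, so schedule it accordingly.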
Another quick lab objective without much content really, but I still learned a few things.