VCAP6-NV (3V0-643) Study Guide – Part 15. Role Based Access Control.

This is part 15 of 20+ blogs I am writing covering the exam prep guide for the VMware Certified Advanced Professional 6 – Network Virtualisation Deployment (3V0-643)  VCAP6-NV certification.

At the time of writing there is no VCAP Design exam stream, thus you’re automatically granted the new VMware Certified Implementation Expert 6 – Network Virtualisation (VCIX6-NV) certification by successfully passing the VCAP6-NV Deploy exam.

Previous blogs in this series:

Part 1 – Intro
Part 2 – Objective 1.1
Part 3 – Objective 1.2
Part 4 – Objective 1.3
Part 5 – Objective 2.1
Part 6 – Objective 2.2
Part 7 – Objective 2.3
Part 8 – Objective 3.1
Part 9A – Objective 3.2 IPSec VPNs
Part 9B – Objective 3.2 SSL VPNs
Part 9C – Objective 3.2 L2 VPNs
Part 10 – Objective 3.3
Part 11 – Objective 4.1
Part 12 – Objective 4.2
Part 13 – Objective 5.1
Part 14 – Objective 5.2

This blogs covers:

Section 5 – Perform Operational Management of a VMware NSX Implementation
Objective 5.3 – Configure and Manage Role Based Access Control

  • Implement identity service support for Active Directory, NIS, and LDAP with Single Sign-On (SSO)
  • Manage User Rights:
    • Assign roles to user accounts
    • Change a user role
    • Delete/disable/enable a user account


Role Based Access Control is a pretty universal mechanism for controlling access and restricting actions of users by adding user accounts to groups that have delegated permissions.

Microsoft Active Directory, as well as others can be consumed for directory lookup services.

Implement Identity Service support for Active Directory, NIS, and LDAP with Single Sign-On (SSO)

I looked at this heading for some time trying to ascertain what VMware are looking for here; still slightly confused.

If we are talking Identity Based Firewall or Service Composer Security Groups based on Active Directory users or groups then the NSX Manager must be joined to Active Directory.

If we are talking about user access to NSX Manager (management plane), the ability to log into NSX Manager with an Active Directory account this then focuses on the NSX Manager being configured to the vCenter Lookup Service. Therefore the Platform Services Controller (vSphere v6.0+) must be configured to consume that directory service.

We have already covered off both of these sections.

To join NSX Manager to Active Directory see blog post 11, under the section: Connect NSX Manager to an Active Directory Domain.


NSX Manager joined to Active Directory for Identity Based Firewall


To configure NSX Manager to consume vCenter Single Sign-On see blog post 2, under the section: Configure Single Sign-On.

*Remember from vSphere 6.0+ that the Lookup Service port is 443!


NSX Manager connected to the vCenter Lookup Service for SSO


We may also need to know how to configure vCenter Server identity sources to talk to a new directory service, so know how to do this.

Log into the Platform Services Controller (PSC), click on Configuration, then Identity Sources. Click on Add to Add New Identity Source.

Note: To get to the PSC, don’t forget to add ‘/psc‘ to the URL. i.e. https://psc01.lab.local/psc


Add the details for the Identity Source.


Like I mention above this stuff is covered in detail in blogs 2 & 11.


Manage User Rights

This part of the exam objective is about managing user rights and covers 3 things:

  • Assign Role to User Accounts
  • Change a User Role
  • Delete/Disable/Enable a User Account


To start with lets look at the different roles available inside NSX that users or groups can be added to.

  • Enterprise Administrator: God-mode. All NSX operations and security functions.
  • NSX Administrator: Limited God-mode, All NSX operations.
  • Security Administrator: Security functions only.
  • Auditor: Read only mode.

The Enterprise Administrator role and the NSX Administrator role can only be granted to vCenter users.

A user can only belong to one group.

You cannot add or remove an assigned role from a user, you can only change the assigned role of the user.

Assign Role to User Account

Log into the vSphere Web Client.

Click Networking and Security.

Click NSX Managers on the left-hand-side.


Select the NSX Manager, click Manage, followed by Users.


When you click the green + sign it’s a 2 stage process. First you add/select the user or group, secondly you assign the role.

Click the green + sign. Select a vCenter Group…


OR a vCenter User.


Next, assign the role.



Change a User Role

Select a user, then Edit it.

Select the new role for the user.


All sessions running under the user account will be terminated.



Disable a User Account


Select a user, then click  thedis  Disable icon.



Enable a User Account


Select a disabled user, then click  the enable Enable icon.



Delete a User Account

Select a user, then click the x Delete icon.


Note: The user account is not deleted in vCenter, only NSX.


Another quick lab objective with not much content really, but still learned a few things.

Blog 16 is going to cover Section 6, Objective 6.1: Configure Cross vCenter VMware NSX.

Follow me on Twitter or LinkedIn.

Be Social; Please Share.


  1. […] Next up in part 15 is Section 5, Objective 5.3 which covers Role Based Access Control (RBAC). Now a… […]



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: