How it works...

To access NSX, a user must be assigned both a vCenter role and an NSX role. Without rights to vCenter, the user cannot administer NSX, because the NSX plugin is accessed through the vCenter vSphere Web Client. The minimum vCenter role required is Read-only; this way, a user can be restricted to administering only NSX and not vSphere, and vice versa.

Users can be assigned to roles directly or via groups. The users can originate from the Single Sign-On (SSO) domain (for example, the vsphere.local domain), an NSX Manager CLI user account, or an external domain registered in SSO or PSC. VMware SSO supports the following identity services based on SAML tokens:

  • Microsoft Active Directory (AD)
  • Network information services (NIS)
  • Lightweight directory access protocol (LDAP)

To assign users from SSO domains, NSX Manager must be registered with SSO using an SSO administrator account, as covered in the previous recipe. Users are not created in NSX Manager; instead, NSX roles are mapped to existing users and user groups originating from the vCenter server and Active Directory.

Deleting a vCenter user from the NSX users menu does not delete the user account in the vCenter server or Active Directory; only the role assignment is deleted. A user can hold only one directly assigned role, but can end up with multiple roles when roles are assigned via groups.
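The two rules above (an NSX role is unusable without at least a Read-only vCenter role, and group assignments can stack several NSX roles on one user) are easy to audit once the assignments are exported. The following is an added example, not code from the book or from VMware: it models the role data as plain dictionaries (a constructed, hypothetical export format, not the NSX API) and reports principals whose effective access breaks either rule.

```python
from dataclasses import dataclass

# Constructed sample data for this example (role names are illustrative).
# nsx_assignments: principal -> NSX role. A user has at most one direct role;
# a group's role flows to every member, so a user may end up with several.
USERS = ["alice@vsphere.local", "bob@corp.example",
         "carol@corp.example", "dave@corp.example"]
NSX_ASSIGNMENTS = {
    "alice@vsphere.local": "enterprise_admin",
    "bob@corp.example": "auditor",
    "dave@corp.example": "auditor",
    "nsx-ops@corp.example": "security_admin",   # a group
}
GROUP_MEMBERS = {"nsx-ops@corp.example": ["bob@corp.example", "carol@corp.example"]}
# vcenter_permissions: principal -> vCenter role (Read-only is the minimum).
VCENTER_PERMISSIONS = {"alice@vsphere.local": "Administrator",
                       "nsx-ops@corp.example": "Read-only"}


@dataclass(frozen=True)
class Finding:
    principal: str
    nsx_roles: tuple
    problem: str


def groups_of(user, group_members):
    return [g for g, members in group_members.items() if user in members]


def effective_nsx_roles(user, nsx_assignments, group_members):
    """Direct NSX role plus any roles inherited through group membership."""
    roles = {nsx_assignments[p] for p in [user] + groups_of(user, group_members)
             if p in nsx_assignments}
    return tuple(sorted(roles))


def audit(users, nsx_assignments, group_members, vcenter_permissions):
    findings = []
    for user in users:
        roles = effective_nsx_roles(user, nsx_assignments, group_members)
        if not roles:
            continue  # no NSX access at all: nothing to check
        # vCenter rights may come directly or via a group with a vCenter role.
        has_vcenter = any(p in vcenter_permissions
                          for p in [user] + groups_of(user, group_members))
        if not has_vcenter:
            findings.append(Finding(user, roles, "NSX role but no vCenter role"))
        if len(roles) > 1:
            findings.append(Finding(user, roles, "multiple NSX roles via groups"))
    return findings


def run_sample():
    return audit(USERS, NSX_ASSIGNMENTS, GROUP_MEMBERS, VCENTER_PERMISSIONS)
```

On the sample data, bob is flagged for holding both auditor and security_admin through the group, and dave for an NSX role with no vCenter role; alice and carol pass.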
