Hey all – been too long! Busy as usual, but wanted to make a quick post. I have been testing NSX-T extensively and have built several nested labs in order to do so. However, I like to build out the solution as I would in a production environment which means creating an Active Directory authenticated service account for NSX-T functions. Since I have been rolling this lab around a lot I figured I’d create the role for the user via PowerCLI rather than churn through the UI for the privileges.
The required privileges per the NSX-T 2.4 Installation Guide are:
Extension.Register extension
Extension.Unregister extension
Extension.Update extension
Sessions.Message
Sessions.Validate session
Sessions.View and stop sessions
Host.Configuration.Maintenance
Host.Local Operations.Create virtual machine
Host.Local Operations.Delete virtual machine
Host.Local Operations.Reconfigure virtual machine
Tasks
Scheduled task
Global.Cancel task
Permissions.Reassign role permissions
Resource.Assign vApp to resource pool
Resource.Assign virtual machine to resource pool
Virtual Machine.Configuration
Virtual Machine.Guest Operations
Virtual Machine.Provisioning
Virtual Machine.Inventory
Network.Assign network
vApp
The guide lists the privileges by their UI display names, which is handy for reference, but those names are not the actual privilege IDs that PowerCLI expects. I’ve done the legwork, mapped each one to its real ID, and rolled them into a dirty one-liner:
New-VIRole -Name "NSX-T Test Role 2" -Privilege (Get-VIPrivilege -Id Extension.Register,Extension.Unregister,Extension.Update,Sessions.GlobalMessage,Sessions.ValidateSession,Sessions.TerminateSession,Host.Config.Maintenance,Host.Local.CreateVM,Host.Local.DeleteVM,Host.Local.ReconfigVM,Task,Task.Create,Task.Update,ScheduledTask,ScheduledTask.Create,ScheduledTask.Delete,ScheduledTask.Edit,ScheduledTask.Run,Global.CancelTask,Authorization.ReassignRolePermissions,Resource.AssignVAppToPool,Resource.AssignVMToPool,VirtualMachine.Config,VirtualMachine.GuestOperations,VirtualMachine.Provisioning,VirtualMachine.Inventory,Network.Assign,vApp)
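The same role creation as a slightly more defensive script, added here as an example rather than taken from the post: it resolves every privilege ID against the connected vCenter first, so a mistyped ID fails loudly instead of quietly producing a role with a privilege missing, then creates the role idempotently and binds the AD service account to it at the vCenter root. The vCenter FQDN, the role name and the account `LAB\svc-nsxt` are placeholder assumptions.

```powershell
# Added example, not the post's own one-liner. Placeholders: vCenter FQDN,
# role name and AD service account. Run as an account that can manage roles.
Import-Module VMware.PowerCLI

$vCenter    = 'vcsa.lab.example'       # placeholder
$roleName   = 'NSX-T Service Role'     # placeholder
$svcAccount = 'LAB\svc-nsxt'           # placeholder AD service account

# Privilege IDs matching the NSX-T 2.4 Installation Guide list. Entries such as
# VirtualMachine.Config and vApp are privilege groups; the rest are single items.
$privilegeIds = @(
    'Extension.Register', 'Extension.Unregister', 'Extension.Update',
    'Sessions.GlobalMessage', 'Sessions.ValidateSession', 'Sessions.TerminateSession',
    'Host.Config.Maintenance',
    'Host.Local.CreateVM', 'Host.Local.DeleteVM', 'Host.Local.ReconfigVM',
    'Task.Create', 'Task.Update',
    'ScheduledTask.Create', 'ScheduledTask.Delete', 'ScheduledTask.Edit', 'ScheduledTask.Run',
    'Global.CancelTask', 'Authorization.ReassignRolePermissions',
    'Resource.AssignVAppToPool', 'Resource.AssignVMToPool',
    'VirtualMachine.Config', 'VirtualMachine.GuestOperations',
    'VirtualMachine.Provisioning', 'VirtualMachine.Inventory',
    'Network.Assign', 'vApp'
)

$vc = Connect-VIServer -Server $vCenter   # prompts for credentials

# Resolve every ID against what this vCenter actually exposes, groups and items
# alike, so a typo fails here instead of yielding a role short of a privilege.
$known    = @(Get-VIPrivilege -Server $vc -Group) + @(Get-VIPrivilege -Server $vc -PrivilegeItem)
$resolved = $known | Where-Object { $privilegeIds -contains $_.Id }
$missing  = $privilegeIds | Where-Object { $resolved.Id -notcontains $_ }
if ($missing) { throw "Unknown privilege IDs on $($vCenter): $($missing -join ', ')" }

# Create the role only if it does not already exist, so re-runs are harmless.
$role = Get-VIRole -Server $vc -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) { $role = New-VIRole -Server $vc -Name $roleName -Privilege $resolved }

# Bind the service account to the role at the vCenter root with propagation;
# the role itself carries nothing beyond the list above.
$root = Get-Folder -Server $vc -NoRecursion
New-VIPermission -Server $vc -Entity $root -Principal $svcAccount -Role $role -Propagate:$true

# Quick audit of what the role holds after the groups have been expanded.
"$roleName now carries $($role.PrivilegeList.Count) privilege items"
Disconnect-VIServer -Server $vc -Confirm:$false
```

Diff the printed privilege list against the guide whenever you upgrade NSX-T or vCenter, since the required set changes between releases.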