Azure VMware Solution identity concepts

Azure VMware Solution private clouds are provisioned with a vCenter Server and NSX-T Manager. You'll use vCenter to manage virtual machine (VM) workloads and NSX-T Manager to manage and extend the private cloud. The CloudAdmin role is used for vCenter Server and the CloudAdmin role (with restricted permissions) is used for NSX-T Manager.

vCenter Server access and identity

In Azure VMware Solution, vCenter Server has a built-in local user called cloudadmin assigned to the CloudAdmin role. You can configure users and groups in Active Directory (AD) with the CloudAdmin role for your private cloud. In general, the CloudAdmin role creates and manages workloads in your private cloud. But in Azure VMware Solution, the CloudAdmin role has vCenter Server privileges that differ from other VMware cloud solutions and on-premises deployments.

Important

The local cloudadmin user should be treated as an emergency access account for "break glass" scenarios in your private cloud. It's not for daily administrative activities or integration with other services.

  • In a vCenter Server and ESXi on-premises deployment, the administrator has access to the vCenter Server administrator@vsphere.local account and the ESXi root account. They can also have more AD users and groups assigned.

  • In an Azure VMware Solution deployment, the administrator doesn't have access to the administrator user account or the ESXi root account. They can, however, assign AD users and groups to the CloudAdmin role in vCenter Server. The CloudAdmin role doesn't have permissions to add an identity source like on-premises LDAP or LDAPS server to vCenter Server. However, you can use Run commands to add an identity source and assign cloudadmin role to users and groups.

The private cloud user doesn't have access to and can't configure specific management components Microsoft supports and manages. For example, clusters, hosts, datastores, and distributed virtual switches.

Note

In Azure VMware Solution, the vsphere.local SSO domain is provided as a managed resource to support platform operations. It doesn't support the creation and management of local groups and users except for those provided by default with your private cloud.

Important

Azure VMware Solution offers custom roles on vCenter Server but currently doesn't offer them on the Azure VMware Solution portal. For more information, see the Create custom roles on vCenter Server section later in this article.

View the vCenter Server privileges

You can view the privileges granted to the Azure VMware Solution CloudAdmin role on your Azure VMware Solution private cloud vCenter Server.

  1. Sign into the vSphere Client and go to Menu > Administration.

  2. Under Access Control, select Roles.

  3. From the list of roles, select CloudAdmin and then select Privileges.

    Screenshot shows the roles and privileges for CloudAdmin in the vSphere Client.

The CloudAdmin role in Azure VMware Solution has the following privileges on vCenter Server. For more information, see the VMware product documentation.

Privilege Description
Alarms Acknowledge alarm
Create alarm
Disable alarm action
Modify alarm
Remove alarm
Set alarm status
Content Library Add library item
Add root certificate to trust store
Check in a template
Check out a template
Create a subscription for a published library
Create local library
Create or delete a Harbor registry
Create subscribed library
Create, delete or purge a Harbor registry project
Delete library item
Delete local library
Delete root certificate from trust store
Delete subscribed library
Delete subscription of a published library
Download files
Evict library items
Evict subscribed library
Import storage
Manage Harbor registry resources on specified compute resource
Probe subscription information
Publish a library item to its subscribers
Publish a library to its subscribers
Read storage
Sync library item
Sync subscribed library
Type introspection
Update configuration settings
Update files
Update library
Update library item
Update local library
Update subscribed library
Update subscription of a published library
View configuration settings
Cryptographic operations Direct access
Datastore Allocate space
Browse datastore
Configure datastore
Low-level file operations
Remove files
Update virtual machine metadata
Folder Create folder
Delete folder
Move folder
Rename folder
Global Cancel task
Global tag
Health
Log event
Manage custom attributes
Service managers
Set custom attribute
System tag
Host vSphere Replication
    Manage replication
Network Assign network
Permissions Modify permissions
Modify role
Profile Driven Storage Profile driven storage view
Resource Apply recommendation
Assign vApp to resource pool
Assign virtual machine to resource pool
Create resource pool
Migrate powered off virtual machine
Migrate powered on virtual machine
Modify resource pool
Move resource pool
Query vMotion
Remove resource pool
Rename resource pool
Scheduled task Create task
Modify task
Remove task
Run task
Sessions Message
Validate session
Storage view View
vApp Add virtual machine
Assign resource pool
Assign vApp
Clone
Create
Delete
Export
Import
Move
Power off
Power on
Rename
Suspend
Unregister
View OVF environment
vApp application configuration
vApp instance configuration
vApp managedBy configuration
vApp resource configuration
Virtual machine Change Configuration
    Acquire disk lease
    Add existing disk
    Add new disk
    Add or remove device
    Advanced configuration
    Change CPU count
    Change memory
    Change settings
    Change swapfile placement
    Change resource
    Configure host USB device
    Configure raw device
    Configure managedBy
    Display connection settings
    Extend virtual disk
    Modify device settings
    Query fault tolerance compatibility
    Query unowned files
    Reload from paths
    Remove disk
    Rename
    Reset guest information
    Set annotation
    Toggle disk change tracking
    Toggle fork parent
    Upgrade virtual machine compatibility
Edit inventory
    Create from existing
    Create new
    Move
    Register
    Remove
    Unregister
Guest operations
    Guest operation alias modification
    Guest operation alias query
    Guest operation modifications
    Guest operation program execution
    Guest operation queries
Interaction
    Answer question
    Back up operation on virtual machine
    Configure CD media
    Configure floppy media
    Connect devices
    Console interaction
    Create screenshot
    Defragment all disks
    Drag and drop
    Guest operating system management by VIX API
    Inject USB HID scan codes
    Install VMware tools
    Pause or Unpause
    Wipe or shrink operations
    Power off
    Power on
    Record session on virtual machine
    Replay session on virtual machine
    Reset
    Resume Fault Tolerance
    Suspend
    Suspend fault tolerance
    Test failover
    Test restart secondary VM
    Turn off fault tolerance
    Turn on fault tolerance
Provisioning
    Allow disk access
    Allow file access
    Allow read-only disk access
    Allow virtual machine download
    Clone template
    Clone virtual machine
    Create template from virtual machine
    Customize guest
    Deploy template
    Mark as template
    Modify customization specification
    Promote disks
    Read customization specifications
Service configuration
    Allow notifications
    Allow polling of global event notifications
    Manage service configuration
    Modify service configuration
    Query service configurations
    Read service configuration
Snapshot management
    Create snapshot
    Remove snapshot
    Rename snapshot
    Revert snapshot
vSphere Replication
    Configure replication
    Manage replication
    Monitor replication
vService Create dependency
Destroy dependency
Reconfigure dependency configuration
Update dependency
vSphere tagging Assign and unassign vSphere tag
Create vSphere tag
Create vSphere tag category
Delete vSphere tag
Delete vSphere tag category
Edit vSphere tag
Edit vSphere tag category
Modify UsedBy field for category
Modify UsedBy field for tag

Create custom roles on vCenter Server

Azure VMware Solution supports the use of custom roles with equal or lesser privileges than the CloudAdmin role. You'll use the CloudAdmin role to create, modify, or delete custom roles with privileges lesser than or equal to their current role.

Note

You can create roles with privileges greater than CloudAdmin. However, you can't assign the role to any users or groups or delete the role. Roles that have privileges greater than that of CloudAdmin is unsupported.

To prevent creating roles that can't be assigned or deleted, clone the CloudAdmin role as the basis for creating new custom roles.

Create a custom role

  1. Sign in to vCenter Server with cloudadmin@vsphere.local or a user with the CloudAdmin role.

  2. Navigate to the Roles configuration section and select Menu > Administration > Access Control > Roles.

  3. Select the CloudAdmin role and select the Clone role action icon.

    Note

    Don't clone the Administrator role because you can't use it. Also, the custom role created can't be deleted by cloudadmin@vsphere.local.

  4. Provide the name you want for the cloned role.

  5. Remove privileges for the role and select OK. The cloned role is visible in the Roles list.

Apply a custom role

  1. Navigate to the object that requires the added permission. For example, to apply permission to a folder, navigate to Menu > VMs and Templates > Folder Name.

  2. Right-click the object and select Add Permission.

  3. Select the Identity Source in the User drop-down where the group or user can be found.

  4. Search for the user or group after selecting the Identity Source under the User section.

  5. Select the role that you want to apply to the user or group.

    Note

    Attempting to apply a user or group to a role that has privileges greater than that of CloudAdmin will result in errors.

  6. Check the Propagate to children if needed, and select OK. The added permission displays in the Permissions section.

NSX-T Manager access and identity

When a private cloud is provisioned using Azure portal, software-defined data center (SDDC) management components like vCenter Server and NSX-T Manager are provisioned for customers.

Microsoft is responsible for the lifecycle management of NSX-T appliances like NSX-T Managers and NSX-T Data Center Edges. They're responsible for bootstrapping network configuration, like creating the Tier-0 gateway.

You're responsible for NSX-T Data Center software-defined networking (SDN) configuration, for example:

  • Network segments
  • Other Tier-1 gateways
  • Distributed firewall rules
  • Stateful services like gateway firewall
  • Load balancer on Tier-1 gateways

You can access NSX-T Manager using the built-in local user "cloudadmin" assigned to a custom role that gives limited privileges to a user to manage NSX-T Data Center. While Microsoft manages the lifecycle of NSX-T Data Center, certain operations aren't allowed by a user. Operations not allowed include editing the configuration of host and edge transport nodes or starting an upgrade. For new users, Azure VMware Solution deploys them with a specific set of permissions needed by that user. The purpose is to provide a clear separation of control between the Azure VMware Solution control plane configuration and Azure VMware Solution private cloud user.

For new private cloud deployments, NSX-T Data Center access will be provided with a built-in local user cloudadmin assigned to the cloudadmin role with a specific set of permissions to use NSX-T Data Center functionality for workloads.

NSX-T Data Center cloudadmin user permissions

The following permissions are assigned to the cloudadmin user in Azure VMware Solution NSX-T Data Center.

Note

NSX-T Data Center cloudadmin user on Azure VMware Solution is not the same as the cloudadmin user mentioned in the VMware product documentation.

Category Type Operation Permission
Networking Connectivity Tier-0 Gateways
Tier-1 Gateways
Segments
Read-only
Full Access
Full Access
Networking Network Services VPN
NAT
Load Balancing
Forwarding Policy
Statistics
Full Access
Full Access
Full Access
Read-only
Full Access
Networking IP Management DNS
DHCP
IP Address Pools
Full Access
Full Access
Full Access
Networking Profiles Full Access
Security East West Security Distributed Firewall
Distributed IDS and IPS
Identity Firewall
Full Access
Full Access
Full Access
Security North South Security Gateway Firewall
URL Analysis
Full Access
Full Access
Security Network Introspection Read-only
Security Endpoint Protection Read-only
Security Settings Full Access
Inventory Full Access
Troubleshooting IPFIX Full Access
Troubleshooting Port Mirroring Full Access
Troubleshooting Traceflow Full Access
System Configuration
Settings
Settings
Settings
Identity firewall
Users and Roles
Certificate Management (Service Certificate only)
User Interface Settings
Full Access
Full Access
Full Access
Full Access
System All other Read-only

You can view the permissions granted to the Azure VMware Solution cloudadmin role on your Azure VMware Solution private cloud NSX-T Data Center.

  1. Log in to the NSX-T Manager.
  2. Navigate to Systems and locate Users and Roles.
  3. Select and expand the cloudadmin role, found under Roles.
  4. Select a category like, Networking or Security, to view the specific permissions.

Note

Private clouds created before June 2022 will switch from admin role to cloudadmin role. You'll receive a notification through Azure Service Health that includes the timeline of this change so you can change the NSX-T Data Center credentials you've used for other integration.

NSX-T Data Center LDAP integration for role based access control (RBAC)

In an Azure VMware Solution deployment, the NSX-T Data Center can be integrated with external LDAP directory service to add remote directory users or group, and assign them an NSX-T Data Center RBAC role, like on-premises deployment. For more information on how to enable NSX-T Data Center LDAP integration, see the VMware product documentation.

Unlike on-premises deployment, not all pre-defined NSX-T Data Center RBAC roles are supported with Azure VMware solution to keep Azure VMware Solution IaaS control plane config management separate from tenant network and security configuration. Please see the next section, Supported NSX-T Data Center RBAC roles, for more details.

Note

NSX-T LDAP Integration supported only with SDDC’s with NSX-T Data Center “cloudadmin” user.

Supported and unsupported NSX-T Data Center RBAC roles

In an Azure VMware Solution deployment, the following NSX-T Data Center predefined RBAC roles are supported with LDAP integration:

  • Auditor
  • Cloudadmin
  • LB Admin
  • LB Operator
  • VPN Admin
  • Network Operator

In an Azure VMware Solution deployment, the following NSX-T Data Center predefined RBAC roles are not supported with LDAP integration:

  • Enterprise Admin
  • Network Admin
  • Security Admin
  • Netx Partner Admin
  • GI Partner Admin

You can create custom roles in NSX-T Data Center with permissions lesser than or equal to CloudAdmin role created by Microsoft. Following are examples on how to create a supported "Network Admin" and "Security Admin" role.

Note

Custom role creation will fail if you assign a permission not allowed by CloudAdmin role.

Create “AVS network admin” role

Use the following steps to create this custom role.

  1. Navigate to System > Users and Roles > Roles.

  2. Clone Network Admin and provide the name, AVS Network Admin.

  3. Modify the following permissions to "Read Only" or "None" as seen in the Permission column in the following table.

    Category Subcategory Feature Permission
    Networking


    Connectivity

    Network Services
    Tier-0 Gateways
    Tier-0 Gateways > OSPF
    Forwarding Policy
    Read-only
    None
    None
  4. Apply the changes and Save the Role.

Create “AVS security admin” role

Use the following steps to create this custom role.

  1. Navigate to System > Users and Roles > Roles.

  2. Clone Security Admin and provide the name, “AVS Security Admin”.

  3. Modify the following permissions to "Read Only" or "None" as seen in the Permission column in the following table.

Category Subcategory Feature Permission
Networking Network Services Forwarding Policy None
Security


Network Introspection
Endpoint Protection
Settings


Service profiles
None
None
None
  1. Apply the changes and Save the Role.

Note

The NSX-T Data Center System > Identity Firewall AD configuration option isn't supported by the NSX custom role. The recommendation is to assign the Security Operator role to the user with the custom role to allow managing the Identity Firewall (IDFW) feature for that user.

Note

The NSX-T Data Center Traceflow feature isn't supported by NSX-T Data Center custom role. The recommendation is to assign the Auditor role to the user along with above custom role to enable Traceflow feature for that user.

Next steps

Now that you've covered Azure VMware Solution access and identity concepts, you may want to learn about: