Users & Groups is for Administrators to define users, login banners, local groups, group membership, authorizations and LDAP/Active Directory connections / group mappings.
Minimum Release: 1.0 Application: N/A License: Enterprise Privilege level: Enterprise Admin
To view user settings, navigate to Admin > Users and Groups.
Local users and group memberships are managed under this section along with password changes, account status, last login timestamp and user tools.
User Lookup – search for a user and view their effective permissions. Effective permissions is a calculation performed based upon a user who may belong to multiple groups.
The sample below shows the per-user rights as calculated by ReSTNSX.
Audit – perform a real-time permissions audit to view a summary of the effective permissions per user and per function (Network Virtualization, Security, Compute, Tools, Reporting and Workflows) of the application. This data can be exported to CSV format.
The user group section displays the system and custom defined groups. To review the permissions for a given group, click the search or edit icon. Below is an example group – Network Engineer – showing a user of this groups view, create, edit, delete, NSX Mover (Copy b/w Managers), allow launch (workflows) and Authorization required (see workflow authorizations).
Beginning in ReSTNSX version 3.3, Administrators can now define policies based upon specific objects; specific data sources (NSX Managers) and name patterns.
Previously, group permissions were limited to all objects of that same type. For example, Group1 can edit IP Sets. This applied to all IP Sets across all data sources. Custom permissions allows administrators to lock down a group to a specific data source or object. In the following example, the administrator defined two sample policies.
- Edit rights to any IP Set that begins with the characters “Customer1” on any NSX Manager
- Edit rights to a specific IP Set with a specific name (object ID) of “1111” on NSX Manager 172.16.100.232
Work Authorizations provide a three tier request – approval – implementation process. For further information on this topic, see the Work Authorization Feature Guide.
ReSTNSX supports local and AD/LDAP-based users and groups. Multiple servers (via ldap or ldaps) are supported. Below is an example of a mapping between AD group Administrator to local ReSTNSX group Authgroup2.
In the setup or edit screen, users can test a user permission against the configured LDAP host. The results will show a success or fail of being able to read the user from the directory with a list of the first 1,000 groups discovered and the group membership of the user. User Groups can be copied and used in the Group-Role Mappings tab.
Once configured and validated with a successful test authentication, directory-based logins are now possible and the domain drop-down will be displayed on the login page.
A ReSTNSX login banner requires a user to confirm, by selecting the confirmation checkbox, that they have read the terms defined by the Administrator. These terms are applied to every user’s login.