articles/azure-vmware/concepts-identity.md
Lines changed: 24 additions & 24 deletions
@@ -3,8 +3,8 @@ title: Concepts - Identity and access
3
3
description: Learn about the identity and access concepts of Azure VMware Solution
4
4
ms.topic: conceptual
5
5
ms.service: azure-vmware
6
-
ms.date: 07/21/2022
7
-
ms.custom: references_regions
6
+
ms.date: 11/18/2022
7
+
ms.custom: "references_regions, engagement-fy23"
8
8
---
9
9
10
10
# Azure VMware Solution identity concepts
@@ -53,9 +53,9 @@ The CloudAdmin role in Azure VMware Solution has the following privileges on vCe
53
53
54
54
### Create custom roles on vCenter Server
55
55
56
-
Azure VMware Solution supports the use of custom roles with equal or lesser privileges than the CloudAdmin role. You'll use the CloudAdmin role to create, modify, or delete custom roles with privileges lesser than or equal to their current role.
56
+
Azure VMware Solution supports the use of custom roles with equal or lesser privileges than the CloudAdmin role. You'll use the CloudAdmin role to create, modify, or delete custom roles with privileges less than or equal to their current role.
57
57
58
-
>[!NOTE]
58
+
>[!NOTE]
59
59
>You can create roles with privileges greater than CloudAdmin. However, you can't assign the role to any users or groups or delete the role. Roles that have privileges greater than that of CloudAdmin is unsupported.
60
60
61
61
To prevent creating roles that can't be assigned or deleted, clone the CloudAdmin role as the basis for creating new custom roles.
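Review bot: the note marker on the changed line is still `>[!NOTE]` (no space), while the later hunks in this same file use `> [!NOTE]`; since the line is being touched anyway, normalise it to `> [!NOTE]`. The unchanged context line after it reads "Roles that have privileges greater than that of CloudAdmin is unsupported", which should be "are unsupported"; worth fixing in the same pass, since that sentence states the privilege ceiling for custom roles.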
@@ -90,31 +90,30 @@ To prevent creating roles that can't be assigned or deleted, clone the CloudAdmi
90
90
91
91
1. Check the **Propagate to children** if needed, and select **OK**. The added permission displays in the **Permissions** section.
92
92
93
+
## VMware NSX-T Data Center NSX-T Manager access and identity
93
94
94
-
## NSX-T Manager access and identity
95
-
96
-
When a private cloud is provisioned using Azure portal, software-defined data center (SDDC) management components like vCenter Server and NSX-T Manager are provisioned for customers.
95
+
When a private cloud is provisioned using Azure portal, software-defined data center (SDDC) management components like vCenter Server and VMware NSX-T Data Center NSX-T Manager are provisioned for customers.
97
96
98
-
Microsoft is responsible for the lifecycle management of NSX-T appliances likeNSX-T Managers and NSX-T Data Center Edges. They're responsible for bootstrapping network configuration, like creating the Tier-0 gateway.
97
+
Microsoft is responsible for the lifecycle management of NSX-T appliances like, VMware NSX-T Data Center NSX-T Manager and VMware NSX-T Data Center Microsoft Edge appliances. They're responsible for bootstrapping network configuration, like creating the Tier-0 gateway.
99
98
100
-
You're responsible for NSX-T Data Center software-defined networking (SDN) configuration, for example:
99
+
You're responsible for VMware NSX-T Data Center software-defined networking (SDN) configuration, for example:
101
100
102
101
- Network segments
103
102
- Other Tier-1 gateways
104
103
- Distributed firewall rules
105
104
- Stateful services like gateway firewall
106
105
- Load balancer on Tier-1 gateways
107
106
108
-
You can access NSX-T Manager using the built-in local user "cloudadmin" assigned to a custom role that gives limited privileges to a user to manage NSX-T Data Center. While Microsoft manages the lifecycle of NSX-T Data Center, certain operations aren't allowed by a user. Operations not allowed include editing the configuration of host and edge transport nodes or starting an upgrade. For new users, Azure VMware Solution deploys them with a specific set of permissions needed by that user. The purpose is to provide a clear separation of control between the Azure VMware Solution control plane configuration and Azure VMware Solution private cloud user.
107
+
You can access VMware NSX-T Data Center NSX-T Manager using the built-in local user "cloudadmin" assigned to a custom role that gives limited privileges to a user to manage VMware NSX-T Data Center. While Microsoft manages the lifecycle of VMware NSX-T Data Center, certain operations aren't allowed by a user. Operations not allowed include editing the configuration of host and edge transport nodes or starting an upgrade. For new users, Azure VMware Solution deploys them with a specific set of permissions needed by that user. The purpose is to provide a clear separation of control between the Azure VMware Solution control plane configuration and Azure VMware Solution private cloud user.
109
108
110
-
For new private cloud deployments, NSX-T Data Center access will be provided with a built-in local user cloudadmin assigned to the **cloudadmin** role with a specific set of permissions to use NSX-T Data Center functionality for workloads.
109
+
For new private cloud deployments, VMware NSX-T Data Center access will be provided with a built-in local user cloudadmin assigned to the **cloudadmin** role with a specific set of permissions to use VMware NSX-T Data Center functionality for workloads.
111
110
112
-
### NSX-T Data Center cloudadmin user permissions
111
+
### VMware NSX-T Data Center cloudadmin user permissions
113
112
114
113
The following permissions are assigned to the **cloudadmin** user in Azure VMware Solution NSX-T Data Center.
115
114
116
115
> [!NOTE]
117
-
> **NSX-T Data Center cloudadmin user** on Azure VMware Solution is not the same as the **cloudadmin user** mentioned in the VMware product documentation.
116
+
> **VMware NSX-T Data Center cloudadmin user** on Azure VMware Solution is not the same as the **cloudadmin user** mentioned in the VMware product documentation.
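Review bot: the rewritten lifecycle sentence now says "VMware NSX-T Data Center Microsoft Edge appliances", which turns the NSX-T Edge nodes of the original wording ("NSX-T Data Center Edges") into a reference to the Microsoft Edge browser; it should read "VMware NSX-T Data Center Edge appliances". The same line has a stray comma in "appliances like, VMware". The new heading "VMware NSX-T Data Center NSX-T Manager access and identity" repeats "NSX-T" twice, and that doubled product name recurs in most of the rewritten lines below it; "VMware NSX-T Manager" is shorter and unambiguous.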
@@ -134,7 +133,7 @@ The following permissions are assigned to the **cloudadmin** user in Azure VMwar
134
133
| System | Configuration<br>Settings<br>Settings<br>Settings | Identity firewall<br>Users and Roles<br>Certificate Management (Service Certificate only)<br>User Interface Settings | Full Access<br>Full Access<br>Full Access<br>Full Access |
135
134
| System | All other || Read-only |
136
135
137
-
You can view the permissions granted to the Azure VMware Solution cloudadmin role on your Azure VMware Solution private cloud NSX-T Data Center.
136
+
You can view the permissions granted to the Azure VMware Solution cloudadmin role on your Azure VMware Solution private cloud VMware NSX-T Data Center.
138
137
139
138
1. Log in to the NSX-T Manager.
140
139
1. Navigate to **Systems** and locate **Users and Roles**.
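Review bot: the product rename is applied to the changed prose line but not to the unchanged step that follows ("Log in to the NSX-T Manager."), so the section now mixes both names; apply one form throughout the procedure or leave this line out of the rename.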
@@ -144,18 +143,18 @@ You can view the permissions granted to the Azure VMware Solution cloudadmin rol
144
143
> [!NOTE]
145
144
> **Private clouds created before June 2022** will switch from **admin** role to **cloudadmin** role. You'll receive a notification through Azure Service Health that includes the timeline of this change so you can change the NSX-T Data Center credentials you've used for other integration.
146
145
147
-
## NSX-T Data Center LDAP integration for rolebased access control (RBAC)
146
+
## NSX-T Data Center LDAP integration for role-based access control (RBAC)
148
147
149
-
In an Azure VMware Solution deployment, the NSX-T Data Center can be integrated with external LDAP directory service to add remote directory users or group, and assign them an NSX-T Data Center RBAC role, like on-premises deployment. For more information on how to enable NSX-T Data Center LDAP integration, see the [VMware product documentation](https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-DB5A44F1-6E1D-4E5C-8B50-D6161FFA5BD2.html).
148
+
In an Azure VMware Solution deployment, the VMware NSX-T Data Center can be integrated with external LDAP directory service to add remote directory users or group, and assign them a VMware NSX-T Data Center RBAC role, like on-premises deployment. For more information on how to enable VMware NSX-T Data Center LDAP integration, see the [VMware product documentation](https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-DB5A44F1-6E1D-4E5C-8B50-D6161FFA5BD2.html).
150
149
151
-
Unlike on-premises deployment, not all pre-defined NSX-T Data Center RBAC roles are supported with Azure VMware solution to keep Azure VMware Solution IaaS control plane config management separate from tenant network and security configuration. Please see the next section, Supported NSX-T Data Center RBAC roles, for more details.
150
+
Unlike on-premises deployment, not all pre-defined NSX-T Data Center RBAC roles are supported with Azure VMware solution to keep Azure VMware Solution IaaS control plane config management separate from tenant network and security configuration. See the next section, Supported NSX-T Data Center RBAC roles, for more details.
152
151
153
152
> [!NOTE]
154
-
> NSX-T LDAP Integration supported only with SDDC’s with NSX-T Data Center “cloudadmin” user.
153
+
> VMware NSX-T Data Center LDAP Integration is supported only with SDDC’s with VMware NSX-T Data Center “cloudadmin” user.
155
154
156
155
### Supported and unsupported NSX-T Data Center RBAC roles
157
156
158
-
In an Azure VMware Solution deployment, the following NSX-T Data Center predefined RBAC roles are supported with LDAP integration:
157
+
In an Azure VMware Solution deployment, the following VMware NSX-T Data Center predefined RBAC roles are supported with LDAP integration:
159
158
160
159
- Auditor
161
160
- Cloudadmin
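Review bot: the rewritten note still pluralises with an apostrophe ("SDDC’s") and is missing an article; suggest "is supported only with SDDCs that use the VMware NSX-T Data Center "cloudadmin" user". In the LDAP paragraph above it, "external LDAP directory service" and "users or group" also need "an external LDAP directory service" and "users or groups". The documentation link stays pinned to the NSX-T 3.1 administration guide; confirm that is still the intended version before merging.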
@@ -164,7 +163,7 @@ Unlike on-premises deployment, not all pre-defined NSX-T Data Center RBAC roles
164
163
- VPN Admin
165
164
- Network Operator
166
165
167
-
In an Azure VMware Solution deployment, the following NSX-T Data Center predefined RBAC roles are not supported with LDAP integration:
166
+
In an Azure VMware Solution deployment, the following VMware NSX-T Data Center predefined RBAC roles aren't supported with LDAP integration:
168
167
169
168
- Enterprise Admin
170
169
- Network Admin
@@ -211,10 +210,13 @@ You can create custom roles in NSX-T Data Center with permissions lesser than or
211
210
4.**Apply** the changes and **Save** the Role.
212
211
213
212
> [!NOTE]
214
-
> The NSX-T Data Center **System** > **Identity Firewall AD** configuration option isn't supported by the NSX custom role. The recommendation is to assign the **Security Operator** role to the user with the custom role to allow managing the Identity Firewall (IDFW) feature for that user.
213
+
> The VMware NSX-T Data Center **System** > **Identity Firewall AD** configuration option isn't supported by the NSX custom role. The recommendation is to assign the **Security Operator** role to the user with the custom role to allow managing the Identity Firewall (IDFW) feature for that user.
214
+
215
+
> [!NOTE]
216
+
> The VMware NSX-T Data Center Traceflow feature isn't supported by the VMware NSX-T Data Center custom role. The recommendation is to assign the **Auditor** role to the user along with above custom role to enable Traceflow feature for that user.
215
217
216
218
> [!NOTE]
217
-
> The NSX-T Data Center Traceflow feature isn't supported by NSX-T Data Center custom role. The recommendation is to assign the **Auditor** role to the user along with above custom role to enable Traceflow feature for that user.
219
+
> VMware vRealize Automation(vRA) integration with the NSX-T Data Center component of the Azure VMware Solution requires the “auditor” role to be added to the user with the NSX-T Manager cloudadmin role.
218
220
219
221
## Next steps
220
222
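Review bot: the new vRA note is missing a space in "Automation(vRA)" and names the role as “auditor” in curly quotes, while the supported-roles list earlier in this file calls it **Auditor**; use the same spelling so readers can map it to the supported LDAP role. The unchanged step "4.**Apply** the changes" also lacks the space after "4." that Markdown needs to render it as a list item. Since the Traceflow note is only moved, the hunk leaves three consecutive notes about roles that must be stacked on the custom role (Security Operator for IDFW, Auditor for Traceflow, auditor for vRA); consider merging them into one note so the required extra privileges are listed in one place.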
@@ -228,8 +230,6 @@ Now that you've covered Azure VMware Solution access and identity concepts, you
228
230
229
231
-[How Azure VMware Solution monitors and repairs private clouds](./concepts-private-clouds-clusters.md#host-monitoring-and-remediation)
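Review bot: the Next steps link to the host monitoring and remediation section is dropped without a stated reason, and the hunk header counts two removed lines while only one is visible in this rendering, so the full change can't be reviewed here. If the target anchor in concepts-private-clouds-clusters.md still exists, keep the link or explain the removal in the commit message.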
description: Learn how to set up vRealize Operations for your Azure VMware Solution private cloud.
4
4
ms.topic: how-to
5
5
ms.service: azure-vmware
6
-
ms.date: 10/18/2022
6
+
ms.date: 11/18/2022
7
7
---
8
8
9
9
# Configure vRealize Operations for Azure VMware Solution
@@ -72,6 +72,9 @@ The warning occurs because the **[email protected]** user in Azure VMware
72
72
73
73
For more information, see [Privileges Required for Configuring a vCenter Server Adapter Instance](https://docs.vmware.com/en/vRealize-Operations-Manager/8.1/com.vmware.vcom.core.doc/GUID-3BFFC92A-9902-4CF2-945E-EA453733B426.html).
74
74
75
+
> [!NOTE]
76
+
> VMware vRealize Automation(vRA) integration with the NSX-T Data Center component of the Azure VMware Solution requires the “auditor” role to be added to the user with the NSX-T Manager cloudadmin role.
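Review bot: this note is the same sentence added to concepts-identity.md in this commit, including the missing space in "Automation(vRA)" and the lowercase “auditor”; fix both copies, and consider linking to the RBAC section of the identity article instead of duplicating the text so the two don't drift apart.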