Commit 7f6bbc1

Merge pull request #218956 from suzizuber/szuber/update-add-note-callouts
Update 2 articles, add new note
2 parents 48228a9 + 6df0348 commit 7f6bbc1

2 files changed

+28
-25
lines changed

articles/azure-vmware/concepts-identity.md

Lines changed: 24 additions & 24 deletions
@@ -3,8 +3,8 @@ title: Concepts - Identity and access
33
description: Learn about the identity and access concepts of Azure VMware Solution
44
ms.topic: conceptual
55
ms.service: azure-vmware
6-
ms.date: 07/21/2022
7-
ms.custom: references_regions
6+
ms.date: 11/18/2022
7+
ms.custom: "references_regions, engagement-fy23"
88
---
99

1010
# Azure VMware Solution identity concepts
@@ -53,9 +53,9 @@ The CloudAdmin role in Azure VMware Solution has the following privileges on vCe
5353

5454
### Create custom roles on vCenter Server
5555

56-
Azure VMware Solution supports the use of custom roles with equal or lesser privileges than the CloudAdmin role. You'll use the CloudAdmin role to create, modify, or delete custom roles with privileges lesser than or equal to their current role.
56+
Azure VMware Solution supports the use of custom roles with equal or lesser privileges than the CloudAdmin role. You'll use the CloudAdmin role to create, modify, or delete custom roles with privileges less than or equal to their current role.
5757

58-
>[!NOTE]
58+
>[!NOTE]
5959
>You can create roles with privileges greater than CloudAdmin. However, you can't assign the role to any users or groups or delete the role. Roles that have privileges greater than that of CloudAdmin is unsupported.
6060
6161
To prevent creating roles that can't be assigned or deleted, clone the CloudAdmin role as the basis for creating new custom roles.
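Review bot: The unchanged NOTE body directly below the re-saved `>[!NOTE]` line still reads "Roles that have privileges greater than that of CloudAdmin is unsupported". Since this hunk already touches the callout and fixes "lesser than" in the paragraph above it, correct the agreement to "are unsupported" in the same pass. The only visible difference on the `>[!NOTE]` line itself is whitespace, so confirm that change is intentional.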
@@ -90,31 +90,30 @@ To prevent creating roles that can't be assigned or deleted, clone the CloudAdmi
9090
9191
1. Check the **Propagate to children** if needed, and select **OK**. The added permission displays in the **Permissions** section.
9292

93+
## VMware NSX-T Data Center NSX-T Manager access and identity
9394

94-
## NSX-T Manager access and identity
95-
96-
When a private cloud is provisioned using Azure portal, software-defined data center (SDDC) management components like vCenter Server and NSX-T Manager are provisioned for customers.
95+
When a private cloud is provisioned using Azure portal, software-defined data center (SDDC) management components like vCenter Server and VMware NSX-T Data Center NSX-T Manager are provisioned for customers.
9796

98-
Microsoft is responsible for the lifecycle management of NSX-T appliances like NSX-T Managers and NSX-T Data Center Edges. They're responsible for bootstrapping network configuration, like creating the Tier-0 gateway.
97+
Microsoft is responsible for the lifecycle management of NSX-T appliances like, VMware NSX-T Data Center NSX-T Manager and VMware NSX-T Data Center Microsoft Edge appliances. They're responsible for bootstrapping network configuration, like creating the Tier-0 gateway.
9998

100-
You're responsible for NSX-T Data Center software-defined networking (SDN) configuration, for example:
99+
You're responsible for VMware NSX-T Data Center software-defined networking (SDN) configuration, for example:
101100

102101
- Network segments
103102
- Other Tier-1 gateways
104103
- Distributed firewall rules
105104
- Stateful services like gateway firewall
106105
- Load balancer on Tier-1 gateways
107106

108-
You can access NSX-T Manager using the built-in local user "cloudadmin" assigned to a custom role that gives limited privileges to a user to manage NSX-T Data Center. While Microsoft manages the lifecycle of NSX-T Data Center, certain operations aren't allowed by a user. Operations not allowed include editing the configuration of host and edge transport nodes or starting an upgrade. For new users, Azure VMware Solution deploys them with a specific set of permissions needed by that user. The purpose is to provide a clear separation of control between the Azure VMware Solution control plane configuration and Azure VMware Solution private cloud user.
107+
You can access VMware NSX-T Data Center NSX-T Manager using the built-in local user "cloudadmin" assigned to a custom role that gives limited privileges to a user to manage VMware NSX-T Data Center. While Microsoft manages the lifecycle of VMware NSX-T Data Center, certain operations aren't allowed by a user. Operations not allowed include editing the configuration of host and edge transport nodes or starting an upgrade. For new users, Azure VMware Solution deploys them with a specific set of permissions needed by that user. The purpose is to provide a clear separation of control between the Azure VMware Solution control plane configuration and Azure VMware Solution private cloud user.
109108

110-
For new private cloud deployments, NSX-T Data Center access will be provided with a built-in local user cloudadmin assigned to the **cloudadmin** role with a specific set of permissions to use NSX-T Data Center functionality for workloads.
109+
For new private cloud deployments, VMware NSX-T Data Center access will be provided with a built-in local user cloudadmin assigned to the **cloudadmin** role with a specific set of permissions to use VMware NSX-T Data Center functionality for workloads.
111110

112-
### NSX-T Data Center cloudadmin user permissions
111+
### VMware NSX-T Data Center cloudadmin user permissions
113112

114113
The following permissions are assigned to the **cloudadmin** user in Azure VMware Solution NSX-T Data Center.
115114

116115
> [!NOTE]
117-
> **NSX-T Data Center cloudadmin user** on Azure VMware Solution is not the same as the **cloudadmin user** mentioned in the VMware product documentation.
116+
> **VMware NSX-T Data Center cloudadmin user** on Azure VMware Solution is not the same as the **cloudadmin user** mentioned in the VMware product documentation.
118117
119118
| Category | Type | Operation | Permission |
120119
|-----------------|-----------------------|----------------------------------------------------------------------|------------------------------------------------------------------|
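Review bot: In the lifecycle paragraph, "NSX-T Data Center Edges" became "VMware NSX-T Data Center Microsoft Edge appliances", which looks like a bad find-and-replace: the removed line names NSX-T edges, not a Microsoft product, and the same sentence gains a stray comma after "like". Suggest "like VMware NSX-T Data Center NSX-T Manager and VMware NSX-T Data Center Edge appliances". Renaming the H2 also changes the heading text that links may target, so check inbound references. The context line "Azure VMware Solution NSX-T Data Center" under the permissions heading was left without the new prefix.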
@@ -134,7 +133,7 @@ The following permissions are assigned to the **cloudadmin** user in Azure VMwar
134133
| System | Configuration<br>Settings<br>Settings<br>Settings | Identity firewall<br>Users and Roles<br>Certificate Management (Service Certificate only)<br>User Interface Settings | Full Access<br>Full Access<br>Full Access<br>Full Access |
135134
| System | All other | | Read-only |
136135

137-
You can view the permissions granted to the Azure VMware Solution cloudadmin role on your Azure VMware Solution private cloud NSX-T Data Center.
136+
You can view the permissions granted to the Azure VMware Solution cloudadmin role on your Azure VMware Solution private cloud VMware NSX-T Data Center.
138137

139138
1. Log in to the NSX-T Manager.
140139
1. Navigate to **Systems** and locate **Users and Roles**.
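Review bot: The rewritten sentence ends "on your Azure VMware Solution private cloud VMware NSX-T Data Center", which stacks two product names with no connective. Something like "in the VMware NSX-T Data Center of your Azure VMware Solution private cloud" reads more clearly. The first step right after it still says "Log in to the NSX-T Manager", so the naming is now inconsistent within one procedure.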
@@ -144,18 +143,18 @@ You can view the permissions granted to the Azure VMware Solution cloudadmin rol
144143
> [!NOTE]
145144
> **Private clouds created before June 2022** will switch from **admin** role to **cloudadmin** role. You'll receive a notification through Azure Service Health that includes the timeline of this change so you can change the NSX-T Data Center credentials you've used for other integration.
146145
147-
## NSX-T Data Center LDAP integration for role based access control (RBAC)
146+
## NSX-T Data Center LDAP integration for role-based access control (RBAC)
148147

149-
In an Azure VMware Solution deployment, the NSX-T Data Center can be integrated with external LDAP directory service to add remote directory users or group, and assign them an NSX-T Data Center RBAC role, like on-premises deployment. For more information on how to enable NSX-T Data Center LDAP integration, see the [VMware product documentation](https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-DB5A44F1-6E1D-4E5C-8B50-D6161FFA5BD2.html).
148+
In an Azure VMware Solution deployment, the VMware NSX-T Data Center can be integrated with external LDAP directory service to add remote directory users or group, and assign them a VMware NSX-T Data Center RBAC role, like on-premises deployment. For more information on how to enable VMware NSX-T Data Center LDAP integration, see the [VMware product documentation](https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-DB5A44F1-6E1D-4E5C-8B50-D6161FFA5BD2.html).
150149

151-
Unlike on-premises deployment, not all pre-defined NSX-T Data Center RBAC roles are supported with Azure VMware solution to keep Azure VMware Solution IaaS control plane config management separate from tenant network and security configuration. Please see the next section, Supported NSX-T Data Center RBAC roles, for more details.
150+
Unlike on-premises deployment, not all pre-defined NSX-T Data Center RBAC roles are supported with Azure VMware solution to keep Azure VMware Solution IaaS control plane config management separate from tenant network and security configuration. See the next section, Supported NSX-T Data Center RBAC roles, for more details.
152151

153152
> [!NOTE]
154-
> NSX-T LDAP Integration supported only with SDDC’s with NSX-T Data Center “cloudadmin” user.
153+
> VMware NSX-T Data Center LDAP Integration is supported only with SDDC’s with VMware NSX-T Data Center “cloudadmin” user.
155154
156155
### Supported and unsupported NSX-T Data Center RBAC roles
157156

158-
In an Azure VMware Solution deployment, the following NSX-T Data Center predefined RBAC roles are supported with LDAP integration:
157+
In an Azure VMware Solution deployment, the following VMware NSX-T Data Center predefined RBAC roles are supported with LDAP integration:
159158

160159
- Auditor
161160
- Cloudadmin
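Review bot: The branding pass is applied unevenly in this hunk. The H2 on the added line still reads "NSX-T Data Center LDAP integration", and the "Unlike on-premises deployment" paragraph keeps "pre-defined NSX-T Data Center RBAC roles" and lowercase "Azure VMware solution", while the sentences around it use the "VMware" prefix and "predefined". In the rewritten NOTE, "SDDC’s" is a plural and should be "SDDCs", and in the paragraph above it "users or group" should be "users or groups".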
@@ -164,7 +163,7 @@ Unlike on-premises deployment, not all pre-defined NSX-T Data Center RBAC roles
164163
- VPN Admin
165164
- Network Operator
166165

167-
In an Azure VMware Solution deployment, the following NSX-T Data Center predefined RBAC roles are not supported with LDAP integration:
166+
In an Azure VMware Solution deployment, the following VMware NSX-T Data Center predefined RBAC roles aren't supported with LDAP integration:
168167

169168
- Enterprise Admin
170169
- Network Admin
@@ -211,10 +210,13 @@ You can create custom roles in NSX-T Data Center with permissions lesser than or
211210
4. **Apply** the changes and **Save** the Role.
212211

213212
> [!NOTE]
214-
> The NSX-T Data Center **System** > **Identity Firewall AD** configuration option isn't supported by the NSX custom role. The recommendation is to assign the **Security Operator** role to the user with the custom role to allow managing the Identity Firewall (IDFW) feature for that user.
213+
> The VMware NSX-T Data Center **System** > **Identity Firewall AD** configuration option isn't supported by the NSX custom role. The recommendation is to assign the **Security Operator** role to the user with the custom role to allow managing the Identity Firewall (IDFW) feature for that user.
214+
215+
> [!NOTE]
216+
> The VMware NSX-T Data Center Traceflow feature isn't supported by the VMware NSX-T Data Center custom role. The recommendation is to assign the **Auditor** role to the user along with above custom role to enable Traceflow feature for that user.
215217
216218
> [!NOTE]
217-
> The NSX-T Data Center Traceflow feature isn't supported by NSX-T Data Center custom role. The recommendation is to assign the **Auditor** role to the user along with above custom role to enable Traceflow feature for that user.
219+
> VMware vRealize Automation(vRA) integration with the NSX-T Data Center component of the Azure VMware Solution requires the “auditor” role to be added to the user with the NSX-T Manager cloudadmin role.
218220
219221
## Next steps
220222
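Review bot: The new vRA note is formatted differently from the two notes above it. "VMware vRealize Automation(vRA)" is missing a space before the parenthesis, and the role is written as “auditor” in curly quotes while the Traceflow note uses **Auditor**. Suggest "VMware vRealize Automation (vRA)" and **Auditor**. The relocated Traceflow note also still says "along with above custom role"; "along with the above custom role" fixes it while the line is being touched.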

@@ -228,8 +230,6 @@ Now that you've covered Azure VMware Solution access and identity concepts, you
228230

229231
- [How Azure VMware Solution monitors and repairs private clouds](./concepts-private-clouds-clusters.md#host-monitoring-and-remediation)
230232

231-
232-
233233
<!-- LINKS - external-->
234234
[VMware product documentation]: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-ED56F3C4-77D0-49E3-88B6-B99B8B437B62.html
235235

articles/azure-vmware/vrealize-operations-for-azure-vmware-solution.md

Lines changed: 4 additions & 1 deletion
@@ -3,7 +3,7 @@ title: Configure vRealize Operations for Azure VMware Solution
33
description: Learn how to set up vRealize Operations for your Azure VMware Solution private cloud.
44
ms.topic: how-to
55
ms.service: azure-vmware
6-
ms.date: 10/18/2022
6+
ms.date: 11/18/2022
77
---
88

99
# Configure vRealize Operations for Azure VMware Solution
@@ -72,6 +72,9 @@ The warning occurs because the **[email protected]** user in Azure VMware
7272

7373
For more information, see [Privileges Required for Configuring a vCenter Server Adapter Instance](https://docs.vmware.com/en/vRealize-Operations-Manager/8.1/com.vmware.vcom.core.doc/GUID-3BFFC92A-9902-4CF2-945E-EA453733B426.html).
7474

75+
> [!NOTE]
76+
> VMware vRealize Automation(vRA) integration with the NSX-T Data Center component of the Azure VMware Solution requires the “auditor” role to be added to the user with the NSX-T Manager cloudadmin role.
77+
7578
<!-- LINKS - external -->
7679

7780
<!-- LINKS - internal -->
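Review bot: The added NOTE is about vRealize Automation (vRA), but this article configures vRealize Operations, and the note lands directly after the vCenter Server adapter privileges link, so readers may take it as a vRealize Operations requirement. Confirm the intended product. If the vRA wording is right, add a sentence tying it to this article, or link to the identical note in concepts-identity.md instead of duplicating the text in two files.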
