IBM Cloud Docs
NSX administration interface identity and access management

NSX administration interface identity and access management

End of Marketing: As of 31 October 2025, new deployments of VMware Solutions offerings are no longer available for new customers. Existing customers can still use and expand their active VMware® workloads on IBM Cloud®. For more information, see End of Marketing for VMware on IBM Cloud.

End of Marketing: As of 17 July 2025, new deployments of VMware Regulated Workloads instances are no longer available for new customers. If you are an existing customer, you can still add or delete clusters, add or delete VMware ESXi™ servers or NFS storage, and add or remove services for your existing Regulated Workloads instances. As an existing customer, you can also view or delete your Regulated Workloads instances.

The following main principles or requirements apply:

  • Infrastructure Admin has execute and full access to all components.
  • Auditor has read-only access to all components.

NSX role mapping

NSX role mapping
VMware NSX® component Auditor Infrastructure admin
Controllers Read Full
Transport Nodes Read Full
Edge Nodes Read Full
Segments - VLAN Read Full
Segments - Overlay Read Full
T0 - Tenant Read Full
T0 - Transit Read Full
T0 - Management Read Full
T1s - Tenant Read Full
T1s - Services Read Full
T1s - Management Read Full

The roles and privileges for load balancing, firewall rules, and VPN services follow the T0/T1 roles and privileges.

NSX roles

NSX Data Center has the following built-in roles. You cannot add any new roles.

  • Enterprise administrator
  • Auditor
  • Network engineer
  • Network operations
  • Security engineer
  • Security operations
  • Load balancer administrator
  • Load balancer auditor
  • VPN administrator
  • Guest introspection administrator
  • Network introspection administrator

NSX user interface user IDs

NSX user IDs
User User ID Description
Privileged user admin Used post-deployment to manage NSX VTEP IP addresses and to manage host and cluster configuration when hosts and clusters are added and removed. Also, used to manage ESG configuration for services that require public network access for licensing, activation, or usage reporting.
IBM automation automation_admin Automation account used by IBM. It uses the principle identity functions to create configuration and protect it with a certificate.

For more information, see the Role-Based Access Control.