NSX-T Morpheus Role for NSX-T integrations

NSX-T integration with a custom NSX-T Role

Currently it is not supported to use a service account with a custom NSX role (i.e. not NSX Enterprise Admin) to connect Morpheus to NSX-T. Only NSX’s Enterprise Admin role is supported (which is full admin).
This raises a security problem as Morpheus (at least in our cases) only needs a couple of NSX functionalities to operate, and we do not want to delegate the NSX security to Morpheus mapped permission sets.

Hi @ofeuillerat,

Which NSX functionalities are the ones you are hoping to pare down to? In my testing, all system roles are able to authenticate when creating the NSX integration. Custom roles are not able to connect. I am not sure of the difference here. One thing I was able to do (which I am still testing) is giving the service account the auditor role or the network operator role and then having a custom role to add permissions that I want the account to have on top of those.

Hello sjabro,
sorry for the late reply.
Reading your comment, I just tried the following:
assign both the “auditor” system role AND my custom role to the service account user, and this time I could integrate NSX with the service account!
It’s a bit unexpected, but it seems the connection works only if at least a “system” role is mapped to the service account.

Thanks for your comment, which led to the solution.