How to create an NSX CLI user via API

There is no option to create CLI users in the NSX Manager UI, so the only option is to do this via the API. There are several reasons why you might want to do this:

  • RBAC for each person logging in via SSH.
  • A monitoring solution that might need to query using CLI commands or check the filesystem on the appliance.
  • An auditor or pen tester who needs access.

Getting Started

1) Connect to the NSX Manager via SSH. Log in, enter privileged mode and then configuration mode to create the user account as shown:

Login as: admin
enable
conf t
user api_username password plaintext Password01!
exit
write memory

2) Grant the user account access to the web-interface (API):

user api_username privilege web-interface 

3) Start a browser and connect to the NSX Manager using the ‘admin’ account. This is needed to accept the self-signed certificate. You can skip this step if you are using software like Postman, where you can tick a box to ignore self-signed certificate warnings.

4) Start a REST API client and input these:

Headers:

Basic Authentication - use the admin account and its password, or any other account that has the NSX Enterprise Admin role.
Content-Type: application/xml
Type: POST
URL: https://nsxmgr.domain.local/api/2.0/services/usermgmt/role/api_username?isCli=true

Body:

<accessControlEntry>
<role>auditor</role>
<resource>
<resourceId>globalroot-0</resourceId>
</resource>
</accessControlEntry>

The possible role values are as follows. The auditor role has basic read-only access, so you might need to change the value inside <role></role> above.

  • super_user (System Administrator)
  • vshield_admin (NSX Administrator)
  • enterprise_admin (Enterprise Admin)
  • security_admin (Security Administrator)
  • auditor (Auditor)

5) Log in to the VMware Web Client and navigate to Networking & Security->NSX Managers->NSX MGR IP->Manage->Users.

You will notice that the api_username CLI user has been added to the system and has the auditor role.
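
The request from step 4 scripted in Python, as an added example that is not part of the original post: it checks the role against the list above, serializes the XML body, and verifies the manager's certificate against an exported copy instead of ignoring the warning. The function names and the certificate path nsxmgr-ca.pem are assumptions.

```python
import base64
import ssl
import urllib.parse
import urllib.request
from xml.etree import ElementTree as ET

# Role identifiers listed in the article.
ROLES = {"super_user", "vshield_admin", "enterprise_admin",
         "security_admin", "auditor"}


def build_role_request(manager, cli_user, role, admin_user, admin_password):
    """Build (without sending) the POST that assigns `role` to a CLI user."""
    if role not in ROLES:
        raise ValueError(f"unknown role: {role!r}")
    # Use an XML serializer so element values are always escaped correctly.
    ace = ET.Element("accessControlEntry")
    ET.SubElement(ace, "role").text = role
    resource = ET.SubElement(ace, "resource")
    ET.SubElement(resource, "resourceId").text = "globalroot-0"
    body = ET.tostring(ace)
    # Percent-encode the user name so it cannot change the path or query string.
    url = (f"https://{manager}/api/2.0/services/usermgmt/role/"
           f"{urllib.parse.quote(cli_user, safe='')}?isCli=true")
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/xml",
        "Authorization": f"Basic {token}",
    })


def send(request, ca_file):
    """Send with certificate verification on, trusting only `ca_file`."""
    context = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(request, context=context, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    import getpass
    # Prompt for the password so it never lands in the script or shell history.
    req = build_role_request("nsxmgr.domain.local", "api_username", "auditor",
                             "admin", getpass.getpass("admin password: "))
    print(req.get_method(), req.full_url)
    print(send(req, "nsxmgr-ca.pem"))  # hypothetical path to the exported cert
```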
