System Administration > Configuration > Fabric > Nodes > User Management

Associated URIs:

API Description API Path

Read node authentication policy and password complexity configuration


Returns information about the currently configured authentication policies and password complexity
on the node.
GET /api/v1/transport-nodes/{transport-node-id}/node/aaa/auth-policy
GET /api/v1/cluster/{cluster-node-id}/node/aaa/auth-policy
GET /api/v1/node/aaa/auth-policy

Resets node authentication policy and password complexity configuration


Resets the currently configured authentication policy and password complexity on the node to their defaults.
Administrators need to enforce a password change for existing user accounts
so that they match the newly configured complexity requirements in the system.

reset-all: resets the configured authentication policy and password complexity


reset-auth-policies: resets only the configured authentication policy, which
includes {api_failed_auth_lockout_period, api_failed_auth_reset_period,
api_max_auth_failures, cli_failed_auth_lockout_period, cli_max_auth_failures}


reset-pwd-complexity: resets only the configured password complexity


POST /api/v1/transport-nodes/{transport-node-id}/node/aaa/auth-policy?action=reset-all
POST /api/v1/transport-nodes/{transport-node-id}/node/aaa/auth-policy?action=reset-auth-policies
POST /api/v1/transport-nodes/{transport-node-id}/node/aaa/auth-policy?action=reset-pwd-complexity
POST /api/v1/cluster/{cluster-node-id}/node/aaa/auth-policy?action=reset-all
POST /api/v1/cluster/{cluster-node-id}/node/aaa/auth-policy?action=reset-auth-policies
POST /api/v1/cluster/{cluster-node-id}/node/aaa/auth-policy?action=reset-pwd-complexity
POST /api/v1/node/aaa/auth-policy?action=reset-all
POST /api/v1/node/aaa/auth-policy?action=reset-auth-policies
POST /api/v1/node/aaa/auth-policy?action=reset-pwd-complexity

Update node authentication policy and password complexity configuration


Updates the currently configured authentication policy and password complexity on the node.
If any of api_max_auth_failures, api_failed_auth_reset_period, or
api_failed_auth_lockout_period are modified, the http service is
automatically restarted.
A change to password complexity does not apply to user passwords that are already
configured. Administrators need to enforce a password change for existing user accounts
so that they match the newly configured complexity requirements enforced in the system.
All values from AuthenticationPolicyProperties are in sync among the management cluster nodes.
PUT /api/v1/transport-nodes/{transport-node-id}/node/aaa/auth-policy
PUT /api/v1/cluster/{cluster-node-id}/node/aaa/auth-policy
PUT /api/v1/node/aaa/auth-policy

List node users


Returns the list of users configured to log in to the NSX appliance.
GET /api/v1/transport-nodes/{transport-node-id}/node/users
GET /api/v1/transport-nodes/{transport-node-id}/node/users?internal=true
GET /api/v1/cluster/{cluster-node-id}/node/users
GET /api/v1/cluster/{cluster-node-id}/node/users?internal=true
GET /api/v1/node/users
GET /api/v1/node/users?internal=true

Create node users


Creates a new user account to log in to the NSX web-based user interface or access the API.
The username field is required when creating a new user. The usernames
root, admin and audit are reserved and cannot be used
to create a new user account, except for the local audit user.
For the local audit account, when no username is specified in the request, the
account is created with the username audit by default, although administrators
are allowed to use any other non-duplicate username during creation.
POST /api/v1/cluster/{cluster-node-id}/node/users?action=create_user
POST /api/v1/cluster/{cluster-node-id}/node/users?action=create_audit_user
POST /api/v1/node/users?action=create_user
POST /api/v1/node/users?action=create_audit_user

Reset a user's own password. Requires current password


Enables a user to reset their own password.
POST /api/v1/cluster/{cluster-node-id}/node/users?action=reset_own_password
POST /api/v1/node/users?action=reset_own_password

Delete node user


Deletes the specified user who is configured to log in to the NSX appliance.
The local users root and administrator cannot be deleted,
but the local user audit can be deleted on demand.

Caution: users deleted from the following node types cannot be recovered,
so plan the removal of user accounts accordingly.


  • Autonomous Edge

  • Cloud Service Manager

  • Edge

  • Public Cloud Gateway


DELETE /api/v1/transport-nodes/{transport-node-id}/node/users/{userid}
DELETE /api/v1/cluster/{cluster-node-id}/node/users/{userid}
DELETE /api/v1/node/users/{userid}

Read node user


Returns information about a specified user who is configured to log in to the
NSX appliance. The valid user IDs are: 0, 10000, 10002 or other users managed by administrators.
GET /api/v1/transport-nodes/{transport-node-id}/node/users/{userid}
GET /api/v1/cluster/{cluster-node-id}/node/users/{userid}
GET /api/v1/node/users/{userid}

Activate a user account with a password


Activates the account for this user. When an account is successfully
activated, the "status" field in the response is "ACTIVE".
This API is not supported for userid 0 and userid 10000.
POST /api/v1/cluster/{cluster-node-id}/node/users/{userid}?action=activate
POST /api/v1/node/users/{userid}?action=activate

Reset a user's password without requiring their current password


Unlike the PUT version of this call (PUT /node/users/<userid>), this API
does not require that the current password for the user be provided. The
account of the target user must be "ACTIVE" for the call to succeed.
This API is not supported for userid 0 and userid 10000.
POST /api/v1/cluster/{cluster-node-id}/node/users/{userid}?action=reset_password
POST /api/v1/node/users/{userid}?action=reset_password

Deactivate a user account


Deactivates the account for this user. Deactivating an account is
permanent, unlike an account that is temporarily locked because of
too many password failures. A deactivated account has to be explicitly
activated. When an account is successfully deactivated, the "status"
field in the response is "NOT_ACTIVATED".
This API is not supported for userid 0 and userid 10000.
POST /api/v1/cluster/{cluster-node-id}/node/users/{userid}?action=deactivate
POST /api/v1/node/users/{userid}?action=deactivate

Update node user


Updates attributes of an existing NSX appliance user. This method
cannot be used to add a new user. Modifiable attributes include the
username, full name of the user, and password. If you specify a password in
a PUT request, it is not returned in the response. Nor is it returned in a
GET request.


A specified password must meet the following (default) complexity requirements:
- minimum 12 characters in length
- maximum 128 characters in length
- minimum 1 uppercase character
- minimum 1 lowercase character
- minimum 1 numeric character
- minimum 1 special character
- minimum 5 unique characters
- default password complexity rules as enforced by the Linux PAM module


The configured password complexity may vary according to the defined authentication and password policies,
which are available at: [GET]: /api/v1/node/aaa/auth-policy


The valid user IDs are: 0, 10000, 10002 or other users managed by administrators.
Note that invoking this API does not update any user-related properties of
existing objects in the system and does not modify the username field in existing
audit log entries.


PUT /api/v1/transport-nodes/{transport-node-id}/node/users/{userid}
PUT /api/v1/cluster/{cluster-node-id}/node/users/{userid}
PUT /api/v1/node/users/{userid}

List SSH keys from authorized_keys file for node user


Returns a list of all SSH keys from the authorized_keys file for the node user.
GET /api/v1/transport-nodes/{transport-node-id}/node/users/{userid}/ssh-keys
GET /api/v1/cluster/{cluster-node-id}/node/users/{userid}/ssh-keys
GET /api/v1/node/users/{userid}/ssh-keys

Remove SSH public key from authorized_keys file for node user


POST /api/v1/transport-nodes/{transport-node-id}/node/users/{userid}/ssh-keys?action=remove_ssh_key
POST /api/v1/cluster/{cluster-node-id}/node/users/{userid}/ssh-keys?action=remove_ssh_key
POST /api/v1/node/users/{userid}/ssh-keys?action=remove_ssh_key

Add SSH public key to authorized_keys file for node user


POST /api/v1/transport-nodes/{transport-node-id}/node/users/{userid}/ssh-keys?action=add_ssh_key
POST /api/v1/cluster/{cluster-node-id}/node/users/{userid}/ssh-keys?action=add_ssh_key
POST /api/v1/node/users/{userid}/ssh-keys?action=add_ssh_key