System Administration > Settings > User Management

Associated URIs:

API Description / API Path

List LDAP identity sources
Return a list of all configured LDAP identity sources.
GET /policy/api/v1/aaa/ldap-identity-sources

Test an LDAP server
Attempt to connect to an LDAP server and ensure that the server can be contacted using the given URL and authentication credentials.
POST /policy/api/v1/aaa/ldap-identity-sources?action=probe_ldap_server

Probe an LDAP identity source
Verify that the configuration of an LDAP identity source is correct before actually creating the source.
POST /policy/api/v1/aaa/ldap-identity-sources?action=probe_identity_source

Fetch the server certificate of an LDAP server
Attempt to connect to an LDAP server and retrieve the server certificate it presents.
POST /policy/api/v1/aaa/ldap-identity-sources?action=fetch_certificate

Delete an LDAP identity source
Delete an LDAP identity source. Users defined in that source will no longer be able to access NSX.
DELETE /policy/api/v1/aaa/ldap-identity-sources/<ldap-identity-source-id>

Read a single LDAP identity source
Return details about one LDAP identity source.
GET /policy/api/v1/aaa/ldap-identity-sources/<ldap-identity-source-id>

Test the configuration of an existing LDAP identity source
Attempt to connect to an existing LDAP identity source and report any errors encountered.
POST /policy/api/v1/aaa/ldap-identity-sources/<ldap-identity-source-id>?action=probe

Update an existing LDAP identity source
Update the configuration of an existing LDAP identity source. You may wish to verify the new configuration using the POST /aaa/ldap-identity-sources?action=probe API before changing the configuration.
PUT /policy/api/v1/aaa/ldap-identity-sources/<ldap-identity-source-id>

Search the LDAP identity source
Search the LDAP identity source for users and groups that match the given filter_value. In most cases, the LDAP source performs a case-insensitive search.
POST /policy/api/v1/aaa/ldap-identity-sources/<ldap-identity-source-id>/search

Create registration access token
The privileges of the registration token will be the same as the caller's.
POST /api/v1/aaa/registration-token

Delete registration access token
DELETE /api/v1/aaa/registration-token/<token>

Get registration access token
GET /api/v1/aaa/registration-token/<token>

Get all users and groups with their roles
GET /api/v1/aaa/role-bindings

Delete all stale role assignments
POST /api/v1/aaa/role-bindings?action=delete_stale_bindings

Assign roles to User or Group
When assigning a user role, specify the user name with the same case as it appears in vIDM to access the NSX-T user interface. For example, if vIDM has the user name User1@example.com then the name attribute in the API call must be User1@example.com and cannot be user1@example.com.
POST /api/v1/aaa/role-bindings

Delete user/group's roles assignment
DELETE /api/v1/aaa/role-bindings/<binding-id>

Get user/group's role information
GET /api/v1/aaa/role-bindings/<binding-id>

Update User or Group's roles
PUT /api/v1/aaa/role-bindings/<binding-id>

Get information about all roles
GET /api/v1/aaa/roles

Get information about all roles with features and their permissions
GET /api/v1/aaa/roles-with-feature-permissions

Get role information
GET /api/v1/aaa/roles/<role>

Get the name and role information of the user
This API will return the name and role information of the user invoking this API request. This API is available for all NSX users regardless of their authentication method (Local account, vIDM, LDAP etc). The permissions parameter of the NsxRole has been deprecated.
GET /api/v1/aaa/user-info

Get all the User Groups where vIDM display name matches the search key case-insensitively
The search key is checked to be a substring of the display name. This is a non-paginated API.
GET /api/v1/aaa/vidm/groups

Get all the users and groups from vIDM matching the search key case-insensitively
The search key is checked to be a substring of the name, given name or family name of a user, and of the display name of a group. This is a non-paginated API.
POST /api/v1/aaa/vidm/search

Get all the users from vIDM whose userName, givenName or familyName matches the search key case-insensitively
The search key is checked to be a substring of the name, given name or family name. This is a non-paginated API.
GET /api/v1/aaa/vidm/users

Read AAA provider vIDM properties
GET /api/v1/node/aaa/providers/vidm
GET /api/v1/transport-nodes/<transport-node-id>/node/aaa/providers/vidm
GET /api/v1/cluster/<cluster-node-id>/node/aaa/providers/vidm

Update AAA provider vIDM properties
PUT /api/v1/node/aaa/providers/vidm
PUT /api/v1/transport-nodes/<transport-node-id>/node/aaa/providers/vidm
PUT /api/v1/cluster/<cluster-node-id>/node/aaa/providers/vidm

Read AAA provider vIDM status
GET /api/v1/node/aaa/providers/vidm/status
GET /api/v1/transport-nodes/<transport-node-id>/node/aaa/providers/vidm/status
GET /api/v1/cluster/<cluster-node-id>/node/aaa/providers/vidm/status

Return the list of OpenID Connect end-points
GET /api/v1/trust-management/oidc-uris

Update an OpenID Connect end-point's thumbprint
Update an OpenID Connect end-point's thumbprint used to connect to the oidc_uri through SSL.
POST /api/v1/trust-management/oidc-uris?action=update_thumbprint

Add an OpenID Connect end-point
This request also fetches the issuer and jwks_uri meta-data from the OIDC end-point and stores it.
POST /api/v1/trust-management/oidc-uris

Get an OpenID Connect end-point
When ?refresh=true is added to the request, the meta-data is newly fetched from the OIDC end-point.
GET /api/v1/trust-management/oidc-uris/<id>

Return the list of principal identities
Returns the list of principals registered with a certificate.
GET /api/v1/trust-management/principal-identities

Register a name-certificate combination (Deprecated)
Associates a principal's name with a certificate that is used to authenticate. The combination of name and node_id needs to be unique across token-based and certificate-based principal identities. Deprecated, use POST /trust-management/principal-identities/with-certificate instead.
POST /api/v1/trust-management/principal-identities (Deprecated)

Update a principal identity's certificate
Update a principal identity's certificate.
POST /api/v1/trust-management/principal-identities?action=update_certificate

Delete a principal identity
Delete a principal identity. It does not delete the certificate.
DELETE /api/v1/trust-management/principal-identities/<principal-identity-id>

Get a principal identity
Get a stored principal identity.
GET /api/v1/trust-management/principal-identities/<principal-identity-id>

Register a name-certificate combination
Create a principal identity with a new, unused certificate. The combination of name and node_id needs to be unique across token-based and certificate-based principal identities.
POST /api/v1/trust-management/principal-identities/with-certificate

Return the list of token-based principal identities
These don't have certificate or role information.
GET /api/v1/trust-management/token-principal-identities

Register a token-based principal identity
Register a principal identity that is going to be authenticated through a token. The combination of name and node_id needs to be unique across token-based and certificate-based principal identities.
POST /api/v1/trust-management/token-principal-identities

Delete a token-based principal identity
Delete a token-based principal identity.
DELETE /api/v1/trust-management/token-principal-identities/<principal-identity-id>

Get a token-based principal identity
Get a stored token-based principal identity.
GET /api/v1/trust-management/token-principal-identities/<principal-identity-id>