System Administration > Settings > User Management

Associated URIs:

API Description API Path

List feature permissions


List features
GET /policy/api/v1/aaa/features-with-properties

List LDAP identity sources


Return a list of all configured LDAP identity sources.
GET /global-manager/api/v1/aaa/ldap-identity-sources

Probe an LDAP identity source


Verify that the configuration of an LDAP identity source is correct before actually creating the source.
POST /global-manager/api/v1/aaa/ldap-identity-sources?action=probe_identity_source

Fetch the server certificate of an LDAP server


Attempt to connect to an LDAP server and retrieve the server certificate it presents.
POST /global-manager/api/v1/aaa/ldap-identity-sources?action=fetch_certificate

Test an LDAP server


Attempt to connect to an LDAP server and ensure that the server can be contacted using the given URL and authentication credentials.
POST /global-manager/api/v1/aaa/ldap-identity-sources?action=probe_ldap_server

Delete an LDAP identity source


Delete an LDAP identity source. Users defined in that source will no longer be able to access NSX.
DELETE /global-manager/api/v1/aaa/ldap-identity-sources/<ldap-identity-source-id>

Read a single LDAP identity source


Return details about one LDAP identity source
GET /global-manager/api/v1/aaa/ldap-identity-sources/<ldap-identity-source-id>

Test the configuration of an existing LDAP identity source


Attempt to connect to an existing LDAP identity source and report any errors encountered.
POST /global-manager/api/v1/aaa/ldap-identity-sources/<ldap-identity-source-id>?action=probe

Update an existing LDAP identity source


Update the configuration of an existing LDAP identity source. You may wish to verify the new configuration using the POST /aaa/ldap-identity-sources?action=probe API before changing the configuration.
PUT /global-manager/api/v1/aaa/ldap-identity-sources/<ldap-identity-source-id>

Search the LDAP identity source


Search the LDAP identity source for users and groups that match the given filter_value. In most cases, the LDAP source performs a case-insensitive search.
POST /global-manager/api/v1/aaa/ldap-identity-sources/<ldap-identity-source-id>/search

Create registration access token


The privileges of the registration token will be the same as the caller.
POST /policy/api/v1/aaa/registration-token

Delete registration access token


DELETE /policy/api/v1/aaa/registration-token/<token>

Get registration access token


GET /policy/api/v1/aaa/registration-token/<token>

Get all users and groups with their roles


GET /policy/api/v1/aaa/role-bindings

Delete all stale role assignments


POST /policy/api/v1/aaa/role-bindings?action=delete_stale_bindings

Assign roles to User or Group


When assigning a user role, specify the user name with the same
case as it appears in vIDM to access the NSX-T user interface.
For example, if vIDM has the user name User1@example.com then
the name attribute in the API call must be be User1@example.com
and cannot be user1@example.com.
POST /policy/api/v1/aaa/role-bindings

Delete user/group's roles assignment


DELETE /policy/api/v1/aaa/role-bindings/<binding-id>

Get user/group's role information


GET /policy/api/v1/aaa/role-bindings/<binding-id>

Update User or Group's roles


PUT /policy/api/v1/aaa/role-bindings/<binding-id>

Get information about all roles


GET /policy/api/v1/aaa/roles

Validate a new feature permission set


Validate the permissions of an incoming role. Also, recommend the
permissions which need to be corrected.
POST /policy/api/v1/aaa/roles?action=validate

Get information about all roles with features and their permissions


GET /policy/api/v1/aaa/roles-with-feature-permissions

Delete custom role


If a role is assigned to a role binding then the deletion of
the role is not allowed. Precanned roles cannot be deleted.
DELETE /policy/api/v1/aaa/roles/<role>

Get role information


GET /policy/api/v1/aaa/roles/<role>

Clone an already present role


The role with id is cloned and the new id, name and description are
the ones provided in the request body.
POST /policy/api/v1/aaa/roles/<role>?action=clone

Update custom role


Creates a new role with id as if there does not exist any
role with id , else updates the existing role.
PUT /policy/api/v1/aaa/roles/<role>

Get the name and role information of the user.


This API will return the name and role information of the user
invoking this API request. This API is available for all NSX users
no matter their authentication method (Local account, VIDM, LDAP etc).
The permissions parameter of the NsxRole has been deprecated.
GET /policy/api/v1/aaa/user-info

Get all the User Groups where vIDM display name matches the search key case insensitively. The search key is checked to be a substring of display name. This is a non paginated API.


GET /policy/api/v1/aaa/vidm/groups

Get all the users and groups from vIDM matching the search key case insensitively. The search key is checked to be a substring of name or given name or family name of user and display name of group. This is a non paginated API.


POST /policy/api/v1/aaa/vidm/search

Get all the users from vIDM whose userName, givenName or familyName matches the search key case insensitively. The search key is checked to be a substring of name or given name or family name. This is a non paginated API.


GET /policy/api/v1/aaa/vidm/users

Read AAA provider vIDM properties


GET /api/v1/node/aaa/providers/vidm
GET /api/v1/transport-nodes/<transport-node-id>/node/aaa/providers/vidm
GET /api/v1/cluster/<cluster-node-id>/node/aaa/providers/vidm

Update AAA provider vIDM properties


PUT /api/v1/node/aaa/providers/vidm
PUT /api/v1/transport-nodes/<transport-node-id>/node/aaa/providers/vidm
PUT /api/v1/cluster/<cluster-node-id>/node/aaa/providers/vidm

Read AAA provider vIDM status


GET /api/v1/node/aaa/providers/vidm/status
GET /api/v1/transport-nodes/<transport-node-id>/node/aaa/providers/vidm/status
GET /api/v1/cluster/<cluster-node-id>/node/aaa/providers/vidm/status