V-251778

CAT I (High)

NSX-T Manager must restrict the use of configuration, administration, and the execution of privileged commands to authorized personnel based on organization-defined roles.

Rule ID

SV-251778r879530_rule

STIG

VMware NSX-T Manager NDM Security Technical Implementation Guide

Version

V1R3

CCIs

CCI-000213, CCI-000366, CCI-002169, CCI-002235

Discussion

To mitigate the risk of unauthorized access, privileged access must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. Controls for this requirement include prevention of non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures; enforcing the use of organization-defined role-based access control policies over defined subjects and objects; and restricting access associated with changes to the system components.

Satisfies: SRG-APP-000033-NDM-000212, SRG-APP-000340-NDM-000288, SRG-APP-000329-NDM-000287, SRG-APP-000340-NDM-000288

Check Content

From the NSX-T Manager web interface, go to System >> Users and Roles >> User Role Assignment.

View each user and group and verify the role assigned to it.

The privileges required by application service accounts and users must be documented.

If any user, group, or service account is assigned to a role with privileges beyond those assigned by the SSP, this is a finding.
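The comparison in this check can be scripted once the assignments have been transcribed from the User Role Assignment page. The following is an added example, not part of the STIG or of any VMware tooling; the JSON field names, principals, and SSP mapping are constructed for illustration, and it assumes a principal that holds a role but is absent from the SSP counts as a finding.

```python
import json

# Constructed sample: assignments transcribed from System >> Users and Roles >>
# User Role Assignment. Field names are hypothetical, not an NSX-T export format.
ASSIGNMENTS_JSON = """
[
  {"name": "admin", "type": "local_user", "roles": ["Enterprise Admin"]},
  {"name": "audit", "type": "local_user", "roles": ["Auditor"]},
  {"name": "svc-backup", "type": "service_account", "roles": ["Enterprise Admin"]},
  {"name": "NetOps@example.test", "type": "group", "roles": ["Network Admin", "Security Admin"]},
  {"name": "jdoe@example.test", "type": "user", "roles": ["Network Operator"]}
]
"""

# Constructed sample: roles the SSP documents for each (type, name) principal.
SSP_ROLES = {
    ("local_user", "admin"): {"Enterprise Admin"},
    ("local_user", "audit"): {"Auditor"},
    ("service_account", "svc-backup"): {"Auditor"},
    ("group", "netops@example.test"): {"Network Admin"},
}

def find_findings(assignments, ssp_roles):
    """Return (type, name, roles, reason) for each assignment beyond the SSP."""
    findings = []
    for entry in assignments:
        # Normalize the name so case differences do not hide a match.
        key = (entry["type"], entry["name"].strip().lower())
        assigned = set(entry.get("roles", []))
        approved = ssp_roles.get(key)
        if approved is None:
            # Assumption: a principal with roles but no SSP entry is a finding.
            if assigned:
                findings.append((*key, sorted(assigned), "not documented in SSP"))
            continue
        excess = assigned - approved
        if excess:
            findings.append((*key, sorted(excess), "role not authorized by SSP"))
    return findings

def audit(assignments_json=ASSIGNMENTS_JSON, ssp_roles=SSP_ROLES):
    """Parse the transcribed assignments and compare them with the SSP."""
    return find_findings(json.loads(assignments_json), ssp_roles)

if __name__ == "__main__":
    for ptype, name, roles, reason in audit():
        print(f"FINDING {ptype} {name}: {', '.join(roles)} ({reason})")
```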

Fix Text

View the SSP to determine the required organization-defined roles (for example, audit administrator, crypto administrator, system administrator) and the least privilege policies required for each role. Assign users to roles based on the SSP and least privilege. Carefully assign capabilities to each role based on SSP role assignments.

To create a new role with reduced permissions, do the following:

From the NSX-T Manager web interface, go to System >> Users and Roles >> Roles. Click "Add Role", provide a name and the required permissions, and then click "Save".

To update user or group permissions to an existing role with reduced permissions, do the following:

From the NSX-T Manager web interface, go to System >> Users and Roles >> User Role Assignment. Click the menu dropdown next to the target user or group and select "Edit". Remove the existing role, select the new one, and then click "Save".