The appendix aggregates all design decisions of the Identity and Access Management for VMware Cloud Foundation validated solution. You can use this design decision list for reference related to the end state of the environment and potentially to track your level of adherence to the design and any justification for deviations.

Deployment Specification

Table 1. Design Decisions on the Deployment of a standalone Workspace ONE Access

Decision ID

Design Decision

Design Justification

Design Implication

IAM-WSA-CFG-001

Deploy a single-node standalone Workspace ONE Access instance in the management domain for a VMware Cloud Foundation instance.

Supports the design objectives for users and groups scalability for Workspace ONE Access without requiring clustering support.

  • A standalone Workspace ONE Access instance is not managed by SDDC Manager.

  • Deployment is performed using the Open Virtualization Format (OVF) open standard supported by vSphere.

  • Life cycle management of the standalone Workspace ONE Access instance is performed by using the native command line tools within the appliance.

IAM-WSA-CFG-002

Use the native PostgreSQL database service in the Workspace ONE Access appliance.

  • Supports the design objectives for users and groups scalability in Workspace ONE Access without requiring clustering support.

  • Removes the constraints and operational overhead that an external database requires.

None.

IAM-WSA-CFG-003

Protect the standalone Workspace ONE Access instance using vSphere High Availability.

Supports the design objectives for availability of Workspace ONE Access without requiring human intervention during an ESXi host failure event.

In the event of an ESXi host failure, the services provided by the standalone Workspace ONE Access instance are temporarily unavailable during the restart of the appliance initiated by vSphere High Availability. SDDC components using Workspace ONE Access as an authentication source are interrupted (for example, vRealize Automation to NSX Manager) during the restart of the appliance.

IAM-WSA-CFG-004

Place the standalone Workspace ONE Access instance in a designated virtual machine folder.

Organizes the standalone Workspace ONE Access instance within the management domain vSphere inventory.

You must specify the virtual machine folder placement during or after the deployment.

Table 2. Design Decisions on the Deployment of standalone Workspace ONE Access for Multi-Availability Zones

Decision ID

Design Decision

Design Justification

Design Implication

IAM-WSA-CFG-005

When using more than one availability zone, add the standalone Workspace ONE Access instance to the primary availability zone virtual machine group.

Ensures that, by default, the standalone Workspace ONE Access instance is powered on in the primary availability zone host group.

In the event of a primary availability zone failure, vSphere High Availability restarts the Workspace ONE Access instance in the secondary availability zone without human intervention.

After stretching the management domain cluster across availability zones in a region, the virtual machine group for the primary availability zone virtual machines must be updated to include the Workspace ONE Access appliance.

Table 3. Design Decisions on the Sizing of standalone Workspace ONE Access

Decision ID

Design Decision

Design Justification

Design Implication

IAM-WSA-CFG-006

Deploy the standalone Workspace ONE Access instance using the Extra Small virtual appliance configuration.

  • Supports the design objectives for users and groups scalability for Workspace ONE Access.

  • Removes the constraints and operational overhead that a non-managed clustered deployment requires.

None.

Network Design

Table 4. Design Decisions on the Network Segments for the standalone Workspace ONE Access

Decision ID

Design Decision

Design Justification

Design Implication

IAM-WSA-NET-001

Place the standalone Workspace ONE Access instance on the local-instance NSX network segment.

  • Authentication for SDDC components can sustain operations in the event of a network service interruption between regions.

  • Ensures a consistent deployment model for management applications.

You must use an implementation in NSX to support this networking configuration.

Table 5. Design Decisions on the IP Addressing for the standalone Workspace ONE Access

Decision ID

Design Decision

Design Justification

Design Implication

IAM-WSA-NET-002

Allocate and assign a static IP address to the standalone Workspace ONE Access instance.

Using assigned IP addresses removes the constraints and risks associated with providing and managing DHCP on your management networks.

The use of static IP addresses requires precise IP address management.

Table 6. Design Decisions on Name Resolution for standalone Workspace ONE Access

Decision ID

Design Decision

Design Justification

Design Implication

IAM-WSA-NET-003

Configure both forward (A) and reverse (PTR) DNS records for a standalone Workspace ONE Access instance.

Workspace ONE Access is accessible using a fully qualified domain name.

  • DNS infrastructure services must be available in the environment.

  • You must establish the DNS records (A and PTR) for each standalone Workspace ONE Access instance.

  • Firewalls between Workspace ONE Access instances and each DNS server must allow traffic for DNS.

Table 7. Design Decisions on Time Synchronization for standalone Workspace ONE Access

Decision ID

Design Decision

Design Justification

Design Implication

IAM-WSA-NET-004

Configure the standalone Workspace ONE Access instance to use NTP servers rather than using VMware Tools to synchronize with the ESXi host on which it is running.

  • Ensures that Workspace ONE Access has accurate time synchronization.

  • Assists in the prevention of time mismatch between the management components.

  • NTP services must be available in the environment.

  • Firewalls between Workspace ONE Access nodes and each NTP server must allow traffic for NTP.

Life Cycle Management Design

Table 8. Design Decisions on Life Cycle Management of Workspace ONE Access

Decision ID

Design Decision

Design Justification

Design Implication

IAM-WSA-LCM-001

Life cycle management of a standalone Workspace ONE Access instance is provided using the native command line tools in the appliance.

  • A standalone Workspace ONE Access instance is not managed by SDDC Manager.

  • A standalone Workspace ONE Access instance cannot be managed by the vRealize Suite Lifecycle Manager instance deployed by SDDC Manager.

Deployment, patching, updates, and upgrades of a standalone Workspace ONE Access instance are performed without native automation.

Information Security and Access Design

Table 9. Design Decisions on Information Security

Decision ID

Design Decision

Design Justification

Design Implication

IAM-WSA-SEC-001

Limit the use of local accounts for both interactive and API access and for solution integration.

Local accounts are not specific to user identity and do not offer complete auditing from an endpoint back to the user identity.

You must define and manage service accounts, security groups, group membership, and security controls in Active Directory.

IAM-WSA-SEC-002

Limit the scope and privileges of the accounts used for both interactive and API access and for solution integration.

The principle of least privilege is a critical aspect of access management and must be part of a comprehensive defense-in-depth security strategy.

You must define and manage custom roles and security controls to limit the scope and privileges used for interactive access or solution integration.

IAM-WSA-SEC-003

Assign Active Directory user accounts to security groups following your organization's access policies.

Allows Active Directory security groups to be assigned to roles in SDDC components for streamlined management of access and administrative privileges.

You must define and manage security groups, group membership, and security controls in Active Directory.

IAM-WSA-SEC-004

Assign Active Directory security groups to default or custom roles, as applicable, for interactive or API access to solution components based on your organization's business and security requirements.

  • SDDC Manager

  • ESXi (as applicable)

  • vCenter Servers

  • NSX Managers

  • Workspace ONE Access

  • Using Active Directory security group membership provides greater flexibility in granting access to roles across solution components.

  • Ensuring that users log in with a unique Active Directory user account provides greater visibility for auditing.

  • Evaluate the needs for additional role separation in your organization and implement mapping from Active Directory users to Active Directory security groups and default or custom roles.

  • You must manage privileges assigned to custom roles.

  • You must manage the assignment and scope of custom roles based on the business and security requirements.

  • Additional Active Directory security groups must be created before assigning roles.

  • You must maintain the life cycle and availability of Active Directory security groups outside of the SDDC stack.

  • The principle of least privilege is only one aspect of access management and must be part of a comprehensive defense-in-depth security strategy aligned with organization personas.

Table 10. Design Decisions on Password Policies for ESXi Hosts

Decision ID

Design Decision

Design Justification

Design Implication

IAM-ESXI-SEC-001

Configure the password expiration policy for each ESXi host.

  • You configure the password expiration for ESXi hosts to align with the requirements of your organization, which might be based on industry compliance standards.

  • The password expiration policy is applicable to the following default accounts for a commissioned ESXi host:

    • root account

    • SERVICE account

  • The policy is applicable only to the local ESXi host users.

You must manage the local user password expiration policy on each ESXi host by using the advanced system settings in the vSphere Client or the Host Client.

IAM-ESXI-SEC-002

Configure the password complexity policy for each ESXi host.

  • You configure the password complexity policy for ESXi hosts to align with the requirements of your organization, which might be based on industry compliance standards.

  • The password complexity policy is applicable only to the local ESXi host users.

You must manage the local user password complexity policy on each ESXi host by using the advanced system settings in the vSphere Client or the Host Client.

IAM-ESXI-SEC-003

Configure the account lockout policy for each ESXi host.

  • You configure the account lockout policy for ESXi hosts to align with the requirements of your organization, which might be based on industry compliance standards.

  • The policy is applicable only to the local ESXi host users.

You must manage the local user account lockout policy on each ESXi host by using the advanced system settings in the vSphere Client or the Host Client.
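
An added audit script (not from the validated solution) that checks an exported set of ESXi advanced system settings against the expiration, complexity, and lockout decisions in Table 10. It assumes the baseline values shown and that the 20-character rotation limit the page states for vCenter Server and NSX managed accounts also applies to ESXi root rotation by SDDC Manager; the host data is constructed.

```python
"""Audit exported ESXi local-account password settings against a design baseline.

Added example for Table 10 (IAM-ESXI-SEC-001 to -003). The setting names are the
real ESXi advanced system settings; the host values and the baseline are
constructed and assumed, not taken from the validated solution.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """Assumed organizational policy values (not from the page)."""
    max_days: int = 90            # Security.PasswordMaxDays
    min_len_3class: int = 15      # pam_passwdqc N3 (three character classes)
    min_len_4class: int = 15      # pam_passwdqc N4 (four character classes)
    lock_failures: int = 5        # Security.AccountLockFailures
    unlock_seconds: int = 900     # Security.AccountUnlockTime
    rotation_max_len: int = 20    # SDDC Manager rotation limit (page states it for vCenter/NSX)


# Constructed per-host export of the four settings behind the three decisions.
SAMPLE_HOSTS = {
    "esxi01.example.local": {          # ESXi defaults: no expiry, 7-character minimum
        "Security.PasswordQualityControl": "retry=3 min=disabled,disabled,disabled,7,7",
        "Security.PasswordMaxDays": 99999,
        "Security.AccountLockFailures": 5,
        "Security.AccountUnlockTime": 900,
    },
    "esxi02.example.local": {          # compliant with the baseline
        "Security.PasswordQualityControl": "similar=deny retry=3 min=disabled,disabled,disabled,15,15",
        "Security.PasswordMaxDays": 90,
        "Security.AccountLockFailures": 5,
        "Security.AccountUnlockTime": 900,
    },
    "esxi03.example.local": {          # minimum too long for rotation, lockout disabled
        "Security.PasswordQualityControl": "retry=3 min=disabled,disabled,disabled,24,24",
        "Security.PasswordMaxDays": 90,
        "Security.AccountLockFailures": 0,
        "Security.AccountUnlockTime": 900,
    },
}


def parse_quality_control(value):
    """Parse a Security.PasswordQualityControl string (pam_passwdqc syntax).

    min= lists five lengths for N0..N4 (one class, two classes, passphrase,
    three classes, four classes); the word 'disabled' becomes None.
    """
    opts = {}
    for token in value.split():
        key, sep, val = token.partition("=")
        if not sep:
            raise ValueError(f"malformed option {token!r}")
        if key == "min":
            parts = val.split(",")
            if len(parts) != 5:
                raise ValueError(f"min= must list five classes, got {val!r}")
            opts["min"] = [None if p == "disabled" else int(p) for p in parts]
        elif key in ("retry", "max", "passphrase"):
            opts[key] = int(val)
        elif key == "similar":
            opts[key] = val
        else:
            raise ValueError(f"unknown option {key!r}")
    if "min" not in opts:
        raise ValueError("min= is required")
    return opts


def audit_host(settings, baseline=Baseline()):
    """Return the list of deviations from the baseline for one host."""
    findings = []
    max_days = settings["Security.PasswordMaxDays"]
    if max_days > baseline.max_days:
        findings.append(f"expiration: PasswordMaxDays {max_days} exceeds {baseline.max_days}")

    n0, n1, n2, n3, n4 = parse_quality_control(settings["Security.PasswordQualityControl"])["min"]
    if n0 is not None or n1 is not None:
        findings.append("complexity: one- or two-class passwords are permitted")
    for label, got, want in (("three-class", n3, baseline.min_len_3class),
                             ("four-class", n4, baseline.min_len_4class)):
        if got is not None and got < want:
            findings.append(f"complexity: {label} minimum {got} below {want}")
    # Shortest password the policy accepts at all; above 20 characters SDDC Manager
    # rotation fails (stated on the page for vCenter/NSX; assumed here for ESXi root).
    enforced = [m for m in (n0, n1, n2, n3, n4) if m is not None]
    if enforced and min(enforced) > baseline.rotation_max_len:
        findings.append(f"rotation: minimum length {min(enforced)} exceeds {baseline.rotation_max_len}")

    failures = settings["Security.AccountLockFailures"]
    if failures == 0:
        findings.append("lockout: AccountLockFailures is 0 (lockout disabled)")
    elif failures > baseline.lock_failures:
        findings.append(f"lockout: AccountLockFailures {failures} exceeds {baseline.lock_failures}")
    if settings["Security.AccountUnlockTime"] < baseline.unlock_seconds:
        findings.append("lockout: AccountUnlockTime below baseline")
    return findings


def audit_hosts(hosts, baseline=Baseline()):
    """Map each host name to its findings; a compliant host maps to []."""
    return {name: audit_host(settings, baseline) for name, settings in hosts.items()}


if __name__ == "__main__":
    for host, findings in audit_hosts(SAMPLE_HOSTS).items():
        print(host, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```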

Table 11. Design Decisions on Password Management for ESXi Hosts

Decision ID

Design Decision

Design Justification

Design Implication

IAM-ESXI-SEC-004

Change the root user password for each ESXi host on a recurring or event-initiated schedule by using SDDC Manager.

  • The password for the ESXi host's root user does not expire based on the default password expiration policy.

  • SDDC Manager manages each ESXi host in the system. The ESXi root user password must be known and managed by SDDC Manager.

  • You must manage the password update or password rotation for the root account by using SDDC Manager.

  • An automated password rotation schedule cannot be activated for ESXi hosts in SDDC Manager.

IAM-ESXI-SEC-005

Rotate the SERVICE account password for each ESXi host on a recurring or event-initiated schedule by using SDDC Manager.

  • SDDC Manager creates a SERVICE account on each ESXi host to provide access to the ESXi host over SSH as an exception user in normal lockdown mode.

  • The password for the ESXi host's SERVICE account does not expire based on the default password expiration policy.

  • SDDC Manager manages each ESXi host in the system. The ESXi root user password must be known and managed by SDDC Manager.

  • You must manage the password rotation for the SERVICE account by using SDDC Manager.

  • An automated password rotation schedule cannot be activated for ESXi hosts in SDDC Manager.

Table 12. Design Decisions on the Identity Provider for vCenter Server

Decision ID

Design Decision

Design Justification

Design Implication

IAM-VCS-SEC-001

Configure the vCenter Server instances to use Active Directory over LDAP with SSL (LDAPS) as the identity source.

  • Provides the ability for vCenter Server to connect to an Active Directory using LDAP.

  • Ensures that LDAP traffic between a vCenter Server instance and the Active Directory is encrypted.

    Microsoft recommends a hardened configuration for LDAP channel binding and LDAP signing on Active Directory domain controllers. For more information, see Microsoft Security Advisory ADV190023.

  • In a multi-domain forest, where the vCenter Server instance connects to a child domain, Active Directory security groups must have global scope. Therefore members added to the Active Directory global security group and user accounts for solution integration must reside within the same Active Directory domain.

  • If multiple VMware Cloud Foundation instances are deployed to separate Active Directory domains (for example, child domains in a multi-domain forest), the instances cannot be in enhanced linked mode.

  • A certificate is required to establish trust for the Active Directory LDAPS endpoints. You must obtain a CA-signed certificate that can be used for server authentication.

  • You must remove and reconfigure the integration between the identity provider and vCenter Server when replacing the certificates used by Active Directory over LDAP with SSL.

IAM-VCS-SEC-002

Use an Active Directory user account with minimum read-only access to the Base DN for users and groups to serve as the service account for the Active Directory bind.

Provides the following access control features:

  • Each vCenter Server instance connects to the Active Directory domain with the minimum permissions to bind and query the directory.

  • Improves the visibility in tracking request-response interactions between the vCenter Server instances and Active Directory.

You must manage the password life cycle of this Active Directory user account.

Table 13. Design Decisions on Identity and Access Management for vCenter Server

Decision ID

Design Decision

Design Justification

Design Implication

IAM-VCS-SEC-003

Assign the default Administrator role in vCenter Server to an Active Directory security group.

By assigning the Administrator role to an Active Directory security group, you can simplify and manage user access with administrative rights in vCenter Server based on your organization's personas.

  • An Active Directory security group must be created before assigning a role.

  • You must maintain the life cycle and availability of the security group in Active Directory.

IAM-VCS-SEC-004

Assign vCenter Server global permissions for the Active Directory security groups assigned the Administrator role.

By assigning the global permissions to an Active Directory security group with the Administrator role, you can manage user access with administrative rights across all management and workload domain vCenter Server instances that participate in enhanced linked mode and use the same identity provider.

None.

IAM-VCS-SEC-005

Assign the default Read-Only role in vCenter Server to an Active Directory security group.

By assigning the Read-only role to an Active Directory security group, you can simplify and manage user access with read-only rights in vCenter Server based on your organization's personas.

  • An Active Directory security group must be created before assigning a role.

  • You must maintain the life cycle and availability of the security group in Active Directory.

IAM-VCS-SEC-006

Assign vCenter Server global permissions for the Active Directory security groups assigned the Read-Only role.

By assigning global permissions to an Active Directory security group with the Read-only role, you can manage user access with read-only privileges across all management and workload domain vCenter Server instances that participate in enhanced linked mode and use the same identity provider.

None.

IAM-VCS-SEC-007

Add an Active Directory security group as a member of the vCenter Single Sign-On Administrators group.

By adding an Active Directory security group as a member of the Administrators group, you can manage user access with administrative rights to the vCenter Single Sign-On built-in identity provider based on your organization's personas.

  • An Active Directory security group must be created before assigning a role.

  • You must maintain the life cycle and availability of the security group in Active Directory.

Table 14. Design Decisions on Password Policies for vCenter Server

Decision ID

Design Decision

Design Justification

Design Implication

IAM-VCS-SEC-008

Configure the global password expiration policy for each vCenter Server instance.

You configure the global password expiration policy for each vCenter Server instance to align with the requirements of your organization, which might be based on industry compliance standards.

You must manage the password expiration policy on each vCenter Server instance by using the vCenter Server Management Interface.

IAM-VCS-SEC-009

Configure the local user password expiration policy for each vCenter Server instance.

  • You configure the local user password expiration policy for each vCenter Server instance to align with the requirements of your organization, which might be based on industry compliance standards.

  • The local user password expiration policy is applicable to the root account for the vCenter Server virtual appliance.

You must manage the local user password expiration settings on each vCenter Server instance by using both the vCenter Server Management Interface and the virtual appliance console.

IAM-VCS-SEC-010

Configure the local user password complexity policy for each vCenter Server instance.

  • You configure the local user password complexity policy for each vCenter Server instance to align with the requirements of your organization, which might be based on industry compliance standards.

  • The local user password complexity policy is applicable only to the local vCenter Server virtual appliance users.

  • You must manage the local user password complexity settings on each vCenter Server instance by using the virtual appliance console.

  • If the password complexity policy sets the minimum password length to a value greater than 20, password rotation in SDDC Manager cannot be performed for a managed account. Passwords must be updated or remediated.

IAM-VCS-SEC-011

Configure the local user account lockout policy for each vCenter Server instance.

  • You configure the local user account lockout policy for each vCenter Server instance to align with the requirements of your organization, which might be based on industry compliance standards.

  • The local user account lockout policy is applicable only to the local vCenter Server virtual appliance users.

You must manage the local user account lockout settings on each vCenter Server instance by using the virtual appliance console.

IAM-VCS-SEC-012

Configure the password expiration policy for the vCenter Single Sign-On built-in identity provider.

  • You configure the password expiration policy for the vCenter Single Sign-On built-in identity provider to align with the requirements of your organization, which might be based on industry compliance standards.

  • The password expiration policy is applicable to the built-in identity provider users only and does not impact your organization's directory services or the root account for the vCenter Server virtual appliance.

  • The password for the Administrator account of the vCenter Single Sign-On built-in identity provider does not expire based on the vCenter Server Single-Sign-On password expiration policy configuration.

You must manage the password expiration policy for the vCenter Single Sign-On built-in identity provider by using the vSphere Client.

IAM-VCS-SEC-013

Configure the password complexity policy for the vCenter Single Sign-On built-in identity provider.

  • You configure the password complexity policy for the vCenter Single Sign-On built-in identity provider to align with the requirements of your organization, which might be based on industry compliance standards.

  • The password complexity policy is applicable to the built-in identity provider users only and does not impact your organization's directory services or the root account for the vCenter Server virtual appliance.

  • You must manage the password complexity policy for the vCenter Single Sign-On built-in identity provider by using the vSphere Client.

  • If the password complexity policy sets the minimum password length to a value greater than 20, password rotation in SDDC Manager cannot be performed for a managed account. Passwords must be updated or remediated.

IAM-VCS-SEC-014

Configure the account lockout policy for the vCenter Single Sign-On built-in identity provider.

  • You configure the account lockout policy for the vCenter Single Sign-On domain to align with the requirements of your organization, which might be based on industry compliance standards.

  • The account lockout policy is applicable to the built-in identity provider users only and does not impact your organization's directory services or the root account for the vCenter Server virtual appliance.

  • The password for the vCenter Single Sign-On built-in identity provider Administrator account does not lock out based on the vCenter Server Single-Sign-On account lockout policy configuration.

You must manage the account lockout policy for the vCenter Single Sign-On built-in identity provider by using the vSphere Client.

Table 15. Design Decisions on Password Management for vCenter Server

Decision ID

Design Decision

Design Justification

Design Implication

IAM-VCS-SEC-015

For each vCenter Server instance, change the vCenter Server virtual appliance root account password on a recurring or event-initiated schedule by using SDDC Manager.

  • The password for the vCenter Server root user account expires based on the default password expiration settings. By default, SDDC Manager is configured to automate a password rotation for the root account every 90 days.

  • SDDC Manager manages each vCenter Server instance in the system. The vCenter Server virtual appliance root account password must be known and managed by SDDC Manager.

You must manage the password update or an automated password rotation schedule (default) for the root account by using SDDC Manager.

IAM-VCS-SEC-016

Change the vCenter Single Sign-On domain administrator SYSTEM account (for example, administrator@vsphere.local) password in the vCenter Single Sign-On built-in identity provider on a recurring or event-initiated schedule by using SDDC Manager.

  • The password for the vCenter Single Sign-On domain administrator SYSTEM account does not expire based on the vCenter Server Single Sign-On password expiration settings.

  • SDDC Manager manages each vCenter Server instance in the system. The vCenter Single Sign-On domain administrator SYSTEM account password must be known and managed by SDDC Manager.

You must manage the password update or an automated password rotation schedule for the SYSTEM account by using SDDC Manager.

IAM-VCS-SEC-017

Rotate the passwords for SDDC Manager SERVICE account types in the vCenter Single Sign-On built-in identity provider on a recurring or event-initiated schedule by using SDDC Manager.

  • The password for each vCenter Single Sign-On SERVICE account expires based on the vCenter Server Single Sign-On password expiration settings. By default, SDDC Manager is configured to automate a password rotation for the account every 90 days.

  • A vCenter Server instance is registered as a compute manager with its NSX Local Manager cluster during workload domain creation. This SERVICE account password must be known and managed by SDDC Manager. The passwords for the SERVICE accounts are randomly generated by SDDC Manager and cannot be manually set.

You must manage the password rotation or an automated password rotation schedule for the SERVICE account by using SDDC Manager.

Table 16. Design Decisions on Identity Management in NSX

Decision ID

Design Decision

Design Justification

Design Implication

IAM-NSX-SEC-001

Configure the standalone Workspace ONE Access instance as the authentication source for the NSX Local Managers.

  • Provides integration with Active Directory for role-based access control. You can introduce authorization policies by assignment of roles to Active Directory security groups.

  • A standalone Workspace ONE Access instance allows users to authenticate to NSX in the event of connectivity loss between regions.

  • You must have the standalone Workspace ONE Access deployed and the identity provider configured before configuring role-based access in NSX.

  • After the integration with Workspace ONE Access, to log in to NSX Manager with a local account, you must append login.jsp?local=true to the NSX Manager user interface URL.

IAM-NSX-SEC-002

Assign the default Enterprise Admin role in NSX Manager to an Active Directory security group.

By assigning the Enterprise Admin role to an Active Directory security group, you can simplify and manage user access to NSX by using the enterprise administrative access controls in Active Directory.

  • An Active Directory security group must be created before assigning a role.

  • You must maintain the life cycle and availability of the security group in Active Directory.

IAM-NSX-SEC-003

Assign the default Network Admin role in NSX Manager to an Active Directory security group.

By assigning the Network Admin role to an Active Directory security group, you can simplify and manage user access to NSX by using the enterprise administrative access controls in Active Directory.

  • An Active Directory security group must be created before assigning a role.

  • You must maintain the life cycle and availability of the security group in Active Directory.

IAM-NSX-SEC-004

Assign the default Auditor role in NSX Manager to an Active Directory security group.

By assigning the Auditor role to an Active Directory security group, you can simplify and manage user access to NSX by using the enterprise administrative access controls in Active Directory.

  • An Active Directory security group must be created before assigning a role.

  • You must maintain the life cycle and availability of the security group in Active Directory.

Table 17. Design Decisions on Password Policies for NSX

Decision ID

Design Decision

Design Justification

Design Implication

IAM-NSX-SEC-005

Configure the password expiration policy for each NSX Local Manager cluster.

  • You configure the password expiration policy for each NSX Local Manager cluster to align with the requirements of your organization, which might be based on industry compliance standards.

  • The password expiration policy is applicable to the following default active accounts for the NSX Local Manager cluster nodes:

    • root account

    • admin account

    • audit account

You must manage the password expiration policy on each NSX Local Manager cluster using the CLI or an API.

IAM-NSX-SEC-006

Configure the password complexity policy for each NSX Local Manager cluster node.

You configure the password complexity policy for each NSX Local Manager cluster node to align with the requirements of your organization, which might be based on industry compliance standards.

  • You must manage the password complexity policy on each NSX Local Manager cluster node using the virtual appliance console.

  • If the password complexity policy sets the minimum password length to a value greater than 20, automatic password rotation in SDDC Manager cannot be performed. Passwords must be updated or remediated.

IAM-NSX-SEC-007

Configure the account lockout policy on each NSX Local Manager cluster, setting the lockout behavior for the API, CLI, and user interface.

You configure the account lockout policy for each NSX Local Manager cluster to align with the requirements of your organization, which might be based on industry compliance standards.

You must manage the account lockout policy on each NSX Local Manager cluster by using the virtual appliance console.

IAM-NSX-SEC-008

Configure the password expiration policy for each NSX Edge node.

  • You configure the password expiration policy for NSX Edge nodes to align with the requirements of your organization, which might be based on industry compliance standards.

  • The password expiration policy is applicable to the following default active accounts for the NSX Edge nodes:

    • root account

    • admin account

    • audit account

You must manage the password expiration policy on each NSX Edge node by using the virtual appliance console.

IAM-NSX-SEC-009

Configure the password complexity policy for each NSX Edge node.

You configure the password complexity policy for NSX Edge nodes to align with the requirements of your organization, which might be based on industry compliance standards.

  • You must manage the password complexity policy on each NSX Edge node by using the virtual appliance console.

  • If the password complexity policy sets the minimum password length to a value greater than 20, automatic password rotation in SDDC Manager cannot be performed. Passwords must be updated or remediated.

IAM-NSX-SEC-010

Configure the account lockout policy on each NSX Edge node, setting the lockout behavior for the CLI.

You configure the account lockout policy for NSX Edge nodes to align with the requirements of your organization, which might be based on industry compliance standards.

You must manage the account lockout policy on each NSX Edge node by using the virtual appliance console.

Table 18. Design Decisions on Password Management for NSX

Decision ID

Design Decision

Design Justification

Design Implication

IAM-NSX-SEC-011

For the management domain NSX Local Manager cluster, change the root, admin, and audit account passwords on a recurring or event-initiated schedule by using SDDC Manager.

  • The passwords for the root, admin, and audit accounts for the management domain NSX Local Manager cluster expire based on the default password expiration setting for each account.

  • SDDC Manager manages the management domain NSX Local Manager cluster in the system. The root, admin, and audit account passwords must be known and managed by SDDC Manager.

You must manage the password change or an automated password rotation schedule for the root, admin, and audit accounts by using SDDC Manager.

IAM-NSX-SEC-012

For each VI workload domain NSX Local Manager cluster, change the root and the admin account passwords on a recurring or event-initiated schedule by using SDDC Manager.

  • The passwords for the root and admin accounts for each VI workload domain NSX Local Manager cluster expire based on the default password expiration settings for each account.

  • SDDC Manager manages each VI workload domain NSX Local Manager cluster in the system. The root and admin account passwords must be known and managed by SDDC Manager.

  • You must manage the password change or an automated password rotation schedule for the root and admin accounts by using SDDC Manager.

  • If the authentication policy sets the minimum password length to a value greater than 20, automatic password rotation in SDDC Manager cannot be performed. Passwords must be updated or remediated.

IAM-NSX-SEC-013

For each VI workload domain NSX Local Manager cluster, change the audit account password on a recurring or event-initiated schedule by using the API or CLI.

  • The password for the audit account for each VI workload domain NSX Local Manager cluster expires based on the password expiration settings for the account.

  • SDDC Manager does not manage the workload domain NSX Local Manager cluster audit account password.

  • You must manage the password change for the account by using the API or CLI.

  • You must monitor the password expiration of the account.

IAM-NSX-SEC-014

For each NSX Edge cluster deployed and managed by SDDC Manager, change the root, admin, and audit account passwords for each NSX Edge node on a recurring or event-initiated schedule by using SDDC Manager.

  • The passwords for the root, admin, and audit accounts for each NSX Edge node in an NSX Edge cluster managed by SDDC Manager expire based on the default password expiration settings for each account.

  • For each NSX Edge node in an NSX Edge cluster managed by SDDC Manager, the root, admin, and audit account passwords must be known and managed by SDDC Manager.

  • You must manage the password change for the accounts by using SDDC Manager.

  • If the authentication policy sets the minimum password length to a value greater than 20, automatic password rotation in SDDC Manager cannot be performed. Passwords must be updated or remediated.

Table 19. Design Decisions on Active Directory Integration for SDDC Manager

Decision ID

Design Decision

Design Justification

Design Implication

IAM-SDDC-SEC-001

Assign the Admin role in SDDC Manager to an Active Directory security group.

By assigning the Admin role to an Active Directory security group, you can simplify and manage user access with administrative rights to SDDC Manager.

  • An Active Directory security group must be created before assigning a role.

  • You must maintain the life cycle and availability of the security group in Active Directory.

IAM-SDDC-SEC-002

Assign the Operator role in SDDC Manager to an Active Directory security group.

By assigning the Operator role to an Active Directory security group, you can simplify and manage user access with operator rights to SDDC Manager.

  • An Active Directory security group must be created before assigning a role.

  • You must maintain the life cycle and availability of the security group in Active Directory.

IAM-SDDC-SEC-003

Assign the Viewer role in SDDC Manager to an Active Directory group.

By assigning the Viewer role to an Active Directory group, you can create user accounts that have read-only rights in SDDC Manager.

  • An Active Directory security group must be created before assigning a role.

  • You must maintain the life cycle and availability of the security group in Active Directory.

Table 20. Design Decisions on Password Policies for SDDC Manager

Decision ID

Design Decision

Design Justification

Design Implication

IAM-SDDC-SEC-004

Configure the password expiration policy for the SDDC Manager appliance.

  • You configure the password expiration policy for the SDDC Manager appliance to align with the requirements of your organization, which might be based on industry compliance standards.

  • The password expiration policy is applicable only to the following accounts for the SDDC Manager appliance:

    • root account

    • vcf account

    • backup account

You must manage the password expiration policy on the SDDC Manager appliance by using the virtual appliance console.

IAM-SDDC-SEC-005

Configure the password complexity policy for the SDDC Manager appliance.

  • You configure the password complexity policy for SDDC Manager to align with the requirements of your organization, which might be based on industry compliance standards.

  • The policy is applicable only to the local SDDC Manager users.

You must manage the password complexity policy on the SDDC Manager appliance by using the virtual appliance console.

IAM-SDDC-SEC-006

Configure the account lockout policy for the SDDC Manager appliance.

  • You configure the account lockout policy for SDDC Manager to align with the requirements of your organization, which might be based on industry compliance standards.

  • The policy is applicable only to the local SDDC Manager users.

You must manage the account lockout policy on the SDDC Manager appliance by using the virtual appliance console.

Table 21. Design Decisions on Password Management for SDDC Manager

Decision ID

Design Decision

Design Justification

Design Implication

IAM-SDDC-SEC-007

Change the SDDC Manager virtual appliance root, vcf, and backup account passwords on a recurring or event-initiated schedule by using the appliance shell.

  • The passwords for the root, vcf, and backup accounts for the SDDC Manager virtual appliance expire based on the default password expiration settings for each account.

  • You cannot update the SDDC Manager virtual appliance account passwords through the SDDC Manager user interface or API.

  • You must manage the password change for the virtual appliance root, vcf, and backup accounts by using the SDDC Manager virtual appliance console.

  • You must monitor the password expiration of the accounts.

IAM-SDDC-SEC-008

Change the SDDC Manager local administrative admin@local account password on a recurring or event-initiated schedule by using the API.

The password for the SDDC Manager local administrative admin@local account does not expire.

  • You must routinely perform the password change for the admin@local account by using the API.

Table 22. Design Decisions on Directories for the Standalone Workspace ONE Access

Decision ID

Design Decision

Design Justification

Design Implication

IAM-WSA-CFG-007

Connect the standalone Workspace ONE Access instance to the Active Directory domain within the same region.

You can integrate Workspace ONE Access with your organization's directory service to synchronize users and groups to a Workspace ONE Access directory.

To remove any dependency between regions, a Workspace ONE Access instance connects to the organization's directory service within the region, and not across regions.

None

IAM-WSA-CFG-008

Configure Workspace ONE Access to use Active Directory over LDAP with TLS (LDAPS) for directory services connection.

  • The embedded Workspace ONE Access connector binds to Active Directory over LDAPS using standard bind authentication.

  • Ensures that LDAP traffic between a Workspace ONE Access instance and the Active Directory is encrypted.

    Microsoft recommends a hardened configuration for LDAP channel binding and LDAP signing on Active Directory domain controllers. For more information, see Microsoft Security Advisory ADV190023.

  • In a multi-domain forest, where the standalone Workspace ONE Access instance connects to a child domain, Active Directory security groups must have global scope. Members added to the Active Directory global security group must reside within the same Active Directory domain.

  • You must configure additional Workspace ONE Access directories if authentication to more than one Active Directory domain is required.

  • You must use the root certificate of the certificate authority to establish trust between Workspace ONE Access and the Active Directory over LDAPS.

    If intermediate certificate authorities are used, add each intermediate certificate in sequence to the certificate file in PEM format.

  • You must manage the rotation of the certificate in Workspace ONE Access when the certificate authority's certificate chain is updated or renewed.

IAM-WSA-CFG-009

Use an Active Directory user account with a minimum of read-only access to the Base DNs for users and groups as the service account that binds to Active Directory.

Provides the following access control features:

  • Workspace ONE Access connects to the Active Directory with the minimum set of required permissions to bind and query the directory.

  • Improves accountability when tracking request-response interactions between Workspace ONE Access and Active Directory.

  • You must manage the password life cycle of this account.

  • You must use additional accounts to bind to each Active Directory domain if authentication to more than one Active Directory domain is required.

IAM-WSA-CFG-010

Configure the Workspace ONE Access directory to synchronize Active Directory security groups for assignment to Workspace ONE Access and NSX roles.

  • Limits the number of replicated security groups.

  • Using Active Directory security group membership provides greater flexibility in granting access to Workspace ONE Access roles.

  • Ensuring that users log in with a unique Active Directory user account provides greater visibility for auditing.

  • You must manage the groups from your organization's directory service that are synchronized to the Workspace ONE Access directory.

  • You must define and manage security groups, group membership, and security controls in Active Directory.

IAM-WSA-CFG-011

Activate the synchronization of Active Directory security group members to the directory when a group is added to the Workspace ONE Access directory.

Members of security groups are synchronized to the Workspace ONE Access directory when security groups are added from the organization's directory service. If the feature is inactive, group names are synchronized to the Workspace ONE Access directory, but security group members are not synchronized until the group is entitled to an application or the group name is added to an access policy.

None

IAM-WSA-CFG-012

Configure Workspace ONE Access to synchronize nested group members by default.

Allows Workspace ONE Access to update and cache the membership of security groups without querying your organization's directory services.

Changes to group membership are not reflected until the next synchronization event.

IAM-WSA-CFG-013

Add a filter to the directory settings to exclude users from the directory replication.

Limits the number of replicated users for each Workspace ONE Access instance within the design objectives for scalability.

To ensure that replicated user accounts are managed within the maximums, you must define a filtering schema based on your organization's directory services attributes.

IAM-WSA-CFG-014

Configure the minimum required user attributes in Active Directory to synchronize with the Workspace ONE Access directory.

Ensures successful synchronization between Active Directory and Workspace ONE Access. You configure the minimum required and any extended user attributes, which are then used to synchronize directory user accounts into Workspace ONE Access.

Active Directory accounts in your organization must have the following mapped attributes:

  • firstName in Workspace ONE Access to givenName in Active Directory

  • lastName in Workspace ONE Access to sn in Active Directory

  • email in Workspace ONE Access to mail in Active Directory

  • userName in Workspace ONE Access to sAMAccountName in Active Directory

  • If you require users to sign in with an alternate unique identifier, for example, userPrincipalName, you must map the attribute and update the identity and access management preferences.
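The user filter (IAM-WSA-CFG-013) and the required attribute mapping (IAM-WSA-CFG-014) can be checked against Active Directory entries before a synchronization runs. The following is an added example, not VMware code: the mapping comes from the design decision above, while the exclusion filter, the domain names and the sample entries are constructed for illustration.

```python
"""Pre-synchronization check of Active Directory user entries against the attribute
mapping that the Workspace ONE Access directory requires (added example, not VMware code).
The mapping follows the design decision text; the exclusion filter and the sample
entries are constructed for illustration."""
from typing import Callable, Dict, List

# Workspace ONE Access attribute -> Active Directory attribute (from the design decision)
REQUIRED_MAPPING = {
    "firstName": "givenName",
    "lastName": "sn",
    "email": "mail",
    "userName": "sAMAccountName",
}

ACCOUNTDISABLE = 0x0002  # userAccountControl flag bit for a disabled AD account

AdEntry = Dict[str, str]


def missing_mapped_attributes(entry: AdEntry) -> List[str]:
    """Return the Workspace ONE Access attributes that cannot be populated because
    the mapped Active Directory attribute is absent or empty on this entry."""
    return [
        wsa_attr
        for wsa_attr, ad_attr in REQUIRED_MAPPING.items()
        if not entry.get(ad_attr, "").strip()
    ]


def exclude_from_replication(entry: AdEntry) -> bool:
    """Assumed directory filter (IAM-WSA-CFG-013): exclude disabled accounts and anything
    under the service-account OU so they are never replicated. Returns True to exclude."""
    uac = int(entry.get("userAccountControl", "0"))
    in_service_ou = "OU=Service Accounts" in entry.get("distinguishedName", "")
    return bool(uac & ACCOUNTDISABLE) or in_service_ou


def sync_report(entries: List[AdEntry],
                exclude: Callable[[AdEntry], bool] = exclude_from_replication) -> dict:
    """Classify each entry as excluded by the filter, ready to synchronize, or blocked
    (with the list of Workspace ONE Access attributes that cannot be mapped)."""
    report = {"excluded": [], "ready": [], "blocked": {}}
    for entry in entries:
        name = entry.get("sAMAccountName") or entry.get("distinguishedName", "<unknown>")
        if exclude(entry):
            report["excluded"].append(name)
            continue
        missing = missing_mapped_attributes(entry)
        if missing:
            report["blocked"][name] = missing
        else:
            report["ready"].append(name)
    return report


# Constructed sample entries, shaped like LDAP search results from a child domain.
SAMPLE_ENTRIES: List[AdEntry] = [
    {"distinguishedName": "CN=Alice Adams,OU=Users,DC=sfo,DC=example,DC=com",
     "sAMAccountName": "alice", "givenName": "Alice", "sn": "Adams",
     "mail": "alice@example.com", "userAccountControl": "512"},
    {"distinguishedName": "CN=svc-wsa-bind,OU=Service Accounts,DC=sfo,DC=example,DC=com",
     "sAMAccountName": "svc-wsa-bind", "givenName": "svc", "sn": "wsa-bind",
     "mail": "", "userAccountControl": "512"},
    {"distinguishedName": "CN=Bob Brown,OU=Users,DC=sfo,DC=example,DC=com",
     "sAMAccountName": "bob", "givenName": "Bob", "sn": "Brown",
     "userAccountControl": "512"},  # no mail attribute: this user would fail to sync
    {"distinguishedName": "CN=Carol Cole,OU=Users,DC=sfo,DC=example,DC=com",
     "sAMAccountName": "carol", "givenName": "Carol", "sn": "Cole",
     "mail": "carol@example.com", "userAccountControl": "514"},  # 512 | ACCOUNTDISABLE
]

if __name__ == "__main__":
    print(sync_report(SAMPLE_ENTRIES))
```

Accounts listed under blocked are the ones whose synchronization would fail until the missing attribute is populated in Active Directory.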

IAM-WSA-CFG-015

Configure the directory synchronization frequency to 15 minutes.

Ensures that any changes to group memberships in your organization's directory services are available for integrated solutions in a timely manner.

Schedule the synchronization interval to be longer than the time it takes to synchronize the enterprise directory. Otherwise, if a synchronization is still running when the next one is scheduled to start, the new synchronization starts only after the previous one ends and the process becomes continuous.

Table 23. Design Decisions on Identity Management for standalone Workspace ONE Access

Decision ID

Design Decision

Design Justification

Design Implication

IAM-WSA-SEC-005

Assign the default Super Admins role in Workspace ONE Access to an Active Directory security group.

By assigning the Super Admins role to an Active Directory security group, you can simplify and manage user access with administrative rights in Workspace ONE Access.

  • An Active Directory security group must be created before assigning a role.

  • You must maintain the life cycle and availability of an Active Directory security group outside of the SDDC stack.

IAM-WSA-SEC-006

Assign the default Directory Admins role in Workspace ONE Access to an Active Directory security group.

By assigning the Directory Admins role to an Active Directory security group, you can simplify and manage user access with administrative rights in Workspace ONE Access.

  • An Active Directory security group must be created before assigning a role.

  • You must maintain the life cycle and availability of an Active Directory security group outside of the SDDC stack.

IAM-WSA-SEC-007

Assign the default ReadOnly role in Workspace ONE Access to an Active Directory security group.

By assigning the ReadOnly role to an Active Directory security group, you can simplify and manage user access to Workspace ONE Access.

  • An Active Directory security group must be created before assigning a role.

  • You must maintain the life cycle and availability of an Active Directory security group outside of the SDDC stack.

Table 24. Design Decisions on Password Policies for the Standalone Workspace ONE Access

Decision ID

Design Decision

Design Justification

Design Implication

IAM-WSA-SEC-008

Configure the local user password expiration policy for each standalone Workspace ONE Access virtual appliance.

  • You configure the local user password expiration policy for each standalone Workspace ONE Access virtual appliance to align with the requirements of your organization, which might be based on industry compliance standards.

  • The local user password expiration policy is applicable to the following default accounts for the Workspace ONE Access virtual appliance:

    • root account

    • sshuser account

You must manage the local user password expiration settings on each standalone Workspace ONE Access virtual appliance by using the virtual appliance console.

IAM-WSA-SEC-009

Configure the local user password complexity policy for each Workspace ONE Access virtual appliance.

  • You configure the local user password complexity policy for each standalone Workspace ONE Access instance to align with the requirements of your organization, which might be based on industry compliance standards.

  • The local user password complexity policy is applicable only to the local user accounts on the Workspace ONE Access virtual appliance.

You must manage the local user password complexity settings on each standalone Workspace ONE Access virtual appliance by using the virtual appliance console.

IAM-WSA-SEC-0010

Configure the local user account lockout policy for each Workspace ONE Access virtual appliance.

  • You configure the local user account lockout policy for each standalone Workspace ONE Access instance to align with the requirements of your organization, which might be based on industry compliance standards.

  • The local user account lockout policy is applicable only to the local user accounts on the Workspace ONE Access virtual appliance.

You must manage the local user account lockout settings on each standalone Workspace ONE Access virtual appliance using the virtual appliance console.

IAM-WSA-SEC-0011

Configure the password expiration policy for the Workspace ONE Access local directory (system-domain) users.

  • You set a password expiration policy for the Workspace ONE Access local directory users to align with the requirements of your organization, which might be based on industry compliance standards.

  • The password policy is applicable only to the Workspace ONE Access local directory users.

The SMTP settings for the Workspace ONE Access instance must be configured to ensure notifications are operational if a user password in the local user directory is expiring, expired, or must be reset.

IAM-WSA-SEC-0012

Configure the password complexity policy for the Workspace ONE Access local directory (system-domain) users.

  • You set a password complexity policy for the Workspace ONE Access local directory users to align with the requirements of your organization, which might be based on industry compliance standards.

  • The password policy is applicable only to the Workspace ONE Access local directory users.

None.

IAM-WSA-SEC-0013

Configure the account lockout policy for the Workspace ONE Access local directory (system-domain) users.

  • You set an account lockout policy for the Workspace ONE Access local directory users to align with the requirements of your organization, which might be based on industry compliance standards.

  • The policy is applicable only to the Workspace ONE Access local directory users.

None.

Table 25. Design Decisions on Password Management for standalone Workspace ONE Access

Decision ID

Design Decision

Design Justification

Design Implication

IAM-WSA-SEC-014

Change the standalone Workspace ONE Access appliance root and sshuser account passwords on a recurring or event-initiated schedule.

The passwords for the Workspace ONE Access virtual appliance root and sshuser accounts expire based on the default password expiration policy for each account.

  • You must manage the password change for the root and sshuser accounts.

  • You must manage the password change on each standalone Workspace ONE Access virtual appliance by using the virtual appliance console.

  • You must monitor the password expiration of the accounts.
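Both IAM-SDDC-SEC-007 (SDDC Manager root, vcf and backup) and IAM-WSA-SEC-014 (Workspace ONE Access root and sshuser) leave expiration monitoring of appliance-local accounts to you, and those accounts are reachable only from the appliance console. The following is an added example, not VMware code: it parses the output of `chage -l <account>` as the standard shadow utilities print it, flags expired, soon-to-expire and never-expiring passwords, and uses constructed sample output rather than captured appliance output.

```python
"""Password-expiration monitor for appliance-local accounts (added example, not VMware code).
It parses the output of `chage -l <account>` as run on the SDDC Manager or Workspace ONE
Access appliance and flags passwords that are expired, expiring soon, or set to never
expire. The sample outputs below are constructed, not captured from an appliance."""
import subprocess
from datetime import date, datetime
from typing import Dict, Iterable, Optional


def parse_chage_expiry(chage_output: str) -> Optional[date]:
    """Return the date on the 'Password expires' line, or None when it reads 'never'."""
    for line in chage_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Password expires":
            value = value.strip()
            if value == "never":
                return None
            return datetime.strptime(value, "%b %d, %Y").date()
    raise ValueError("no 'Password expires' line in chage output")


def classify(outputs: Dict[str, str], today: date, warn_days: int = 14) -> Dict[str, str]:
    """Map each account to 'expired', 'expiring', 'ok' or 'never-expires'.
    'never-expires' is reported because it contradicts the expiration policy."""
    status = {}
    for account, output in outputs.items():
        expiry = parse_chage_expiry(output)
        if expiry is None:
            status[account] = "never-expires"
        elif expiry < today:
            status[account] = "expired"
        elif (expiry - today).days <= warn_days:
            status[account] = "expiring"
        else:
            status[account] = "ok"
    return status


def collect_live(accounts: Iterable[str]) -> Dict[str, str]:
    """Run chage -l on the local appliance for each account (needs root privileges)."""
    return {a: subprocess.run(["chage", "-l", a], capture_output=True, text=True,
                              check=True).stdout for a in accounts}


def _chage_text(last_change: str, expires: str, max_days: str) -> str:
    # Builds text in the layout chage -l prints (constructed sample, not captured output).
    return (
        f"Last password change\t\t\t\t\t: {last_change}\n"
        f"Password expires\t\t\t\t\t: {expires}\n"
        "Password inactive\t\t\t\t\t: never\n"
        "Account expires\t\t\t\t\t\t: never\n"
        "Minimum number of days between password change\t\t: 0\n"
        f"Maximum number of days between password change\t\t: {max_days}\n"
        "Number of days of warning before password expires\t: 7\n"
    )


SAMPLE_OUTPUTS = {
    "root": _chage_text("Apr 02, 2024", "Jul 01, 2024", "90"),
    "vcf": _chage_text("Mar 22, 2024", "Jun 20, 2024", "90"),
    "backup": _chage_text("Jan 15, 2024", "never", "99999"),
    "sshuser": _chage_text("Mar 01, 2024", "May 30, 2024", "90"),
}

if __name__ == "__main__":
    for account, state in classify(SAMPLE_OUTPUTS, date.today()).items():
        print(f"{account}: {state}")
```

On an appliance, replace SAMPLE_OUTPUTS with collect_live(["root", "vcf", "backup"]) or collect_live(["root", "sshuser"]) and feed the result into an existing alerting channel.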

IAM-WSA-SEC-015

Change the standalone Workspace ONE Access local user directory admin account password on a recurring or event-initiated schedule.

The password for the Workspace ONE Access application local user directory admin account does not expire.

  • You must manage the password change for the local user admin account.

  • You must manage the password change on each standalone Workspace ONE Access virtual appliance with the /usr/sbin/hznAdminTool command in the virtual appliance console.

  • You must manage the password change for the account.

IAM-WSA-SEC-016

Change the standalone Workspace ONE Access application local admin account password on a recurring or event-initiated schedule.

By default, the password for the Workspace ONE Access application local admin does not expire.

  • You must manage the password change for the local admin account.

  • You must manage the password change on each standalone Workspace ONE Access virtual appliance by using the Workspace ONE Access Configuration UI (for example, https://<fqdn>:8443/cfg/) or with the /usr/sbin/hznAdminTool command in the virtual appliance console.

  • You must manage the password change for the account.

Table 26. Design Decisions on Certificates for the Standalone Workspace ONE Access

Decision ID

Design Decision

Design Justification

Design Implication

IAM-WSA-SEC-017

Replace the default self-signed certificate with a CA-signed certificate during the deployment of the standalone Workspace ONE Access instance.

Ensures that all communication to the user interface and API endpoints of Workspace ONE Access is encrypted.

  • Replacing the default certificate with a trusted CA-signed certificate increases the deployment preparation time because certificate requests must be generated and delivered.

  • You must manage the life cycle of the certificate replacement.

  • The SSL certificate key size must be 2048 or 4096 bits.

IAM-WSA-SEC-018

Import the certificate for the Root Certificate Authority to the standalone Workspace ONE Access instance.

Ensures that the Certificate Authority is trusted by the Workspace ONE Access instance.

None

IAM-WSA-SEC-019

Use a SHA-2 or higher algorithm when signing certificates.

The SHA-1 algorithm is considered less secure and is deprecated.

Not all certificate authorities support SHA-2.

IAM-WSA-SEC-020

Rotate the CA-signed certificate of the standalone Workspace ONE Access instance on a recurring or event-initiated schedule.

Ensures that all communication to the user interface and API endpoints of Workspace ONE Access, and between the components, continues to be encrypted with a certificate that is neither expired nor compromised.

  • Replacing the certificate with a trusted CA-signed certificate may require preparation time because certificate requests must be generated and delivered.

  • You must continue to manage the life cycle of the certificate replacement.

  • The SSL certificate key size must be 2048 or 4096 bits.

Solution Interoperability

Table 27. Design Decisions on Monitoring of Identity and Access Management

Decision ID

Design Decision

Design Justification

Design Implication

IAM-WSA-MON-001

Configure vRealize Operations Manager with a VMware Identity Manager adapter for the standalone Workspace ONE Access instance.

vRealize Operations Manager uses the adapter for the standalone Workspace ONE Access instance to collect monitoring metrics.

None.

IAM-WSA-MON-002

Configure the standalone Workspace ONE Access endpoints to use the remote collector group.

  • Local-instance components are configured to use the remote collector group.

  • Offloads data collection for local management components from the analytics cluster.

None.

IAM-WSA-MON-003

Add a Ping adapter for the standalone Workspace ONE Access instance.

Provides metrics on the availability of the standalone Workspace ONE Access.

You must add the adapter instances manually.

IAM-WSA-MON-004

Configure the Ping adapter for the standalone Workspace ONE Access instance to use the remote collector group.

  • Local-instance components are configured to use the remote collector group.

  • Offloads data collection for local management components from the analytics cluster.

None.

Table 28. Design Decisions on Logging of Identity and Access Management

Decision ID

Design Decision

Design Justification

Design Implication

IAM-WSA-LOG-001

Install the vRealize Log Insight agent on the standalone Workspace ONE Access instance.

The vRealize Log Insight agent is required to collect and transfer logs to the vRealize Log Insight instances.

None.

IAM-WSA-LOG-002

Configure the vRealize Log Insight agent to transmit logs from the standalone Workspace ONE Access instance to the adjacent vRealize Log Insight in the VMware Cloud Foundation instance using the vRealize Log Insight ingestion API, cfapi, on port 9000.

Ensures that logs from the standalone Workspace ONE Access instance are forwarded to the adjacent vRealize Log Insight instance using the ingestion API.

This configuration is unencrypted. To ensure that the transmission of logs between the standalone Workspace ONE Access instance and vRealize Log Insight is encrypted using TLS, you must update the Workspace ONE Access configuration to send logs to vRealize Log Insight using the ingestion API, cfapi, on port 9543, by editing the agent configuration (/etc/liagent.ini).

IAM-WSA-LOG-003

Configure a dedicated Workspace ONE Access agent group and assign the standalone Workspace ONE Access instance FQDN.

  • Provides a standardized configuration to all vRealize Log Insight agents in each of the groups.

  • Defines the vRealize Log Insight agent configuration for log collection and parsing in the context of the SDDC components, such as specific log directories, files, and formats.

Adds minimal load to vRealize Log Insight.

IAM-WSA-LOG-004

Configure a dedicated Photon OS agent group and assign the standalone Workspace ONE Access instance FQDN.

  • Provides a standardized configuration to all vRealize Log Insight agents in each of the groups.

  • Defines the vRealize Log Insight agent configuration for log collection and parsing in the context of the SDDC components, such as specific log directories, files, and formats.

Adds minimal load to vRealize Log Insight.