The appendix aggregates all design decisions of the Identity and Access Management for VMware Cloud Foundation validated solution. You can use this design decision list for reference related to the end state of the environment and potentially to track your level of adherence to the design and any justification for deviations.

Information Security and Access Design

Table 1. Design Decisions on Information Security

Decision ID

Design Decision

Design Justification

Design Implication

IAM-VCF-SEC-001

Limit the use of local accounts for interactive or API access and for solution integration.

Local accounts are not specific to user identity and do not offer complete auditing from an endpoint back to the user identity.

You must define and manage service accounts, security groups, group membership, and security controls in Active Directory.

IAM-VCF-SEC-002

Limit the scope and privileges of accounts used for interactive or API access and for solution integration.

The principle of least privilege is a critical aspect of access management and must be part of a comprehensive defense-in-depth security strategy.

You must define and manage custom roles and security controls to limit the scope and privileges used for interactive access or solution integration.

IAM-VCF-SEC-003

Assign Active Directory user accounts to security groups following your organization's access policies.

Allows Active Directory security groups to be assigned to roles in SDDC components for streamlined management of access and administrative privileges.

You must define and manage security groups, group membership, and security controls in Active Directory.

IAM-VCF-SEC-004

Assign Active Directory security groups to default or custom roles, as applicable, for interactive or API access to solution components based on your organization's business and security requirements.

  • SDDC Manager

  • ESXi (as applicable)

  • vCenter Servers

  • NSX Managers

  • Using Active Directory security group membership provides greater flexibility in granting access to roles across solution components.

  • Ensuring that users log in with a unique Active Directory user account provides greater visibility for auditing.

  • Evaluate the needs for additional role separation in your organization and implement mapping from Active Directory users to Active Directory security groups and default or custom roles.

  • You must manage privileges assigned to custom roles.

  • You must manage the assignment and scope of custom roles based on the business and security requirements.

  • Additional Active Directory security groups must be created before assigning roles.

  • You must maintain the life cycle and availability of Active Directory security groups outside of the SDDC stack.

  • The principle of least privilege is only one aspect of access management and must be part of a comprehensive defense-in-depth security strategy aligned with organization personas.

Table 2. Design Decisions on Password Policies for ESXi Hosts

Decision ID

Design Decision

Design Justification

Design Implication

IAM-ESXI-SEC-001

Configure the password expiration policy for each ESXi host.

  • You configure the password expiration for ESXi hosts to align with the requirements of your organization which might be based on industry compliance standards.

  • The password expiration policy is applicable to the following default accounts for a commissioned ESXi host:

    • root account

    • SERVICE account

  • The policy is applicable only to the local ESXi host users.

You must manage the local user password expiration policy on each ESXi host by using the advanced system settings in the vSphere Client or the Host Client.

IAM-ESXI-SEC-002

Configure the password complexity policy for each ESXi host.

  • You configure the password complexity policy for ESXi hosts to align with the requirements of your organization which might be based on industry compliance standards.

  • The password complexity policy is applicable only to the local ESXi host users.

You must manage the local user password complexity policy on each ESXi host by using the advanced system settings in the vSphere Client or the Host Client.

IAM-ESXI-SEC-003

Configure the account lockout policy for each ESXi host.

  • You configure the account lockout policy for ESXi hosts to align with the requirements of your organization which might be based on industry compliance standards.

  • The policy is applicable only to the local ESXi host users.

You must manage the local user account lockout policy on each ESXi host by using the advanced system settings in the vSphere Client or the Host Client.
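The three ESXi decisions above all end in the same implication: the policy lives in per-host advanced settings that you manage yourself. The following Python script is an added example, not part of the VMware design or its tooling. It parses the documented `Security.PasswordQualityControl`, `Security.PasswordMaxDays`, `Security.AccountLockFailures` and `Security.AccountUnlockTime` values for a host and compares them with an organization baseline; the baseline thresholds and both host value sets are constructed samples, and how the values are collected (for instance with PowerCLI's Get-AdvancedSetting) is left to the reader.

```python
"""Audit ESXi local-account password policy advanced settings (added example).

The four Security.* names are documented ESXi advanced settings; the host
values below are constructed samples, not read from a real host.
"""
from dataclasses import dataclass

SETTING_QUALITY = "Security.PasswordQualityControl"      # complexity (IAM-ESXI-SEC-002)
SETTING_MAX_DAYS = "Security.PasswordMaxDays"            # expiration (IAM-ESXI-SEC-001)
SETTING_LOCK_FAILURES = "Security.AccountLockFailures"   # lockout (IAM-ESXI-SEC-003)
SETTING_UNLOCK_TIME = "Security.AccountUnlockTime"       # lockout duration in seconds

# Field order of "min=N0,N1,N2,N3,N4": minimum length for passwords built from
# one, two, (passphrase), three and four character classes.
CLASS_FIELDS = ("one_class", "two_classes", "passphrase", "three_classes", "four_classes")


def parse_quality_control(value: str) -> dict:
    """Parse e.g. 'retry=3 min=disabled,disabled,disabled,7,7' into a dict."""
    policy = {"retry": None, "min": {}, "options": {}}
    for token in value.split():
        key, _, val = token.partition("=")
        if key == "retry":
            policy["retry"] = int(val)
        elif key == "min":
            parts = val.split(",")
            if len(parts) != len(CLASS_FIELDS):
                raise ValueError(f"min= needs {len(CLASS_FIELDS)} fields, got {len(parts)}")
            for name, part in zip(CLASS_FIELDS, parts):
                policy["min"][name] = None if part == "disabled" else int(part)
        else:
            policy["options"][key] = val   # e.g. similar=deny, passphrase=3
    return policy


def weakest_allowed_length(policy: dict):
    """Shortest password any enabled class accepts; None if every class is disabled."""
    enabled = [n for n in policy["min"].values() if n is not None]
    return min(enabled) if enabled else None


@dataclass(frozen=True)
class Baseline:
    """Organization thresholds (constructed values, not a VMware recommendation)."""
    min_length: int = 15
    max_days: int = 90
    max_lock_failures: int = 5
    min_unlock_seconds: int = 900


def audit_host(name: str, settings: dict, baseline: Baseline = Baseline()) -> list:
    """Return one finding string per policy value that misses the baseline."""
    findings = []
    weakest = weakest_allowed_length(parse_quality_control(settings[SETTING_QUALITY]))
    if weakest is None:
        findings.append(f"{name}: every password class is disabled")
    elif weakest < baseline.min_length:
        findings.append(f"{name}: minimum length {weakest} < {baseline.min_length}")
    max_days = int(settings[SETTING_MAX_DAYS])
    if max_days > baseline.max_days:
        findings.append(f"{name}: password lifetime {max_days} days > {baseline.max_days}")
    failures = int(settings[SETTING_LOCK_FAILURES])
    if failures == 0 or failures > baseline.max_lock_failures:   # 0 disables lockout
        findings.append(f"{name}: lockout after {failures} failures (baseline {baseline.max_lock_failures})")
    unlock = int(settings[SETTING_UNLOCK_TIME])
    if unlock < baseline.min_unlock_seconds:
        findings.append(f"{name}: unlock time {unlock}s < {baseline.min_unlock_seconds}s")
    return findings


# Constructed sample values: one host left at its default-style values, one hardened.
DEFAULT_HOST = {
    SETTING_QUALITY: "retry=3 min=disabled,disabled,disabled,7,7",
    SETTING_MAX_DAYS: "99999",
    SETTING_LOCK_FAILURES: "5",
    SETTING_UNLOCK_TIME: "900",
}
HARDENED_HOST = {
    SETTING_QUALITY: "retry=3 min=disabled,disabled,disabled,disabled,15 similar=deny",
    SETTING_MAX_DAYS: "90",
    SETTING_LOCK_FAILURES: "3",
    SETTING_UNLOCK_TIME: "900",
}

if __name__ == "__main__":
    for host, cfg in (("esxi01", DEFAULT_HOST), ("esxi02", HARDENED_HOST)):
        print(host, audit_host(host, cfg) or "compliant")
```

Run across every commissioned host and the findings list is the adherence record the appendix asks you to keep: the sample "default" host is flagged for its 7-character minimum and its 99999-day lifetime, which is why the root password never expires under the default policy, as IAM-ESXI-SEC-004 notes.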

Table 3. Design Decisions on Password Management for ESXi Hosts

Decision ID

Design Decision

Design Justification

Design Implication

IAM-ESXI-SEC-004

Change the root user password for each ESXi host on a recurring or event-initiated schedule by using SDDC Manager.

  • The password for the ESXi host's root user does not expire based on the default password expiration policy.

  • SDDC Manager manages each ESXi host in the system. The ESXi root user password must be known and managed by SDDC Manager.

  • You must manage the password update or password rotation for the root account by using SDDC Manager.

  • An automated password rotation schedule cannot be activated for ESXi hosts in SDDC Manager.

IAM-ESXI-SEC-005

Rotate the SERVICE account password for each ESXi host on a recurring or event-initiated schedule by using SDDC Manager.

  • SDDC Manager creates a SERVICE account on each ESXi host to provide access to the ESXi host over SSH as an exception user in normal lockdown mode.

  • The password for the ESXi host's SERVICE account does not expire based on the default password expiration policy.

  • SDDC Manager manages each ESXi host in the system. The ESXi root user password must be known and managed by SDDC Manager.

  • You must manage the password rotation for the SERVICE account by using SDDC Manager.

  • An automated password rotation schedule cannot be activated for ESXi hosts in SDDC Manager.

Table 4. Design Decisions on the Identity Provider for vCenter Server

Decision ID

Design Decision

Design Justification

Design Implication

IAM-VCS-SEC-001

Configure the vCenter Server instances to use Active Directory over LDAP with SSL (LDAPS) as the identity source.

  • Provides the ability for vCenter Server to connect to an Active Directory using LDAP.

  • Ensures that LDAP traffic between a vCenter Server instance and the Active Directory is encrypted.

    Microsoft recommends a hardened configuration for LDAP channel binding and LDAP signing on Active Directory domain controllers. For more information, see Microsoft Security Advisory ADV190023.

  • In a multi-domain forest, where the vCenter Server instance connects to a child domain, Active Directory security groups must have global scope. Therefore, members added to the Active Directory global security group and user accounts for solution integration must reside within the same Active Directory domain.

  • If multiple VMware Cloud Foundation instances are deployed to separate Active Directory domains (for example, child domains in a multi-domain forest), the instances cannot be in enhanced linked mode.

  • A certificate is required to establish trust for the Active Directory LDAPS endpoints. You must obtain a CA-signed certificate that can be used for server authentication.

  • You must remove and reconfigure the integration between the identity provider and vCenter Server when replacing the certificates used by Active Directory over LDAP with SSL.

IAM-VCS-SEC-002

Use an Active Directory user account with minimum read-only access to the Base DN for users and groups to serve as the service account for the Active Directory bind.

Provides the following access control features:

  • Each vCenter Server instance connects to the Active Directory domain with the minimum permissions to bind and query the directory.

  • Improves the visibility in tracking request-response interactions between the vCenter Server instances and Active Directory.

You must manage the password life cycle of this Active Directory user account.

Table 5. Design Decisions on Identity and Access Management for vCenter Server

Decision ID

Design Decision

Design Justification

Design Implication

IAM-VCS-SEC-003

Assign the default Administrator role in vCenter Server to an Active Directory security group.

By assigning the Administrator role to an Active Directory security group, you can simplify and manage user access with administrative rights in vCenter Server based on your organization's personas.

  • An Active Directory security group must be created before assigning a role.

  • You must maintain the life cycle and availability of the security group in Active Directory.

IAM-VCS-SEC-004

Assign vCenter Server global permissions for the Active Directory security groups assigned the Administrator role.

By assigning the global permissions to an Active Directory security group with the Administrator role, you can manage user access with administrative rights across all management and workload domain vCenter Server instances that participate in enhanced linked mode and use the same identity provider.

None.

IAM-VCS-SEC-005

Assign the default Read-Only role in vCenter Server to an Active Directory security group.

By assigning the Read-only role to an Active Directory security group, you can simplify and manage user access with read-only rights in vCenter Server based on your organization's personas.

  • An Active Directory security group must be created before assigning a role.

  • You must maintain the life cycle and availability of the security group in Active Directory.

IAM-VCS-SEC-006

Assign vCenter Server global permissions for the Active Directory security groups assigned the Read-Only role.

By assigning global permissions to an Active Directory security group with the Read-only role, you can manage user access with read-only privileges across all management and workload domain vCenter Server instances that participate in enhanced linked mode and use the same identity provider.

None.

IAM-VCS-SEC-007

Add an Active Directory security group as a member of the vCenter Single Sign-On Administrators group.

By adding an Active Directory security group as a member of the Administrators group, you can manage user access with administrative rights to the vCenter Single Sign-On built-in identity provider based on your organization's personas.

  • An Active Directory security group must be created before assigning a role.

  • You must maintain the life cycle and availability of the security group in Active Directory.
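Tables 1, 4 and 5 together define what a compliant vCenter Server permission looks like: the principal is an Active Directory security group rather than a user or a local account, the group has global scope where a child domain is involved, and the Administrator and Read-Only roles are granted as global permissions. The Python script below is an added example (not VMware code) that audits an exported list of permission entries against those decisions. The entry and group records are constructed sample data; "VSPHERE.LOCAL" is assumed here as the name of the built-in identity provider domain, and the reduction of an exported permission to (principal, is_group, role, is_global) is an assumption about your export format.

```python
"""Audit vCenter Server role assignments against the AD-group design (added example).

The permission entries and AD groups below are constructed sample data, not an
export from a real environment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AdGroup:
    name: str
    domain: str
    scope: str          # "Global", "Universal" or "DomainLocal"


@dataclass(frozen=True)
class Assignment:
    principal: str      # "DOMAIN\\name" as shown in the vSphere Client
    is_group: bool
    role: str
    is_global: bool     # True when granted as a vCenter Server global permission


# Roles the design binds to AD groups through global permissions (IAM-VCS-SEC-003 to -006).
GLOBAL_ROLES = {"Administrator", "Read-Only"}


def audit_assignments(assignments, ad_groups, local_domains, multi_domain_forest=False):
    """Return one finding per assignment that deviates from the design decisions."""
    groups = {(g.domain.upper(), g.name.lower()): g for g in ad_groups}
    local = {d.upper() for d in local_domains}
    findings = []
    for a in assignments:
        domain, _, name = a.principal.partition("\\")
        if domain.upper() in local:
            findings.append(f"{a.principal}: local identity-provider account holds {a.role} (IAM-VCF-SEC-001)")
            continue
        if not a.is_group:
            findings.append(f"{a.principal}: {a.role} granted to a user, not a security group (IAM-VCF-SEC-003)")
            continue
        group = groups.get((domain.upper(), name.lower()))
        if group is None:
            findings.append(f"{a.principal}: security group not found in the Active Directory inventory")
            continue
        if multi_domain_forest and group.scope != "Global":
            findings.append(f"{a.principal}: scope {group.scope}, but global scope is required (IAM-VCS-SEC-001)")
        if a.role in GLOBAL_ROLES and not a.is_global:
            findings.append(f"{a.principal}: {a.role} is not a global permission (IAM-VCS-SEC-004/-006)")
    return findings


# Constructed sample data; "VSPHERE.LOCAL" stands in for the built-in SSO domain.
AD_GROUPS = [
    AdGroup("vc-admins", "CORP", "Global"),
    AdGroup("vc-readonly", "CORP", "Global"),
    AdGroup("vc-admins", "CHILD", "DomainLocal"),
]
ASSIGNMENTS = [
    Assignment("CORP\\vc-admins", True, "Administrator", True),                # compliant
    Assignment("CORP\\vc-readonly", True, "Read-Only", False),                  # object-level only
    Assignment("CORP\\jdoe", False, "Administrator", True),                     # direct user grant
    Assignment("CHILD\\vc-admins", True, "Administrator", True),                # wrong group scope
    Assignment("VSPHERE.LOCAL\\Administrator", False, "Administrator", True),   # local account
]


def run_sample(multi_domain_forest=True):
    return audit_assignments(ASSIGNMENTS, AD_GROUPS, {"VSPHERE.LOCAL"}, multi_domain_forest)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The scope check only fires when `multi_domain_forest` is set, matching IAM-VCS-SEC-001, which requires global scope only where the vCenter Server instance binds to a child domain; in a single-domain forest the same inventory yields one finding fewer.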

Table 6. Design Decisions on Password Policies for vCenter Server

Decision ID

Design Decision

Design Justification

Design Implication

IAM-VCS-SEC-008

Configure the global password expiration policy for each vCenter Server instance.

You configure the global password expiration policy for each vCenter Server instance to align with the requirements of your organization which might be based on industry compliance standards.

You must manage the password expiration policy on each vCenter Server instance by using the vCenter Server Management Interface.

IAM-VCS-SEC-009

Configure the local user password expiration policy for each vCenter Server instance.

  • You configure the local user password expiration policy for each vCenter Server instance to align with the requirements of your organization which might be based on industry compliance standards.

  • The local user password expiration policy is applicable to the root account for the vCenter Server virtual appliance.

You must manage the local user password expiration settings on each vCenter Server instance by using both the vCenter Server Management Interface and the virtual appliance console.

IAM-VCS-SEC-010

Configure the local user password complexity policy for each vCenter Server instance.

  • You configure the local user password complexity policy for each vCenter Server instance to align with the requirements of your organization which might be based on industry compliance standards.

  • The local user password complexity policy is applicable only to the local vCenter Server virtual appliance users.

  • You must manage the local user password complexity settings on each vCenter Server instance by using the virtual appliance console.

  • If the password complexity policy sets the minimum password length to a value greater than 20, password rotation in SDDC Manager cannot be performed for a managed account. Passwords must be updated or remediated.

IAM-VCS-SEC-011

Configure the local user account lockout policy for each vCenter Server instance.

  • You configure the local user account lockout policy for each vCenter Server instance to align with the requirements of your organization which might be based on industry compliance standards.

  • The local user account lockout policy is applicable only to the local vCenter Server virtual appliance users.

You must manage the local user account lockout settings on each vCenter Server instance by using the virtual appliance console.

IAM-VCS-SEC-012

Configure the password expiration policy for the vCenter Single Sign-On built-in identity provider.

  • You configure the password expiration policy for the vCenter Single Sign-On built-in identity provider to align with the requirements of your organization which might be based on industry compliance standards.

  • The password expiration policy is applicable to the built-in identity provider users only and does not impact your organization's directory services or the root account for the vCenter Server virtual appliance.

  • The password for the Administrator account of the vCenter Single Sign-On built-in identity provider does not expire based on the default vCenter Single Sign-On password expiration policy configuration.

You must manage the password expiration policy for the vCenter Single Sign-On built-in identity provider by using the vSphere Client.

IAM-VCS-SEC-013

Configure the password complexity policy for the vCenter Single Sign-On built-in identity provider.

  • You configure the password complexity policy for the vCenter Single Sign-On built-in identity provider to align with the requirements of your organization which might be based on industry compliance standards.

  • The password complexity policy is applicable to the built-in identity provider users only and does not impact your organization's directory services or the root account for the vCenter Server virtual appliance.

  • You must manage the password complexity policy for the vCenter Single Sign-On built-in identity provider by using the vSphere Client.

  • If the password complexity policy sets the minimum password length to a value greater than 20, password rotation in SDDC Manager cannot be performed for a managed account. Passwords must be updated or remediated.

IAM-VCS-SEC-014

Configure the account lockout policy for the vCenter Single Sign-On built-in identity provider.

  • You configure the account lockout policy for the vCenter Single Sign-On domain to align with the requirements of your organization which might be based on industry compliance standards.

  • The account lockout policy is applicable to the built-in identity provider users only and does not impact your organization's directory services or the root account for the vCenter Server virtual appliance.

  • The vCenter Single Sign-On built-in identity provider Administrator account does not lock out based on the vCenter Single Sign-On account lockout policy configuration.

You must manage the account lockout policy for the vCenter Single Sign-On built-in identity provider by using the vSphere Client.

Table 7. Design Decisions on Password Management for vCenter Server

Decision ID

Design Decision

Design Justification

Design Implication

IAM-VCS-SEC-015

For each vCenter Server instance, change the vCenter Server virtual appliance root account password on a recurring or event-initiated schedule by using SDDC Manager.

  • The password for the vCenter Server root user account expires based on the default password expiration settings. By default, SDDC Manager is configured to automate a password rotation for the root account every 90 days.

  • SDDC Manager manages each vCenter Server instance in the system. The vCenter Server virtual appliance root account password must be known and managed by SDDC Manager.

You must manage the password update or an automated password rotation schedule (default) for the root account by using SDDC Manager.

IAM-VCS-SEC-016

Change the vCenter Single Sign-On domain administrator SYSTEM account (for example, [email protected]) password in the vCenter Single Sign-On built-in identity provider on a recurring or event-initiated schedule by using SDDC Manager.

  • The password for the vCenter Single Sign-On domain administrator SYSTEM account does not expire based on the default vCenter Server Single Sign-On password expiration settings.

  • SDDC Manager manages each vCenter Server instance in the system. The vCenter Single Sign-On domain administrator SYSTEM account password must be known and managed by SDDC Manager.

You must manage the password update or an automated password rotation schedule for the SYSTEM account by using SDDC Manager.

IAM-VCS-SEC-017

Rotate the passwords for SDDC Manager SERVICE account types in the vCenter Single Sign-On built-in identity provider on a recurring or event-initiated schedule by using SDDC Manager.

  • The password for each vCenter Single Sign-On SERVICE account expires based on the vCenter Server Single Sign-On password expiration settings. By default, SDDC Manager is configured to automate a password rotation for the account every 90 days.

  • A vCenter Server instance is registered as a compute manager with its NSX Local Manager cluster during workload domain creation. This SERVICE account password must be known and managed by SDDC Manager. The passwords for the SERVICE accounts are randomly generated by SDDC Manager and cannot be manually set.

You must manage the password rotation or an automated password rotation schedule for the SERVICE account by using SDDC Manager.

Table 8. Design Decisions on Identity Management in NSX

Decision ID

Design Decision

Design Justification

Design Implication

IAM-NSX-SEC-001

Configure Active Directory over LDAP as the authentication source for the NSX Local Managers.

Provides integration with Active Directory for role-based access control. You can introduce authorization policies by assigning roles to Active Directory security groups.

None.

IAM-NSX-SEC-002

Assign the default Enterprise Admin role in NSX Manager to an Active Directory security group.

By assigning the Enterprise Admin role to an Active Directory security group, you can simplify and manage user access to NSX by using the enterprise administrative access controls in Active Directory.

  • An Active Directory security group must be created before assigning a role.

  • You must maintain the life cycle and availability of the security group in Active Directory.

IAM-NSX-SEC-003

Assign the default Network Admin role in NSX Manager to an Active Directory security group.

By assigning the Network Admin role to an Active Directory security group, you can simplify and manage user access to NSX by using the enterprise administrative access controls in Active Directory.

  • An Active Directory security group must be created before assigning a role.

  • You must maintain the life cycle and availability of the security group in Active Directory.

IAM-NSX-SEC-004

Assign the default Auditor role in NSX Manager to an Active Directory security group.

By assigning the Auditor role to an Active Directory security group, you can simplify and manage user access to NSX by using the enterprise administrative access controls in Active Directory.

  • An Active Directory security group must be created before assigning a role.

  • You must maintain the life cycle and availability of the security group in Active Directory.

Table 9. Design Decisions on Password Policies for NSX

Decision ID

Design Decision

Design Justification

Design Implication

IAM-NSX-SEC-005

Configure the password expiration policy for each NSX Local Manager cluster.

  • You configure the password expiration policy for each NSX Local Manager cluster to align with the requirements of your organization which might be based on industry compliance standards.

  • The password expiration policy is applicable to the following default active accounts for the NSX Local Manager cluster nodes:

    • root account

    • admin account

    • audit account

You must manage the password expiration policy on each NSX Local Manager cluster using the CLI or an API.

IAM-NSX-SEC-006

Configure the password complexity policy for each NSX Local Manager cluster node.

You configure the password complexity policy for each NSX Local Manager cluster node to align with the requirements of your organization which might be based on industry compliance standards.

  • You must manage the password complexity policy on each NSX Local Manager cluster node using the virtual appliance console.

  • If the password complexity policy sets the minimum password length to a value greater than 20, automatic password rotation in SDDC Manager cannot be performed. Passwords must be updated or remediated.

IAM-NSX-SEC-007

Configure the account lockout policy on each NSX Local Manager cluster and set the lockout behavior for the API, CLI, and user interface.

You configure the account lockout policy for each NSX Local Manager cluster to align with the requirements of your organization which might be based on industry compliance standards.

You must manage the account lockout policy on each NSX Local Manager cluster by using the virtual appliance console.

IAM-NSX-SEC-008

Configure the password expiration policy for each NSX Edge node.

  • You configure the password expiration policy for NSX Edge nodes to align with the requirements of your organization which might be based on industry compliance standards.

  • The password expiration policy is applicable to the following default active accounts for the NSX Edge nodes:

    • root account

    • admin account

    • audit account

You must manage the password expiration policy on each NSX Edge node by using the virtual appliance console.

IAM-NSX-SEC-009

Configure the password complexity policy for each NSX Edge node.

You configure the password complexity policy for NSX Edge nodes to align with the requirements of your organization which might be based on industry compliance standards.

  • You must manage the password complexity policy on each NSX Edge node by using the virtual appliance console.

  • If the password complexity policy sets the minimum password length to a value greater than 20, automatic password rotation in SDDC Manager cannot be performed. Passwords must be updated or remediated.

IAM-NSX-SEC-010

Configure the account lockout policy on each NSX Edge node and set the lockout behavior for the CLI.

You configure the account lockout policy for NSX Edge nodes to align with the requirements of your organization which might be based on industry compliance standards.

You must manage the account lockout policy on each NSX Edge node by using the virtual appliance console.

Table 10. Design Decisions on Password Management for NSX

Decision ID

Design Decision

Design Justification

Design Implication

IAM-NSX-SEC-011

  • For VMware Cloud Foundation 5.1 and later, for each NSX Local Manager cluster, change the root, admin, and audit account passwords on a recurring or event-initiated schedule by using SDDC Manager.
  • For VMware Cloud Foundation 5.0 and earlier, for the management domain NSX Local Manager cluster, change the root, admin, and audit account passwords on a recurring or event-initiated schedule by using SDDC Manager.

  • The passwords for the accounts for the management domain NSX Local Manager cluster expire based on the password expiration settings for each account.

  • SDDC Manager manages the management domain NSX Local Manager cluster in the system. The account passwords must be known and managed by SDDC Manager.

  • For VMware Cloud Foundation 5.1 and later, SDDC Manager supports the rotation of the audit account for each NSX Local Manager cluster, regardless of the domain type.
  • You must manage the password change or an automated password rotation schedule for the root, admin, and audit accounts by using SDDC Manager.

IAM-NSX-SEC-012

  • For VMware Cloud Foundation 5.0 and earlier, for each VI workload domain NSX Local Manager cluster, change the root and the admin account passwords on a recurring or event-initiated schedule by using SDDC Manager.

  • The passwords for the accounts for each VI workload domain NSX Local Manager cluster expire based on the password expiration settings for each account.

  • SDDC Manager manages each VI workload domain NSX Local Manager cluster in the system. The account passwords must be known and managed by SDDC Manager.

  • You must manage the password change or an automated password rotation schedule for the accounts by using SDDC Manager.

  • If the authentication policy sets the minimum password length to a value greater than 20, automatic password rotation in SDDC Manager cannot be performed. Passwords must be updated or remediated.

IAM-NSX-SEC-013

For VMware Cloud Foundation 5.0 and earlier, for each VI workload domain NSX Local Manager cluster, change the audit account password on a recurring or event-initiated schedule by using the API or CLI.

  • The password for the account for each VI workload domain NSX Local Manager cluster expires based on the password expiration settings for the account.

  • SDDC Manager does not manage the workload domain NSX Local Manager cluster audit account password.

  • You must manage the password change for the account by using the API or CLI.

  • You must monitor the password expiration of the account.

IAM-NSX-SEC-014

For each NSX Edge cluster deployed and managed by SDDC Manager, change the root, admin, and audit account passwords for each NSX Edge node on a recurring or event-initiated schedule by using SDDC Manager.

  • The passwords for the accounts for each NSX Edge node in an NSX Edge cluster managed by SDDC Manager expire based on the password expiration settings for each account.

  • For each NSX Edge node in an NSX Edge cluster managed by SDDC Manager, the account passwords must be known and managed by SDDC Manager.

  • You must manage the password change for the accounts by using SDDC Manager.

  • If the authentication policy sets the minimum password length to a value greater than 20, automatic password rotation in SDDC Manager cannot be performed. Passwords must be updated or remediated.

Table 11. Design Decisions on Active Directory Integration for SDDC Manager

Decision ID

Design Decision

Design Justification

Design Implication

IAM-SDDC-SEC-001

Assign the Admin role in SDDC Manager to an Active Directory security group.

By assigning the Admin role to an Active Directory security group, you can simplify and manage user access with administrative rights to SDDC Manager.

  • An Active Directory security group must be created before assigning a role.

  • You must maintain the life cycle and availability of the security group in Active Directory.

IAM-SDDC-SEC-002

Assign the Operator role in SDDC Manager to an Active Directory security group.

By assigning the Operator role to an Active Directory security group, you can simplify and manage user access with operator rights to SDDC Manager.

  • An Active Directory security group must be created before assigning a role.

  • You must maintain the life cycle and availability of the security group in Active Directory.

IAM-SDDC-SEC-003

Assign the Viewer role in SDDC Manager to an Active Directory security group.

By assigning the Viewer role to an Active Directory security group, you can create user accounts that have read-only rights in SDDC Manager.

  • An Active Directory security group must be created before assigning a role.

  • You must maintain the life cycle and availability of the security group in Active Directory.

Table 12. Design Decisions on Password Policies for SDDC Manager

Decision ID

Design Decision

Design Justification

Design Implication

IAM-SDDC-SEC-004

Configure the password expiration policy for the SDDC Manager appliance.

  • You configure the password expiration policy for the SDDC Manager appliance to align with the requirements of your organization which might be based on industry compliance standards.

  • The password expiration policy is applicable only to the following accounts for the SDDC Manager appliance:

    • root account

    • vcf account

    • backup account

You must manage the password expiration policy on the SDDC Manager appliance by using the virtual appliance console.

IAM-SDDC-SEC-005

Configure the password complexity policy for the SDDC Manager appliance.

  • You configure the password complexity policy for SDDC Manager to align with the requirements of your organization which might be based on industry compliance standards.

  • The policy is applicable only to the local SDDC Manager users.

You must manage the password complexity policy on the SDDC Manager appliance by using the virtual appliance console.

IAM-SDDC-SEC-006

Configure the account lockout policy for the SDDC Manager appliance.

  • You configure the account lockout policy for SDDC Manager to align with the requirements of your organization which might be based on industry compliance standards.

  • The policy is applicable only to the local SDDC Manager users.

You must manage the account lockout policy on the SDDC Manager appliance by using the virtual appliance console.

Table 13. Design Decisions on Password Management for SDDC Manager

Decision ID

Design Decision

Design Justification

Design Implication

IAM-SDDC-SEC-007

Change the SDDC Manager virtual appliance root, vcf, and backup account passwords on a recurring or event-initiated schedule by using the appliance shell.

  • The passwords for the root, vcf, and backup accounts for the SDDC Manager virtual appliance expire based on the password expiration settings for each account.

  • You cannot update the SDDC Manager virtual appliance account passwords through the SDDC Manager user interface or API.

  • You must manage the password change for the virtual appliance root, vcf, and backup accounts by using the SDDC Manager virtual appliance console.

  • You must monitor the password expiration of the accounts.
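IAM-SDDC-SEC-007 (and IAM-NSX-SEC-013 for the workload domain NSX audit account) leaves expiry monitoring of appliance local accounts to you, because SDDC Manager neither rotates nor watches them. The Python script below is an added example, not VMware tooling, of turning `chage -l <account>` output into a status per account. It assumes the appliance is Linux and that `chage` prints the C-locale layout reproduced in the constructed sample output; the 14-day warning window and the 90-day rotation interval applied to never-expiring passwords are constructed thresholds (the 90 days echo the SDDC Manager default rotation mentioned in Table 7).

```python
"""Classify appliance local-account password expiry from `chage -l` output (added example).

Assumed: Linux appliance, C-locale `chage -l` layout. The three outputs below
are constructed samples, not captured from an SDDC Manager appliance.
"""
from datetime import date, datetime

SAMPLE_CHAGE = {
    "root": (
        "Last password change\t\t\t\t\t: Jan 10, 2024\n"
        "Password expires\t\t\t\t\t: Apr 09, 2024\n"
        "Password inactive\t\t\t\t\t: never\n"
        "Account expires\t\t\t\t\t\t: never\n"
        "Minimum number of days between password change\t\t: 0\n"
        "Maximum number of days between password change\t\t: 90\n"
        "Number of days of warning before password expires\t: 7\n"
    ),
    "vcf": (
        "Last password change\t\t\t\t\t: Mar 01, 2024\n"
        "Password expires\t\t\t\t\t: May 30, 2024\n"
        "Password inactive\t\t\t\t\t: never\n"
        "Account expires\t\t\t\t\t\t: never\n"
        "Minimum number of days between password change\t\t: 0\n"
        "Maximum number of days between password change\t\t: 90\n"
        "Number of days of warning before password expires\t: 7\n"
    ),
    "backup": (
        "Last password change\t\t\t\t\t: Nov 01, 2023\n"
        "Password expires\t\t\t\t\t: never\n"
        "Password inactive\t\t\t\t\t: never\n"
        "Account expires\t\t\t\t\t\t: never\n"
        "Minimum number of days between password change\t\t: 0\n"
        "Maximum number of days between password change\t\t: 99999\n"
        "Number of days of warning before password expires\t: 7\n"
    ),
}


def parse_chage(text: str) -> dict:
    """Split each 'label : value' line of chage output into a dict."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            fields[label.strip()] = value.strip()
    return fields


def chage_date(value: str):
    """Convert 'Jan 10, 2024' to a date; 'never' becomes None."""
    return None if value == "never" else datetime.strptime(value, "%b %d, %Y").date()


def _as_date(today):
    return date.fromisoformat(today) if isinstance(today, str) else today


def password_status(account, chage_text, today, warn_days=14, rotation_days=90):
    """Return (account, state, days): expired/expiring/ok when chage enforces an
    expiry date; rotation-overdue/no-expiry (with password age) when it never will."""
    today = _as_date(today)
    fields = parse_chage(chage_text)
    expires = chage_date(fields["Password expires"])
    if expires is None:
        last = chage_date(fields["Last password change"])
        if last is None:
            return account, "no-expiry", None
        age = (today - last).days
        return account, ("rotation-overdue" if age > rotation_days else "no-expiry"), age
    days_left = (expires - today).days
    state = "expired" if days_left < 0 else "expiring" if days_left <= warn_days else "ok"
    return account, state, days_left


def report(samples, today, warn_days=14, rotation_days=90):
    """Status rows for every account in a {account: chage_output} mapping."""
    return [password_status(a, t, today, warn_days, rotation_days) for a, t in samples.items()]


if __name__ == "__main__":
    for row in report(SAMPLE_CHAGE, date.today()):
        print(*row)
```

The never-expiring branch matters for accounts such as the sample backup account with a 99999-day maximum: `chage` will never force a change there, so the script reports the password age against your rotation interval instead of days remaining, which is the figure you actually need to schedule the manual change the decision requires.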

IAM-SDDC-SEC-008

Change the SDDC Manager local administrative admin@local account password on a recurring or event-initiated schedule by using the API.

The password for the SDDC Manager local administrative admin@local account does not expire.

  • You must routinely perform the password change for the admin@local account by using the API.