Restrict access for the vRealize Automation and vRealize Orchestrator service accounts to the NSX Edge virtual machine folder, the local datastore folders, and the read-only datastore folders in the VI workload domain vCenter Server inventory.

You restrict access to the following virtual machine and datastore folders in the VI workload domain vCenter Server inventory, and to any additional inventory item that must be excluded from vRealize Automation or vRealize Orchestrator access. Because a permission set directly on an inventory object overrides the permission inherited from its parent, assigning No Access with propagation on these folders removes the broader access that the service accounts hold higher in the inventory.

Folder Description                                            vSphere Inventory
Virtual machine folder for NSX Edge clusters, if applicable.  VMs and templates
Datastore folders for local datastores, if applicable.        Storage
Datastore folders for read-only datastores, if applicable.    Storage

UI Procedure

  1. Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui as administrator@vsphere.local.
  2. In the vSphere inventory view for the first folder (VMs and templates or Storage), expand the VI workload domain vCenter Server tree and expand the VI workload domain data center.
  3. Select the first folder and click the Permissions tab.
  4. Select the service account for vRealize Automation to vSphere integration and click the Change role icon.
  5. In the Change role dialog box, from the Role drop-down menu, select No Access, select the Propagate to children check box, and click OK.
  6. Repeat steps 4 and 5 for the service account for vRealize Orchestrator to vSphere integration.
  7. Repeat steps 3 to 6 for each of the remaining folders and for any additional inventory item that must be excluded from vRealize Automation or vRealize Orchestrator access.

  8. Repeat the procedure for each VI workload domain vCenter Server in each VMware Cloud Foundation instance.

PowerShell Procedure

  1. Start Windows PowerShell.

  2. Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.

    # SDDC Manager connection details (vCenter Single Sign-On administrator)
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "administrator@vsphere.local"
    $sddcManagerPass = "VMw@re1!"
    
    # VI workload domain whose vCenter Server inventory is restricted
    $sddcDomainName = "sfo-w01"
    
    # Active Directory domain alias and the service accounts for the vSphere integrations
    $domainAlias = "SFO"
    $vraServiceAccount = "svc-vra-vsphere"
    $vroServiceAccount = "svc-vro-vsphere"
    
    # Folders that receive the No Access role for both service accounts
    $nsxEdgeVMFolder = "sfo-w01-fd-edge"
    $localDatastoreFolder = "sfo-w01-fd-ds-local"
    $readOnlyDatastoreFolder = "sfo-w01-fd-ds-readonly"
  3. Perform the configuration for the service account for vRealize Automation to vSphere integration by running the commands in the PowerShell console.
    Set-vCenterPermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $domainAlias -workloadDomain $sddcDomainName -principal $vraServiceAccount -role "NoAccess" -folderName $nsxEdgeVMFolder -folderType "VM"
    
    Set-vCenterPermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $domainAlias -workloadDomain $sddcDomainName -principal $vraServiceAccount -role "NoAccess" -folderName $localDatastoreFolder -folderType "Datastore"
    
    Set-vCenterPermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $domainAlias -workloadDomain $sddcDomainName -principal $vraServiceAccount -role "NoAccess" -folderName $readOnlyDatastoreFolder -folderType "Datastore"
    
  4. Perform the configuration for the service account for vRealize Orchestrator to vSphere integration by running the commands in the PowerShell console.
    Set-vCenterPermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $domainAlias -workloadDomain $sddcDomainName -principal $vroServiceAccount -role "NoAccess" -folderName $nsxEdgeVMFolder -folderType "VM"
    
    Set-vCenterPermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $domainAlias -workloadDomain $sddcDomainName -principal $vroServiceAccount -role "NoAccess" -folderName $localDatastoreFolder -folderType "Datastore"
    
    Set-vCenterPermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $domainAlias -workloadDomain $sddcDomainName -principal $vroServiceAccount -role "NoAccess" -folderName $readOnlyDatastoreFolder -folderType "Datastore"
  5. Repeat the procedure for each VI workload domain in each VMware Cloud Foundation instance.
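To confirm that either procedure produced the intended result, the following PowerCLI check is an added example, not part of the VMware documentation or of the PowerValidatedSolutions module. It assumes VMware PowerCLI is installed, that the service accounts are Active Directory principals under the "SFO" domain alias from the sample values, and that the VI workload domain vCenter Server FQDN placeholder is replaced before running.

```powershell
# Added verification example (not VMware's code). Reports, per folder and service
# account, whether a No Access permission with Propagate is defined directly on the folder.
Import-Module VMware.PowerCLI

$workloadVcenterFqdn = "<workload_vcenter_server_fqdn>"   # placeholder: VI workload domain vCenter Server
$ssoUser             = "administrator@vsphere.local"      # sample value from the page
$ssoPass             = "VMw@re1!"                         # sample value from the page
$domainAlias         = "SFO"
$principals          = @("$domainAlias\svc-vra-vsphere", "$domainAlias\svc-vro-vsphere")

# Folder name -> vSphere inventory folder type, matching the folder table above.
$folders = @{
    "sfo-w01-fd-edge"        = "VM"
    "sfo-w01-fd-ds-local"    = "Datastore"
    "sfo-w01-fd-ds-readonly" = "Datastore"
}

Connect-VIServer -Server $workloadVcenterFqdn -User $ssoUser -Password $ssoPass | Out-Null

$findings = foreach ($name in $folders.Keys) {
    $folder = Get-Folder -Name $name -Type $folders[$name] -ErrorAction SilentlyContinue
    if (-not $folder) {
        [pscustomobject]@{ Folder = $name; Principal = "-"; Role = "-"; Propagate = $null; Status = "FOLDER NOT FOUND" }
        continue
    }
    foreach ($p in $principals) {
        # Keep only the permission defined on this folder itself; an inherited entry
        # from the data center or vCenter root does not restrict anything.
        $perm = Get-VIPermission -Entity $folder -Principal $p -ErrorAction SilentlyContinue |
                Where-Object { $_.Entity.Id -eq $folder.Id }
        $status = if (-not $perm)                  { "MISSING: account still inherits parent access" }
                  elseif ($perm.Role -ne "NoAccess") { "WRONG ROLE: $($perm.Role)" }
                  elseif (-not $perm.Propagate)      { "NOT PROPAGATED: child objects remain accessible" }
                  else                               { "OK" }
        [pscustomobject]@{ Folder = $name; Principal = $p; Role = $perm.Role; Propagate = $perm.Propagate; Status = $status }
    }
}

Disconnect-VIServer -Server $workloadVcenterFqdn -Confirm:$false
$findings | Format-Table -AutoSize
```

Any row whose Status is not OK identifies a folder on which the service account can still operate and that needs the procedure above repeated.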