Restrict access for the VMware Aria Automation and VMware Aria Automation Orchestrator service accounts to the NSX Edge virtual machine folder, the local datastore folders, and the read-only datastore folders in the VI workload domain vCenter Server inventory.

You restrict access to the following virtual machine and datastore folders in the VI workload domain vCenter Server inventory, and to any additional inventory item that must be excluded from access by VMware Aria Automation or VMware Aria Automation Orchestrator.

Folder Description                                            vSphere Inventory
Virtual machine folder for NSX Edge clusters, if applicable.  VMs and templates
Datastore folders for local datastores, if applicable.        Storage
Datastore folders for read-only datastores, if applicable.    Storage

UI Procedure

  1. Log in to the VI workload domain vCenter Server at https://<vi_workload_vcenter_server_fqdn>/ui as [email protected].
  2. In the vSphere inventory for the first folder, expand the VI workload domain vCenter Server tree and expand the VI workload domain data center.
  3. Select the first folder and click the Permissions tab.
  4. Select the service account for VMware Aria Automation to vSphere integration and click the Change role icon.
  5. In the Change role dialog box, from the Role drop-down menu, select No Access, select the Propagate to children check box, and click OK.
  6. Repeat steps 4 and 5 for the service account for VMware Aria Automation Orchestrator to vSphere integration.
  7. Repeat steps 3 to 6 for each of the remaining folders and for any additional inventory item that must be excluded from the VMware Aria Automation or VMware Aria Automation Orchestrator access.

PowerShell Procedure

  1. Start PowerShell.

  2. Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "[email protected]"
    $sddcManagerPass = "VMw@re1!"
    
    $sddcDomainName = "sfo-w01"
    
    $domainAlias = "SFO"
    $assemblerServiceAccount = "svc-vra-vsphere"
    $orchestratorServiceAccount = "svc-vro-vsphere"
    
    $nsxEdgeVMFolder = "sfo-w01-fd-edge"
    $localDatastoreFolder = "sfo-w01-fd-ds-local"
    $readOnlyDatastoreFolder = "sfo-w01-fd-ds-readonly"
  3. Perform the configuration for the service account for VMware Aria Automation to vSphere integration by running the commands in the PowerShell console.
    Set-vCenterPermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $domainAlias -workloadDomain $sddcDomainName -principal $assemblerServiceAccount -role "NoAccess" -folderName $nsxEdgeVMFolder -folderType "VM"
    
    Set-vCenterPermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $domainAlias -workloadDomain $sddcDomainName -principal $assemblerServiceAccount -role "NoAccess" -folderName $localDatastoreFolder -folderType "Datastore"
    
    Set-vCenterPermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $domainAlias -workloadDomain $sddcDomainName -principal $assemblerServiceAccount -role "NoAccess" -folderName $readOnlyDatastoreFolder -folderType "Datastore"
    
  4. Perform the configuration for the service account for VMware Aria Automation Orchestrator to vSphere integration by running the commands in the PowerShell console.
    Set-vCenterPermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $domainAlias -workloadDomain $sddcDomainName -principal $orchestratorServiceAccount -role "NoAccess" -folderName $nsxEdgeVMFolder -folderType "VM"
    
    Set-vCenterPermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $domainAlias -workloadDomain $sddcDomainName -principal $orchestratorServiceAccount -role "NoAccess" -folderName $localDatastoreFolder -folderType "Datastore"
    
    Set-vCenterPermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $domainAlias -workloadDomain $sddcDomainName -principal $orchestratorServiceAccount -role "NoAccess" -folderName $readOnlyDatastoreFolder -folderType "Datastore"
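The following is an added verification script, not part of this procedure or of the PowerValidatedSolutions module that provides Set-vCenterPermission. It assumes VMware PowerCLI is installed, connects directly to the VI workload domain vCenter Server (the FQDN is assumed), and checks that each service account holds a propagating NoAccess permission on each restricted folder, reporting a missing entry, a different role, or a non-propagating entry.

```powershell
# Added verification example; not part of the original procedure or of the
# PowerValidatedSolutions module. Assumes VMware PowerCLI is installed and a
# direct session to the VI workload domain vCenter Server (FQDN below is assumed).
Import-Module VMware.PowerCLI -ErrorAction Stop

$vcenterFqdn = "sfo-w01-vc01.sfo.rainpole.io"   # assumed vCenter Server FQDN
$vcenterCred = Get-Credential -Message "VI workload domain vCenter Server"
Connect-VIServer -Server $vcenterFqdn -Credential $vcenterCred | Out-Null

# Folders that must carry a propagating NoAccess entry (values from the procedure).
$restrictedFolders = @(
    @{ Name = "sfo-w01-fd-edge";        Type = "VM" }
    @{ Name = "sfo-w01-fd-ds-local";    Type = "Datastore" }
    @{ Name = "sfo-w01-fd-ds-readonly"; Type = "Datastore" }
)
# vCenter lists principals as DOMAIN\account; "SFO" is the domain alias from above.
$principals = @("SFO\svc-vra-vsphere", "SFO\svc-vro-vsphere")

function Test-NoAccessPermission {
    param([string]$FolderName, [string]$FolderType, [string]$Principal)
    $result = [ordered]@{ Folder = $FolderName; Principal = $Principal; Status = "" }
    $folder = Get-Folder -Name $FolderName -Type $FolderType -ErrorAction SilentlyContinue
    if (-not $folder) { $result.Status = "FolderNotFound"; return [pscustomobject]$result }
    $perm = Get-VIPermission -Entity $folder |
        Where-Object { $_.Principal -eq $Principal } | Select-Object -First 1
    if (-not $perm) {
        $result.Status = "Missing"          # account keeps whatever the parent grants
    } elseif ($perm.Role -ne "NoAccess") {
        $result.Status = "WrongRole:$($perm.Role)"
    } elseif (-not $perm.Propagate) {
        $result.Status = "NotPropagated"    # objects inside the folder stay reachable
    } else {
        $result.Status = "OK"
    }
    return [pscustomobject]$result
}

$report = foreach ($f in $restrictedFolders) {
    foreach ($p in $principals) {
        Test-NoAccessPermission -FolderName $f.Name -FolderType $f.Type -Principal $p
    }
}
$report | Format-Table -AutoSize
Disconnect-VIServer -Server $vcenterFqdn -Confirm:$false

# Non-zero exit if any folder/account pair is not locked down.
if ($report | Where-Object { $_.Status -ne "OK" }) { exit 1 }
```

Run it after the procedure, or on a schedule, to catch a permission that was reverted or a folder that was recreated without the NoAccess entry.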