Service Accounts Design for Private Cloud Automation for VMware Cloud Foundation

You add and configure accounts associated with other solutions to activate cloud accounts for vCenter Server instances and NSX Manager clusters across VMware Cloud Foundation instances. You configure the service accounts to provide and control integration between VMware Aria Automation Orchestrator-to-vCenter Server endpoint instances.

Accounts are assigned roles for integration between VMware Aria Automation and the VI workload domain vCenter Server instances and VI workload domain NSX Manager clusters across the VMware Cloud Foundation instances.

Note:

For an environment with NSX Federation, you configure NSX Manager cloud accounts for the VI workload domain NSX Local Manager instances.

This solution ensures that the context of each integration uses the least privilege and permissions scope required for the private cloud integrations.

Table 1. Design Decisions on Service Accounts for VMware Aria Automation Assembler Cloud Accounts in VMware Aria Automation
Decision ID	Design Decision	Design Justification	Design Implication
PCA-VAA-SEC-007	Define a custom vCenter Server role for VMware Aria Automation that has minimum privileges required to support a vCenter Server cloud account.	VMware Aria Automation integrates with VI workload domain vCenter Server instances in VMware Cloud Foundation instances using the minimum set of privileges and permissions scope required to support the cloud account.	You must maintain the privileges required by the custom vSphere role. If additional VMware Cloud Foundation instances are not in the same vCenter Single Sign-On domain, the custom role must be applied to each vCenter Single Sign-On domain.
PCA-VAA-SEC-008	For each VMware Cloud Foundation instance, use an Active Directory user account as a service account for each vCenter Server for application-to-application communication from VMware Aria Automation to vCenter Server.	Provides the following access control features: VMware Aria Automation services, such as VMware Aria Automation Assembler, access VI workload domain vCenter Server instances with the minimum set of required permissions. If there is a compromised account, the accessibility to the destination cloud account remains restricted. You can introduce an improved accountability in tracking request-response interactions between the VMware Aria Automation and the vCenter Server endpoint in the cloud account.	You must maintain the life cycle, availability, and security controls for the account in Active Directory. You must maintain the scope of permissions assigned to the service account across the VMware Cloud Foundation instances. To reduce the potential fault domain for a cloud account, you can create a service account per VI workload domain for the vCenter Server cloud account.
PCA-VAA-SEC-009	Assign vCenter Server global permissions for the VMware Aria Automation-to-vCenter Server integration accounts for each VMware Cloud Foundation instance.	VMware Aria Automation accesses VI workload domain vCenter Server instances with the minimum set of permissions that are required to support a vCenter Server cloud account.	You must set the permissions scope for the service account used by the vCenter Server cloud account to the default No access vSphere role for the management domain vCenter Server instances or other VI workload domains not used by VMware Aria Automation, to ensure that service account access to the workload domains is restricted. You must set the permissions scope for the service account used by the vCenter Server cloud account to the default No access vSphere role for vSphere inventory objects that should be excluded from VMware Aria Automation workload placement or on-boarding. To reduce the potential fault domain for a cloud account, you can create a service account per VI workload domain for the vCenter Server cloud account.
PCA-VAA-SEC-010	Use an Active Directory user account as an integration account for each NSX Manager cluster for application-to-application communication from VMware Aria Automation to NSX.	Provides the following access control features: VMware Aria Automation services, such as VMware Aria Automation Assembler, accesses NSX Manager with the minimum set of required permission. If there is a compromised account, the accessibility to the destination cloud account remains restricted. You can introduce an improved accountability in tracking request-response interactions between the VMware Aria Automation and the NSX Manager endpoint in the cloud account.	You must maintain the life cycle, availability, and security controls for the account in Active Directory. To reduce the potential fault domain for a cloud account, you can create a service account per VI workload domain for the NSX cloud account. Important: This solution is based on the use of Active Directory over LDAP with SSL used as the identity provider using Workspace ONE Access. If Active Directory Federation Services (ADFS) is used as an identity provider for NSX Manager, VMware Aria Automation cannot authenticate to an NSX Manager. A limitation exists where API-based logins to a system that uses a third-party identity provider, for example, ADFS with Workspace ONE Access. The username and password cannot be sent over SAML to the identity provider for authentication.
PCA-VAA-SEC-011	Assign the NSX Manager Enterprise admin role to the VMware Aria Automation-to-NSX integration accounts for VI workload domains.	VMware Aria Automation accesses designated VI workload domain NSX Manager clusters in VMware Cloud Foundation instances with the minimum set of permissions that are required to support NSX in the NSX Manager cloud accounts.	You must configure and manage the integration of Workspace ONE Access with NSX. Important: This solution is based on the use of Active Directory over LDAP with SSL used as the identity provider using Workspace ONE Access. If Active Directory Federation Services (ADFS) is used as an identity provider for NSX Manager, VMware Aria Automation cannot authenticate to NSX Manager. A limitation exists where API-based logins to a system that uses a third-party identity provider, for example, ADFS with Workspace ONE Access. The user name and password cannot be sent over SAML to the identity provider for authentication.

Table 2. Design Decisions on Service Accounts for VMware Aria Automation Orchestrator in VMware Aria Automation
Decision ID	Design Decision	Design Justification	Design Implication
PCA-VAA-SEC-012	For each VMware Cloud Foundation instance, use an Active Directory user account as a service account for each VI workload domain vCenter Server for application-to-application communication from VMware Aria Automation Orchestrator to vCenter Server.	Provides the following access control features: VMware Aria Automation Orchestrator services access VI workload domain vCenter Server instances with the minimum set of required permissions. If there is a compromised account, the accessibility to the destination integration remains restricted. You can introduce an improved accountability in tracking request-response interactions between the VMware Aria Automation Orchestrator and the vCenter Server instances.	You must maintain the life cycle, availability, and security controls for the account in Active Directory. You must maintain the scope of permissions assigned to the service account across VMware Cloud Foundation instances. To reduce the potential fault domain for the integration, you can create a service account per VI workload domain for the VMware Aria Automation Orchestrator integration.
PCA-VAA-SEC-013	Add the integration account used for application-to-application communication between VMware Aria Automation Orchestrator and vCenter Server to an Active Directory security group. Add any named users to the Active Directory security group.	Allows only accounts defined in the Active Directory security group membership to administer the VMware Aria Automation Orchestrator instance.	You must define and manage security groups, group membership, and security controls in Active Directory.
PCA-VAA-SEC-014	Create and apply a custom vSphere role for the service account used to add VI workload domain vCenter Server instances to the VMware Aria Automation Orchestrator configuration.	VMware Aria Automation Orchestrator integrates with VI workload domain vCenter Servers instances using the minimum set of privileges required to support the vCenter Server registration.	You must maintain the privileges required by the custom vSphere role. If additional VMware Cloud Foundation instances are not in the same vCenter Single Sign-On domain, the custom role must be applied to each vCenter Single Sign-On domain. VMware Aria Automation Orchestrator requires Administrator-level privileges to register a vCenter Server instance with VMware Aria Automation Orchestrator and can not be restricted based a registration account and another with the privileges required by workflows executed against VI workload domain vCenter Server instances. After the addition of VI workload domain, you can decide to update and reduce the privileges for the custom role.
PCA-VAA-SEC-015	Assign vCenter Server global permissions for the VMware Aria Automation Orchestrator-to-vCenter Server integration accounts for VMware Cloud Foundation instance workload domains.	VMware Aria Automation Orchestrator registers VI workload domain vCenter Servers instances with the required set of permissions. VMware Aria Automation Orchestrator can register a VI workload domain vCenter Server when added to a VMware Cloud Foundation instance.	You must set the permissions scope for the service account used by VMware Aria Automation Orchestrator to the default No access vSphere role for the management domain vCenter Server instances to ensure that service account access to the management domains is restricted. You should set the permissions scope for the service account used by the VMware Aria Automation Orchestrator to the default No access vSphere role for vSphere inventory objects that should be excluded from VMware Aria Automation Orchestrator scope. If additional VMware Cloud Foundation instances are not in the same vCenter Single Sign-On domain, the service account scope must be applied to each VMware Cloud Foundation instance.