HCX configuration and operation requires an understanding of the various accounts and roles involved in deploying, managing, and operating the system.

User Accounts

HCX has the following account requirements:

admin

Requirements:
  • The admin password must be set.
  • The root password must be set.

Additional Information:
  • Created during the OVA deployment.
  • Used in the Appliance Management interface (https://hcx-ip-or-fqdn:9443).
  • Used for CLI/terminal shell access.

Account for vCenter Server Registration

Requirements:
  • The account must belong to the vSphere administrators group, or have the administrator role assigned.

Additional Information:
  • The administrator@vsphere.local account is suggested by default, but not required.
  • Alternate vSphere SSO local users that meet the requirements can be used.
  • Active Directory service accounts that meet the requirements can be used.

Account for NSX Registration

Requirements:
  • With NSX-T, this account must have the Enterprise Admin role assigned.
  • With NSXv, this account must have the Enterprise Administrator role assigned.

Additional Information:
  • The NSX admin account is suggested by default, but not required.
  • Alternate NSX local accounts that meet the requirements can be used.
  • Active Directory service accounts that meet the requirements can be used.
  • Prior to NSX-T Data Center 3.0, it is mandatory to use the NSX admin account.

Note: This account is generally not required for HCX Connector installations. It is required only when extending NSX Segments or migrating NSX Tags.

Account for vCloud Director Registration

Requirements:
  • The account must have the System Administrator role assigned.

Additional Information:
  • The VMware Cloud Director sysadmin account is suggested by default, but not required.
  • An alternate local account that meets the requirements can be used.
  • LDAP service accounts that meet the requirements can be used.

Note: This account is only required for provider installations of VMware HCX with vCloud Director. A tenant does not require this account.

Accounts for HCX Role Mapping

(This refers to SSO user accounts that will be mapped to an HCX role.)

Requirements:
  • The user's group must be included in the HCX Role Mapping configuration.

Additional Information:
  • HCX supports two user roles: Administrator and Tenant.
    • HCX Administrator is for those who configure and operate HCX (create and manage Compute Profiles, Site Pairings, Service Meshes, Network Extensions, Migrations, and DR operations).
    • HCX Tenant is for Service Provider installations only. This role does not support adding or deleting Network Profiles.
  • The vsphere.local\Administrators vSphere SSO group is added by default to HCX Administrator. It is not mandatory to use this SSO group. For the HCX Tenant role, no default group is provided.
  • A common practice is to create an hcx-administrators vSphere SSO group, populate it with the SSO and Active Directory users who will operate HCX, and replace the default vsphere.local\Administrators HCX Administrator entry in the HCX Role Mapping configuration with the new hcx-administrators group.

Site Pairing Accounts

Requirements:
  • The user's group must be included in the HCX Role Mapping configuration on the remote HCX Cloud system being paired. The user's group can be in either the HCX Administrator group or the HCX Tenant group.

Additional Information:
  • The site pairing user is entered along with the HCX Cloud's URL in the site pairing configuration on the source HCX Manager system. The following are typical scenarios:
    • In a private data center HCX deployment, the site pairing user is traditionally the administrator user for the destination vSphere environment.
    • In a dedicated public cloud HCX deployment, the site pairing user is traditionally the SDDC administrator account provided to the tenant.
    • In a VMware Cloud Director HCX deployment, the site pairing user is the Organization Administrator account.

Note: vCenter Server, NSX Manager, and VMware Cloud Director registration accounts ("service accounts") must have global object access.

HCX Role Mapping

Access to HCX services and features depends on the assigned user role. User roles are assigned in the HCX appliance management interface during the initial HCX activation and configuration.

HCX Administrator

SSO groups assigned to the HCX Administrator role have unrestricted access to perform all HCX configurations and operations.

HCX Tenant

This role is intended for use by HCX Service Providers. SSO groups assigned to the HCX Tenant role cannot add or delete HCX Network Profiles.

Note: The HCX Tenant role is not available in HCX Connector deployments.

vSphere Privileges for Migration Operations

User groups assigned to the HCX Administrator or the HCX Tenant role must have these vSphere vCenter Server privileges to perform migrations.

Each entry below gives the vCenter resource type, the user privileges required on it, and where those privileges apply.

ComputeResource

User Privileges:
  • VirtualMachine.Inventory.Create
  • VirtualMachine.Interact.PowerOn
  • VirtualMachine.State.CreateSnapshot
  • VirtualMachine.State.RemoveSnapshot

Description: Privileges required on the destination ComputeResource object when performing a migration operation.

HostSystem

User Privileges:
  • VirtualMachine.Inventory.Create
  • VirtualMachine.Interact.PowerOn
  • VirtualMachine.State.CreateSnapshot
  • VirtualMachine.State.RemoveSnapshot

Description: Privileges required on the destination HostSystem object when performing a migration operation.

ClusterComputeResource

User Privileges:
  • VirtualMachine.Inventory.Create
  • VirtualMachine.Interact.PowerOn
  • VirtualMachine.State.CreateSnapshot
  • VirtualMachine.State.RemoveSnapshot

Description: Privileges required on the destination ClusterComputeResource object when performing a migration operation.

ResourcePool

User Privileges:
  • VirtualMachine.Inventory.Create
  • VirtualMachine.Interact.PowerOn
  • VirtualMachine.State.CreateSnapshot
  • VirtualMachine.State.RemoveSnapshot

Description: Privileges required on the destination ResourcePool object when performing a migration operation.

Folder

User Privileges:
  • VirtualMachine.Inventory.Create
  • VirtualMachine.Interact.PowerOn
  • VirtualMachine.State.CreateSnapshot
  • VirtualMachine.State.RemoveSnapshot

Description: Privileges required on the destination Folder object when performing a migration operation.

Datacenter

User Privileges:
  • VirtualMachine.Inventory.Create
  • VirtualMachine.Interact.PowerOn
  • VirtualMachine.Interact.PowerOff
  • Resource.HotMigrate
  • Resource.ColdMigrate
  • Folder.Create
  • Folder.Delete

Description: Privileges required on the destination Datacenter objects when performing a migration operation.

Datastore

User Privileges:
  • Datastore.UpdateVirtualMachineMetadata
  • Datastore.DeleteFile

Description: Privileges required on the destination Datastore objects when performing a migration operation.

DistributedVirtualPortgroup/Network

User Privileges:
  • Network.Assign

Description: Privileges required on the destination Network objects when performing a migration operation.

VirtualMachine

User Privileges:
  • VirtualMachine.Interact.PowerOn
  • VirtualMachine.Interact.PowerOff
  • Resource.HotMigrate
  • Resource.ColdMigrate
  • VirtualMachine.State.CreateSnapshot
  • VirtualMachine.State.RemoveSnapshot
  • VirtualMachine.Hbr.ConfigureReplication
  • VirtualMachine.Hbr.MonitorReplication

Description: Privileges required on the source Virtual Machines when performing a migration operation.
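As an added example (not part of the HCX documentation), the following Python audit encodes the privilege table above and reports, per vCenter object type, which required privileges a candidate custom role still lacks, so a least-privilege HCX migration role can be verified before it is assigned. The role's privilege list is constructed sample input; pyVmomi and PowerCLI are only named as where a real list would come from.

```python
"""Audit a vCenter role's privilege list against the HCX migration matrix.

Added example, not HCX's own code. REQUIRED is transcribed from the table
above. SAMPLE_ROLE is a constructed privilege list; in a real audit it would
come from the vSphere API (pyVmomi: content.authorizationManager.roleList,
each role exposing a list of privilege ids) or PowerCLI (Get-VIPrivilege -Role).
"""
from typing import Dict, Set

# The four privileges shared by the destination placement objects.
PLACEMENT = {
    "VirtualMachine.Inventory.Create", "VirtualMachine.Interact.PowerOn",
    "VirtualMachine.State.CreateSnapshot", "VirtualMachine.State.RemoveSnapshot",
}

# Required privileges per vCenter resource type, as listed on this page.
REQUIRED: Dict[str, Set[str]] = {
    "ComputeResource": set(PLACEMENT),
    "HostSystem": set(PLACEMENT),
    "ClusterComputeResource": set(PLACEMENT),
    "ResourcePool": set(PLACEMENT),
    "Folder": set(PLACEMENT),
    "Datacenter": {
        "VirtualMachine.Inventory.Create", "VirtualMachine.Interact.PowerOn",
        "VirtualMachine.Interact.PowerOff", "Resource.HotMigrate",
        "Resource.ColdMigrate", "Folder.Create", "Folder.Delete",
    },
    "Datastore": {"Datastore.UpdateVirtualMachineMetadata", "Datastore.DeleteFile"},
    "DistributedVirtualPortgroup/Network": {"Network.Assign"},
    "VirtualMachine": {
        "VirtualMachine.Interact.PowerOn", "VirtualMachine.Interact.PowerOff",
        "Resource.HotMigrate", "Resource.ColdMigrate",
        "VirtualMachine.State.CreateSnapshot", "VirtualMachine.State.RemoveSnapshot",
        "VirtualMachine.Hbr.ConfigureReplication", "VirtualMachine.Hbr.MonitorReplication",
    },
}

def missing_privileges(granted: Set[str]) -> Dict[str, Set[str]]:
    """Per resource type, the required privileges the role does not grant.
    Types that are fully covered are omitted, so an empty dict means compliant."""
    return {rtype: need - granted for rtype, need in REQUIRED.items() if need - granted}

def minimal_role_privileges() -> Set[str]:
    """Union of all required privileges: the smallest privilege set for a single
    custom role that is assigned on every object type in the table."""
    return set().union(*REQUIRED.values())

# Constructed sample: a role built only from the placement rows plus two extras.
SAMPLE_ROLE = PLACEMENT | {"Network.Assign", "Datastore.DeleteFile"}

if __name__ == "__main__":
    for rtype, gaps in sorted(missing_privileges(SAMPLE_ROLE).items()):
        print(f"{rtype}: missing {', '.join(sorted(gaps))}")
```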