Configuring and operating HCX Manager (HCX) requires an understanding of the accounts and roles involved in deploying, managing, and operating the system, and of the privileges each of them holds.

User Accounts

HCX has the following account requirements for site manager deployments:

Account: admin

Requirements:

  • The admin password must be set.

  • The root password must be set.

Additional information:

  • Created during the site manager OVA deployment.

  • Used in the Appliance Management interface (https://hcx-ip-or-fqdn:9443).

  • Used for CLI/terminal shell access.

Account: vCenter Server registration account

Requirements:

  • The account must belong to the vSphere Administrators group and have the Administrator role assigned.

Additional information:

  • The administrator@vsphere.local account is suggested by default, but not required.

  • Alternate vSphere SSO local users that meet the requirements can be used.

  • Active Directory service accounts that meet the requirements can be used. A dedicated service account is preferable to a shared administrator login, so that its use can be audited and its credential rotated independently of other administrators.

Account: NSX registration account

Requirements:

  • For NSX-T Data Center, the account must have the Enterprise Admin role assigned.

  • For NSX for vSphere (NSX-V), the account must have the Enterprise Administrator role assigned.

Additional information:

  • The NSX admin account is suggested by default, but not required.

  • Alternate NSX local accounts that meet the requirements can be used.

  • Active Directory service accounts that meet the requirements can be used.

  • Prior to NSX-T Data Center 3.0, it is mandatory to use the NSX admin account.

Note:

This account is not required for HCX Connector installations. It is required only when extending NSX Segments, or migrating NSX tags.

Accounts for HCX Role Mapping

(These are the SSO user accounts whose groups are mapped to an HCX role.)

The user’s group must be included in the HCX Role Mapping configuration.

  • HCX supports two user roles: Administrator and Tenant.

    • The Administrator role is for users who configure and operate HCX (create and manage the Compute Profiles, Site Pairings, Service Meshes, Network Extensions, Migrations, and DR operations).

    • The Tenant role is for Service Provider installations only. This role does not support adding or deleting Network Profiles.

  • The vsphere.local\Administrators vSphere SSO Group is added by default to HCX Administrator. However, it is not mandatory to use this SSO group. For the HCX Tenant role, no default group is provided.

  • A common practice is to create an hcx-administrators vSphere SSO group, populate it with the SSO and Active Directory users who operate HCX, and replace the default vsphere.local\Administrators entry in the Role Mapping configuration with that group. This keeps HCX administration separate from membership in the vCenter SSO Administrators group, so a vCenter administrator does not automatically gain HCX administration rights and vice versa.

Site Pairing Accounts

The user's group must be included in the HCX Role Mapping configuration on the remote HCX Cloud system being paired. The group can be mapped to either the Administrator role or the Tenant role.

The site pairing user is entered along with the HCX Cloud URL in the site pairing configuration on the source HCX system. The following are typical scenarios:

  • In a private data center HCX deployment, the site pairing user is traditionally the administrative user for the destination vSphere environment.

  • In a dedicated public cloud HCX deployment, the site pairing user is traditionally the SDDC administrator account provided to the tenant.

Note:

The vCenter Server and the NSX Manager registration accounts ("service accounts") must have global object access: the role must be assigned at the top of the inventory and propagate to every child object, rather than being scoped to individual clusters, folders, or datastores.

Role Mapping

Access to HCX services and features depends on the assigned user role. User roles are assigned in the HCX appliance management interface during the initial HCX activation and configuration.

Administrator

SSO groups assigned to the Administrator role have unrestricted access to perform all HCX configurations and operations.

Tenant

This role is intended for use by Service Providers. SSO groups assigned to the Tenant role cannot add or delete HCX Network Profiles.

Note:

The Tenant role is not available in HCX Connector deployments.

vSphere Privileges for Migration Operations

User groups mapped to the Administrator or the Tenant role must hold the following vCenter Server privileges on the listed object types to perform migrations. The same four privileges are required on each destination container object (compute resource, host, cluster, resource pool, and folder); the data center, datastore, network, and source virtual machine objects each need their own set.

Each entry below gives the vCenter object type, where the privileges apply in a migration operation, and the privileges required on that object.

ComputeResource (destination compute resource object)

  • VirtualMachine.Inventory.Create

  • VirtualMachine.Interact.PowerOn

  • VirtualMachine.State.CreateSnapshot

  • VirtualMachine.State.RemoveSnapshot

HostSystem (destination host object)

  • VirtualMachine.Inventory.Create

  • VirtualMachine.Interact.PowerOn

  • VirtualMachine.State.CreateSnapshot

  • VirtualMachine.State.RemoveSnapshot

ClusterComputeResource (destination cluster object)

  • VirtualMachine.Inventory.Create

  • VirtualMachine.Interact.PowerOn

  • VirtualMachine.State.CreateSnapshot

  • VirtualMachine.State.RemoveSnapshot

ResourcePool (destination resource pool object)

  • VirtualMachine.Inventory.Create

  • VirtualMachine.Interact.PowerOn

  • VirtualMachine.State.CreateSnapshot

  • VirtualMachine.State.RemoveSnapshot

Folder (destination folder object)

  • VirtualMachine.Inventory.Create

  • VirtualMachine.Interact.PowerOn

  • VirtualMachine.State.CreateSnapshot

  • VirtualMachine.State.RemoveSnapshot

Datacenter (destination data center objects)

  • VirtualMachine.Inventory.Create

  • VirtualMachine.Interact.PowerOn

  • VirtualMachine.Interact.PowerOff

  • Resource.HotMigrate

  • Resource.ColdMigrate

  • Folder.Create

  • Folder.Delete

Datastore (destination datastore objects)

  • Datastore.UpdateVirtualMachineMetadata

  • Datastore.DeleteFile

DistributedVirtualPortgroup or Network (destination network objects)

  • Network.Assign

VirtualMachine (source virtual machines)

  • VirtualMachine.Interact.PowerOn

  • VirtualMachine.Interact.PowerOff

  • Resource.HotMigrate

  • Resource.ColdMigrate

  • VirtualMachine.State.CreateSnapshot

  • VirtualMachine.State.RemoveSnapshot

  • VirtualMachine.Hbr.ConfigureReplication

  • VirtualMachine.Hbr.MonitorReplication
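The two checks this page describes, as an added example that is not part of the HCX documentation or the product: an offline Python model that first resolves a user's HCX role from the Role Mapping (a user only gets a role through a mapped group) and then resolves the user's effective vCenter privileges on each destination object the way vCenter evaluates permissions (the permission on the most specific object wins, an ancestor's permission counts only if it propagates, and a permission granted to a user directly overrides group grants on the same object), reporting any privileges from the table above that are missing. The users, groups, roles, inventory paths, and permissions are constructed sample data, and the inheritance rules are a simplified model of vCenter's, not a call into any vSphere API.

```python
from __future__ import annotations

# Privileges this page requires per vCenter object type (destination objects,
# except VirtualMachine, which applies to the source VMs).
_VM_CONTAINER = {
    "VirtualMachine.Inventory.Create", "VirtualMachine.Interact.PowerOn",
    "VirtualMachine.State.CreateSnapshot", "VirtualMachine.State.RemoveSnapshot",
}
REQUIRED_PRIVILEGES = {
    "ComputeResource": _VM_CONTAINER, "HostSystem": _VM_CONTAINER,
    "ClusterComputeResource": _VM_CONTAINER, "ResourcePool": _VM_CONTAINER,
    "Folder": _VM_CONTAINER,
    "Datacenter": {"VirtualMachine.Inventory.Create", "VirtualMachine.Interact.PowerOn",
                   "VirtualMachine.Interact.PowerOff", "Resource.HotMigrate",
                   "Resource.ColdMigrate", "Folder.Create", "Folder.Delete"},
    "Datastore": {"Datastore.UpdateVirtualMachineMetadata", "Datastore.DeleteFile"},
    "DistributedVirtualPortgroup": {"Network.Assign"}, "Network": {"Network.Assign"},
    "VirtualMachine": {"VirtualMachine.Interact.PowerOn", "VirtualMachine.Interact.PowerOff",
                       "Resource.HotMigrate", "Resource.ColdMigrate",
                       "VirtualMachine.State.CreateSnapshot", "VirtualMachine.State.RemoveSnapshot",
                       "VirtualMachine.Hbr.ConfigureReplication",
                       "VirtualMachine.Hbr.MonitorReplication"},
}

# Constructed sample environment; every name below is hypothetical.
GROUPS = {  # user -> SSO / Active Directory groups the user belongs to
    "alice@corp.example": {"corp.example\\hcx-admins"},
    "bob@corp.example": {"corp.example\\vm-operators"},
}
HCX_ROLE_MAPPING = {"Administrator": {"corp.example\\hcx-admins"}, "Tenant": set()}
ROLES = {
    "HCX-Migration": set().union(*REQUIRED_PRIVILEGES.values()),  # custom least-privilege role
    "Read-only": set(),  # the built-in Read-only role carries no migration privileges
}
INVENTORY = {  # object path -> vCenter object type
    "/DC1": "Datacenter",
    "/DC1/host/Cluster1": "ClusterComputeResource",
    "/DC1/host/Cluster1/esx01": "HostSystem",
    "/DC1/datastore/ds-prod": "Datastore",
    "/DC1/network/dvpg-app": "DistributedVirtualPortgroup",
    "/DC1/vm/Migrated": "Folder",
}
PERMISSIONS = [  # (entity, principal, role, propagate to children)
    ("/DC1", "corp.example\\hcx-admins", "HCX-Migration", True),
    # An explicit, more specific permission on one datastore overrides the inherited one.
    ("/DC1/datastore/ds-prod", "corp.example\\hcx-admins", "Read-only", False),
]


def hcx_role(user: str) -> str | None:
    """HCX role from the Role Mapping; Administrator wins if groups map to both."""
    groups = GROUPS.get(user, set())
    for role in ("Administrator", "Tenant"):
        if groups & HCX_ROLE_MAPPING[role]:
            return role
    return None


def effective_privileges(user: str, path: str) -> set[str]:
    """Privileges the user holds on an object, following vCenter's rules:
    the permission on the most specific object wins, an ancestor's permission
    counts only if it propagates, and a permission granted to the user
    directly overrides group permissions on the same object."""
    principals = {user} | GROUPS.get(user, set())
    current, inherited = path, False
    while current:
        hits = [p for p in PERMISSIONS
                if p[0] == current and p[1] in principals and (p[3] or not inherited)]
        if hits:
            direct = [p for p in hits if p[1] == user]
            return set().union(*(ROLES[p[2]] for p in (direct or hits)))
        current, inherited = current.rsplit("/", 1)[0], True
    return set()


def missing_privileges(user: str, paths: list[str]) -> dict[str, set[str]]:
    """Per object, the privileges required by the table above that the user lacks."""
    gaps = {}
    for path in paths:
        lacking = REQUIRED_PRIVILEGES[INVENTORY[path]] - effective_privileges(user, path)
        if lacking:
            gaps[path] = lacking
    return gaps


if __name__ == "__main__":
    for user in GROUPS:
        print(f"{user}: HCX role = {hcx_role(user)}")
        for path, lacking in missing_privileges(user, list(INVENTORY)).items():
            print(f"  {path}: missing {sorted(lacking)}")
```

In the sample, alice is an HCX Administrator and her group holds a complete custom role at the data center, yet migration to ds-prod would still fail: the non-propagating Read-only permission set directly on that datastore overrides the inherited one, which is exactly why the note above insists on global object access for the registration accounts. bob has no mapped group and no permissions, so he gets neither an HCX role nor any privilege. To use the model against a real environment, replace the constructed dictionaries with the groups, roles, and permissions exported from vCenter.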