You use a service account for authentication and authorization of vSphere Data Protection for backup and restore operations.

Table 1. Authorization and Authentication Management Design Decisions

Decision ID

Design Decision

Design Justification

Design Implication

SDDC-OPS-BKP-010

Configure a service account svc-vdp in vCenter Server for application-to-application communication from vSphere Data Protection with vSphere.

Provides the following access control features:

  • vSphere Data Protection accesses vSphere with the minimum set of permissions that are required to perform backup and restore operations.

  • In the event of a compromised account, the accessibility in the destination application remains restricted.

  • You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.

You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability

SDDC-OPS-BKP-011

Use global permissions when you create the svc-vdp service account in vCenter Server.

  • Simplifies and standardizes the deployment of the service account across all vCenter Server instances in the same vSphere domain.

  • Provides a consistent authorization layer.

All vCenter Server instances must be in the same vSphere domain.