Protect the vRealize Operations Manager deployment by providing centralized role-based authentication and secure communication with the other components in the Consolidated SDDC.

Authentication and Authorization

You can allow users to authenticate in vRealize Operations Manager in the following ways:

Import users or user groups from an LDAP database

Users can use their LDAP credentials to log in to vRealize Operations Manager.

Use vCenter Server user accounts

After a vCenter Server instance is registered with vRealize Operations Manager, the following vCenter Server users can log in to vRealize Operations Manager:

  • Users that have administration access in vCenter Server.

  • Users that have one of the vRealize Operations Manager privileges, such as PowerUser, assigned to their account at the root level of the vCenter Server inventory.

Create local user accounts in vRealize Operations Manager

vRealize Operations Manager performs local authentication using the account information stored in its global database.

Table 1. Design Decisions about Authorization and Authentication Management for vRealize Operations Manager

Decision ID: CSDDC-OPS-MON-014
Design Decision: Use Active Directory authentication.
Design Justification:
  • Provides access to vRealize Operations Manager by using standard Active Directory accounts.
  • Ensures that authentication is available even if vCenter Server becomes unavailable.
Design Implication: You must manually configure the Active Directory authentication.

Decision ID: CSDDC-OPS-MON-015
Design Decision: Configure a service account svc-vrops-vsphere in vCenter Server for application-to-application communication from vRealize Operations Manager with vSphere.
Design Justification: Provides the following access control features:
  • The adapter in vRealize Operations Manager accesses vSphere with the minimum set of permissions that are required to collect metrics about vSphere inventory objects.
  • In the event of a compromised account, the accessibility in the destination application remains restricted.
  • You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.
Design Implication: You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability.

Decision ID: CSDDC-OPS-MON-016
Design Decision: Configure a service account svc-vrops-nsx in vCenter Server for application-to-application communication from vRealize Operations Manager with NSX for vSphere.
Design Justification: Provides the following access control features:
  • The adapter in vRealize Operations Manager accesses NSX for vSphere with the minimum set of permissions that are required for metrics collection and topology mapping.
  • In the event of a compromised account, the accessibility in the destination application remains restricted.
  • You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.
Design Implication: You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability.

Decision ID: CSDDC-OPS-MON-017
Design Decision: Configure a service account svc-vrops-mpsd in vCenter Server for application-to-application communication from the Storage Devices Adapter in vRealize Operations Manager with vSphere.
Design Justification: Provides the following access control features:
  • The adapter in vRealize Operations Manager accesses vSphere with the minimum set of permissions that are required to collect metrics about vSphere inventory objects.
  • In the event of a compromised account, the accessibility in the destination application remains restricted.
  • You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.
Design Implication: You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability.

Decision ID: CSDDC-OPS-MON-018
Design Decision: Configure a service account svc-vrops-vsan in vCenter Server for application-to-application communication from the vSAN Adapters in vRealize Operations Manager with vSphere.
Design Justification: Provides the following access control features:
  • The adapter in vRealize Operations Manager accesses vSphere with the minimum set of permissions that are required to collect metrics about vSAN inventory objects.
  • In the event of a compromised account, the accessibility in the destination application remains restricted.
  • You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.
Design Implication: You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability.

Decision ID: CSDDC-OPS-MON-019
Design Decision: Use global permissions when you create the svc-vrops-vsphere, svc-vrops-nsx, svc-vrops-vsan and svc-vrops-mpsd service accounts in vCenter Server.
Design Justification:
  • Simplifies and standardizes the deployment of the service accounts across all vCenter Server instances in the same vSphere domain.
  • Provides a consistent authorization layer.
Design Implication: All vCenter Server instances must be in the same vSphere domain.

Decision ID: CSDDC-OPS-MON-020
Design Decision: Configure a service account svc-vrops-vra in vRealize Automation for application-to-application communication from the vRealize Automation Adapter in vRealize Operations Manager with vRealize Automation.
Design Justification: Provides the following access control features:
  • The adapter in vRealize Operations Manager accesses vRealize Automation with the minimum set of permissions that are required for collecting metrics about provisioned virtual machines and capacity management.
  • In the event of a compromised account, the accessibility in the destination application remains restricted.
  • You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.
Design Implication:
  • You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability.
  • If you add more tenants to vRealize Automation, you must maintain the service account permissions to guarantee that metric uptake in vRealize Operations Manager is not compromised.

Decision ID: CSDDC-OPS-MON-021
Design Decision: Configure a local service account svc-vrops-nsx in each NSX instance for application-to-application communication from the NSX-vSphere Adapters in vRealize Operations Manager with NSX.
Design Justification: Provides the following access control features:
  • The adapter in vRealize Operations Manager accesses NSX for vSphere with the minimum set of permissions that are required for metrics collection and topology mapping.
  • In the event of a compromised account, the accessibility in the destination application remains restricted.
  • You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.
Design Implication: You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability.

Encryption

Access to all vRealize Operations Manager Web interfaces requires an SSL connection. By default, vRealize Operations Manager uses a self-signed certificate. To provide secure access to the vRealize Operations Manager user interface, replace the default self-signed certificates with a CA-signed certificate.

Table 2. Design Decisions about CA-Signed Certificates for vRealize Operations Manager

Decision ID: CSDDC-OPS-MON-022
Design Decision: Replace the default self-signed certificates with a CA-signed certificate.
Design Justification: Ensures that all communication to the externally facing Web UI is encrypted.
Design Implication: You must contact a certificate authority.
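A check that a node still presents the default self-signed certificate, or an expired or misnamed one, after decision CSDDC-OPS-MON-022 has been applied. This is an added example, not part of the VMware design or product; the hostname vrops01.example.local and the sample certificate dictionaries are constructed, and the live probe assumes the issuing CA is in the client's trust store.

```python
"""Verify that a vRealize Operations Manager web endpoint no longer uses the
default self-signed certificate (added example; certificate samples constructed)."""
import socket
import ssl
import time

# Constructed samples in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_SELF_SIGNED = {  # issuer == subject, as the default vROps certificate
    "subject": ((("commonName", "vrops01.example.local"),),),
    "issuer": ((("commonName", "vrops01.example.local"),),),
    "notAfter": "Jan  1 00:00:00 2031 GMT",
}
SAMPLE_CA_SIGNED = {  # issued by a (constructed) internal CA
    "subject": ((("commonName", "vrops01.example.local"),),),
    "issuer": ((("commonName", "Example Internal Issuing CA"),),),
    "subjectAltName": (("DNS", "vrops01.example.local"),),
    "notAfter": "Jan  1 00:00:00 2031 GMT",
}


def _name_to_dict(rdns):
    """Flatten the nested RDN tuples from getpeercert() into a plain dict."""
    return {key: value for rdn in rdns for (key, value) in rdn}


def is_self_signed(cert):
    """A certificate whose issuer equals its subject is self-signed."""
    return _name_to_dict(cert["subject"]) == _name_to_dict(cert["issuer"])


def assess_certificate(cert, expected_host, now=None):
    """Return a list of findings; an empty list means the cert passes all checks."""
    now = time.time() if now is None else now
    findings = []
    if is_self_signed(cert):
        findings.append("self-signed certificate: replace with a CA-signed one")
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
        findings.append("certificate has expired")
    names = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    names.add(_name_to_dict(cert["subject"]).get("commonName", "").lower())
    if expected_host.lower() not in names:
        findings.append(f"certificate does not name {expected_host}")
    return findings


def probe_endpoint(host, port=443):
    """Verified TLS handshake against a live node (hostname is a placeholder).
    Returns the findings list, or a single finding if the chain is untrusted."""
    ctx = ssl.create_default_context()  # uses the client's trust store
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return assess_certificate(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as exc:
        return [f"chain not trusted (self-signed or unknown CA): {exc.verify_message}"]
```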