You use a service account for authentication and authorization of vRealize Orchestrator to vCenter Server for orchestrating and creating virtual objects in the SDDC.

Table 1. Authorization and Authentication Management Design Decisions

Decision ID

Design Decision

Design Justification

Design Implication


Configure a service account svc-vro in vCenter Server for application-to-application communication from vRealize Orchestrator with vSphere.

You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.

You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability


Use local permissions when you create the svc-vro service account in vCenter Server.

The use of local permissions ensures that only the Compute vCenter Server instances are valid and accessible endpoints from vRealize Orchestrator.

If you deploy more Compute vCenter Server instances, you must ensure that the service account has been assigned local permissions in each vCenter Server so that this vCenter Server is a viable endpoint in vRealize Orchestrator.