You use a service account for authentication and authorization of NSX Manager for virtual network management.

Table 1. Authorization and Authentication Management Design Decisions

Decision ID: SDDC-VI-SDN-035

Design Decision: Configure a service account svc-nsxmanager in vCenter Server for application-to-application communication from NSX Manager with vSphere.

Design Justification: Provides the following access control features:

  • NSX Manager accesses vSphere with the minimum set of permissions that are required to perform lifecycle management of virtual networking objects.

  • In the event of a compromised account, the accessibility in the destination application remains restricted.

  • You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.

Design Implication: You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability.

Decision ID: SDDC-VI-SDN-036

Design Decision: Use global permissions when you create the svc-nsxmanager service account in vCenter Server.

Design Justification:

  • Simplifies and standardizes the deployment of the service account across all vCenter Server instances in the same vSphere domain.

  • Provides a consistent authorization layer.

Design Implication: All vCenter Server instances must be in the same vSphere domain.
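The following PowerCLI script is an added example, not part of the VMware Validated Design, that verifies decision SDDC-VI-SDN-035 after deployment: it lists every inventory permission held by svc-nsxmanager, shows the privileges of the assigned role, and flags the built-in Administrator role, which would defeat the minimum-permission intent. The vCenter Server name and the vsphere.local domain prefix are placeholders; global permissions (SDDC-VI-SDN-036) are managed in the vSphere Client and are not returned by Get-VIPermission, so check them there.

```powershell
# Added example: audit the svc-nsxmanager service account with PowerCLI.
# Assumes PowerCLI is installed and that the account lives in the
# vsphere.local SSO domain (placeholder values; adjust for your environment).
param(
    [string]$Server    = 'vcenter.example.local',        # placeholder
    [string]$Principal = 'VSPHERE.LOCAL\svc-nsxmanager'  # assumed domain prefix
)

Import-Module VMware.PowerCLI
Connect-VIServer -Server $Server | Out-Null

# Every inventory-level permission entry assigned directly to the service account
$perms = Get-VIPermission -Principal $Principal
if (-not $perms) {
    Write-Warning "No inventory permissions found for $Principal on $Server"
    Disconnect-VIServer -Server $Server -Confirm:$false
    return
}

$report = foreach ($perm in $perms) {
    # Resolve the role so its privilege list can be reviewed against the
    # minimum set required for virtual networking lifecycle management
    $role = Get-VIRole -Name $perm.Role
    $isBuiltInAdmin = ($perm.Role -eq 'Admin')

    if ($isBuiltInAdmin) {
        Write-Warning ("{0} holds the built-in Administrator role on '{1}'; " +
                       "SDDC-VI-SDN-035 calls for a least-privilege custom role") `
                       -f $Principal, $perm.Entity.Name
    }

    [pscustomobject]@{
        Entity         = $perm.Entity.Name
        Role           = $perm.Role
        Propagate      = $perm.Propagate
        IsBuiltInAdmin = $isBuiltInAdmin
        PrivilegeCount = $role.PrivilegeList.Count
        Privileges     = ($role.PrivilegeList -join ', ')
    }
}

# Review the privilege list by hand: anything outside virtual networking
# lifecycle management is a candidate for removal from the custom role
$report | Format-List

Disconnect-VIServer -Server $Server -Confirm:$false
```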