In this version of the validated design, you dedicate service accounts on vSphere for each integration with vRealize Operations Manager and you assign them global permissions accordingly. This version also introduces a naming convention for service accounts for consistency.

About this task

  • The svc-vrops-vsphere and svc-vrops-nsx users have read-only access on all objects in vCenter Server.

  • The svc-vrops-mpsd and svc-vrops-vsan users have rights that are specifically required for access to storage device and VSAN information, respectively, in vRealize Operations Manager on all objects in vCenter Server.

You assign global permissions to these service accounts by assigning them the following roles:

User

Role

svc-vrops-vsphere@rainpole.local

Read-only

svc-vrops-nsx@rainpole.local

Read-only

svc-vrops-vsan@rainpole.local

MPSD Metrics User

svc-vrops-mpsd@rainpole.local

MPSD Metrics User

Procedure

  1. Log in to vCenter Server by using the vSphere Web Client.
    1. Open a Web browser and go to https://sfo01m01vc01.sfo01.rainpole.local/vsphere-client.
    2. Log in using the following credentials.

      Setting

      Value

      User name

      administrator@vsphere.local

      Password

      vsphere_admin_password

  2. From the Home menu, select Administration.
  3. Click Global Permissions in the Access Control area.
  4. Click Add permission on the Manage tab.
  5. In the Global Permissions Root - Add Permission dialog box, click Add to associate a user or a group with a role.
  6. In the Select Users/Groups dialog box, select the first user
    1. From the Domain drop-down menu, select rainpole.local
    2. In the filter box type svc-vrops and press Enter.
    3. From the list of users and groups, select svc-vrops-vsphere, click Add, and click OK.
  7. Select a role.
    1. In the Global Permissions Root - Add Permission dialog box, from the Assigned Role drop-down menu, select Read-only.
    2. Ensure that Propagate to children is selected and click OK.
  8. Repeat the steps to assign global permissions to the other service accounts.