You use a service account for authentication and authorization of a VADP-compatible backup solution for backup and restore operations.

Table 1. Design Decisions About Authorization and Authentication Management for a VADP-Compatible Solution

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| CSDDC-OPS-BKP-010 | Configure a service account svc-bck-vcenter in vCenter Server for application-to-application communication from the VADP-compatible backup solution with vSphere. | Provides the following access control features:<br>• Provides the VADP-compatible backup solution with a minimum set of permissions that are required to perform backup and restore operations.<br>• In the event of a compromised account, the accessibility in the destination application remains restricted.<br>• You can introduce improved accountability in tracking request-response interactions between the components of the SDDC. | You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability. |
| CSDDC-OPS-BKP-011 | Use global permissions when you create the svc-bck-vcenter service account in vCenter Server. | • Simplifies and standardizes the deployment of the service account across all vCenter Server instances in the same vSphere domain.<br>• Provides a consistent authorization layer. | All vCenter Server instances must be in the same vSphere domain. |