A service account provides non-interactive, non-human access to the services and APIs of the SDDC components. You create service accounts for access to functionality on the SDDC nodes, and user accounts for operations and tenant administration.

Service Accounts

A service account is a standard Active Directory account that you configure in the following way:

  • The password never expires.
  • The user cannot change the password.

In addition, a dedicated service account is required to perform domain-join operations for any component that registers itself in Active Directory as a computer object. This account must have the right to join computers to the Active Directory domain, and nothing beyond what that operation needs.

Service Accounts in This VMware Validated Design

This Validated Design defines a set of service accounts that enable secure application-to-application communication, in one direction or in both. You use custom roles so that each account holds only the minimum permissions required for authentication and data exchange.

Figure 1. Service Accounts in VMware Validated Design for Software-Defined Data Center

You configure service accounts for communication between the management components of the SDDC. Each service account has only the rights needed to exchange data with its destination.
Table 1. Application-to-Application or Application Service Accounts in the VMware Validated Design
Columns: User Name, Source, Destination, Description, Required Role

svc-domain-join
  Source: Various management components (one-time domain-join action)
  Destination: Active Directory
  Description: Service account for performing domain-join operations from certain SDDC management components.
  Required role:
    • Account Operators group
    • Delegation to join computers to the domain, for both the parent and the child domains

svc-nsxmanager
  Source: NSX for vSphere Manager
  Destination: vCenter Server
  Description: Service account for registering NSX Manager with vCenter Single Sign-On on the Platform Services Controller and with vCenter Server for the management cluster and for the shared compute and edge cluster.
  Required role: Administrator

svc-vrli
  Source: vRealize Log Insight
  Destination: Active Directory
  Description: Service account for using Active Directory as an authentication source in vRealize Log Insight.
  Required role: -

svc-vrli-vsphere
  Source: vRealize Log Insight
  Destination: vCenter Server
  Description: Service account for connecting vRealize Log Insight to vCenter Server and ESXi for forwarding log information.
  Required role: Log Insight User (vCenter Server)

svc-vrli-vrops
  Source: vRealize Log Insight
  Destination: vRealize Operations Manager
  Description: Service account for connecting vRealize Log Insight to vRealize Operations Manager for log forwarding, alerts, and Launch in Context integration.
  Required role: Administrator

svc-vrslcm-vsphere
  Source: vRealize Suite Lifecycle Manager
  Destination: vCenter Server
  Description: Service account for deploying and managing the lifecycle of vRealize Suite components on the Software-Defined Data Center management cluster.
  Required role: vRealize Suite Lifecycle Manager User (custom)

svc-bck-vsphere
  Source: vSphere Storage API - Data Protection
  Destination: vCenter Server
  Description: Service account for performing backups with the vSphere Storage API - Data Protection against vCenter Server for the management cluster.
  Required role: VADP Backup Solution Requirements

svc-srm
  Source: Site Recovery Manager
  Destination: vCenter Server
  Description: Service account for connecting Site Recovery Manager to vCenter Server and for pairing sites in Site Recovery Manager.
  Required role: Single Sign-On Administrator

svc-vr
  Source: vSphere Replication
  Destination: vCenter Server
  Description: Service account for connecting vSphere Replication to vCenter Server and for pairing vSphere Replication instances.
  Required role: Single Sign-On Administrator

svc-vra
  Source: vRealize Automation
  Destination:
    • vCenter Server
    • vRealize Automation
  Description: Service account for access from vRealize Automation to vCenter Server. This account is part of the vRealize Automation setup process.
  Required role:
    • Administrator
    • vRealize Orchestrator Administrator

svc-vro
  Source: vRealize Orchestrator
  Destination: vCenter Server
  Description: Service account for access from vRealize Orchestrator to vCenter Server.
  Required role: Administrator

svc-vrops
  Source: vRealize Operations Manager
  Destination: Active Directory
  Description: Service account for Active Directory integration in vRealize Operations Manager for user authentication.
  Required role: -

svc-vrops-vsphere
  Source: vRealize Operations Manager
  Destination: vCenter Server
  Description: Service account for monitoring and collecting general metrics about vSphere objects, including infrastructure and virtual machines, from vCenter Server into vRealize Operations Manager, and for performing some actions or tasks on the objects it manages in vCenter Server.
  Required role: vSphere Actions User

svc-vrops-nsx
  Source: vRealize Operations Manager
  Destination:
    • vCenter Server
    • NSX for vSphere
  Description: Local service account for connecting the NSX for vSphere adapter for vRealize Operations Manager to the NSX Manager instances in the SDDC.
  Required role:
    • Read-Only (vCenter Server)
    • Enterprise Administrator (NSX)

svc-vrops-vsan
  Source: vRealize Operations Manager
  Destination: vCenter Server
  Description: Service account for monitoring and collecting metrics about vSAN components from vCenter Server into vRealize Operations Manager.
  Required role: MPSD Metrics User

svc-vrops-mpsd
  Source: vRealize Operations Manager
  Destination: vCenter Server
  Description: Service account for storage device monitoring of the vCenter Server instances in the SDDC from vRealize Operations Manager.
  Required role: MPSD Metrics User

svc-vrops-srm
  Source: vRealize Operations Manager
  Destination: Site Recovery Manager
  Description: Service account for monitoring site recovery of the Management vCenter Server from vRealize Operations Manager.
  Required role: SRM Read-only

svc-vrops-vra
  Source: vRealize Operations Manager
  Destination: vRealize Automation
  Description: Service account for connecting the vRealize Automation adapter for vRealize Operations Manager to vRealize Automation.
  Required role:
    • IaaS Administrator
    • Infrastructure Architect
    • Software Architect
    • Tenant Administrator
    • Fabric Administrator

svc-vra-vrops
  Source: vRealize Automation
  Destination: vRealize Operations Manager
  Description: Service account for integrating health statistics from vRealize Operations Manager into the vRealize Automation portal.
  Required role: Read-Only

svc-umds
  Source: vSphere Update Manager Download Service
  Destination: -- (local account on the host virtual machine; no remote destination)
  Description: Local service account for configuring the Update Manager Download Service on the host virtual machine.
  Required role: Administrator
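As an added example (not code from the VMware Validated Design), the following PowerShell creates several of the svc-* accounts from Table 1 with the two settings required above (password never expires, user cannot change the password) and then audits every svc-* account for drift from those settings. The OU path, the per-account password generation and the Description text are assumptions; the Account Operators membership for svc-domain-join follows Table 1, while the OU-level delegation to join computers is not shown here.

```powershell
# Added example, not part of the VMware Validated Design.
# Assumptions: the ActiveDirectory module is installed, the OU below exists,
# and the caller is allowed to create accounts in it.
Import-Module ActiveDirectory

$domain   = "rainpole.local"
$ouPath   = "OU=Service Accounts,DC=rainpole,DC=local"   # assumed OU; adjust to your design
$accounts = @("svc-vrli", "svc-vrops", "svc-vra", "svc-vro", "svc-domain-join")

foreach ($sam in $accounts) {
    # 32 random bytes per account, base64-encoded. Because the password never
    # expires, rotation is manual: record this value in your secrets store now.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    New-ADUser -Name $sam `
               -SamAccountName $sam `
               -UserPrincipalName "$sam@$domain" `
               -Path $ouPath `
               -AccountPassword $password `
               -PasswordNeverExpires $true `
               -CannotChangePassword $true `
               -Enabled $true `
               -Description "SDDC service account (non-interactive)"   # assumed text
}

# Only the domain-join account receives the extra group membership from Table 1.
Add-ADGroupMember -Identity "Account Operators" -Members "svc-domain-join"

# Audit: list any svc-* account that is missing either required setting.
# An empty result means every service account still matches the design.
Get-ADUser -Filter 'SamAccountName -like "svc-*"' `
           -Properties PasswordNeverExpires, CannotChangePassword, PasswordLastSet |
    Where-Object { -not $_.PasswordNeverExpires -or -not $_.CannotChangePassword } |
    Select-Object SamAccountName, PasswordNeverExpires, CannotChangePassword, PasswordLastSet
```

Run the audit portion on its own periodically: the non-expiring password is what keeps the integrations from breaking, so the checks that the account has not been altered and that the password has actually been rotated (PasswordLastSet) have to be done by you rather than by domain policy.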

User Accounts in the Parent Domain

Create the following user accounts in the parent Active Directory domain rainpole.local:

Table 2. User Accounts in the rainpole.local Parent Domain
Columns: User Name, Description, Service Account, Member of Groups

vra-admin-rainpole
  Description: Tenant administrator role in the SDDC for configuring vRealize Automation according to the needs of your organization, including user and group management, tenant branding and notifications, and business policies.
  Service account: No
  Member of groups:
    • RAINPOLE\ug-vra-admins-rainpole
    • RAINPOLE\ug-vROAdmins

vra-arch-rainpole
  Description: Tenant blueprint architect role in the SDDC for creating the blueprints that tenants request from the service catalog.
  Service account: No
  Member of groups: RAINPOLE\ug-vra-archs-rainpole

Users in the Child Domains

Create the following accounts for user access in each child Active Directory domain to provide centralized user access to the SDDC. In Active Directory, you do not assign these accounts any rights beyond the defaults.

Table 3. User Accounts in the Child Domains
Columns: User Name, Description, Service Account, Member of Groups

SDDC-Admin
  Description: Global administrative account across the SDDC.
  Service account: No
  Member of groups: RAINPOLE\ug-SDDC-Admins