You use a service account for authentication and authorization of NSX Manager for virtual network management.

Table 1. Design Decisions on Authorization and Authentication Management in NSX

Decision ID: ROBO-VI-SDN-024

Design Decision: Configure a service account svc-nsxmanager in vCenter Server for application-to-application communication from NSX Manager with vSphere.

Design Justification: Provides the following access control features:

  • NSX Manager accesses vSphere with the minimum set of permissions that are required to perform lifecycle management of virtual networking objects.

  • In the event of a compromised account, the accessibility in the destination application remains restricted.

  • You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.

Design Implication: You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability.

Decision ID: ROBO-VI-SDN-025

Design Decision: Use global permissions when you create the svc-nsxmanager service account in vCenter Server.

Design Justification:

  • Simplifies and standardizes the deployment of the service account across all vCenter Server instances in the same vSphere domain.

  • Provides a consistent authorization layer.

Design Implication: All vCenter Server instances must be in the same vSphere domain.