You protect the vRealize Operations Manager deployment by providing centralized role-based authentication and secure communication with the other components in the SDDC. You dedicate a set of service accounts to the communication between vRealize Operations Manager and the management solutions in the data center.

Authentication and Authorization

Users can authenticate to vRealize Operations Manager in the following ways:

Import users or user groups from an LDAP database

Users can use their LDAP credentials to log in to vRealize Operations Manager.

Use vCenter Server user accounts

After a vCenter Server instance is registered with vRealize Operations Manager, the following vCenter Server users can log in to vRealize Operations Manager:

  • Users that have administration access in vCenter Server.

  • Users that have one of the vRealize Operations Manager privileges, such as PowerUser, assigned to their account at the root level in vCenter Server.

Create local user accounts in vRealize Operations Manager

vRealize Operations Manager performs local authentication using the account information stored in its global database.

Table 1. Design Decisions on Authorization and Authentication Management for vRealize Operations Manager

Each decision lists the Decision ID, Design Decision, Design Justification, and Design Implication.

ROBO-OPS-MON-009

  Design Decision: Configure a service account svc-vrops-vsphere in the ROBO vCenter Server for application-to-application communication from vRealize Operations Manager with vSphere.

  Design Justification: Provides the following access control features:

    • The adapters in vRealize Operations Manager access vSphere with the minimum set of permissions that are required to collect metrics about vSphere inventory objects.

    • In the event of a compromised account, the accessibility in the destination application remains restricted.

    • You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.

  Design Implication: You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability.

ROBO-OPS-MON-010

  Design Decision: Configure a service account svc-vrops-nsx in the ROBO vCenter Server for application-to-application communication from vRealize Operations Manager with NSX for vSphere.

  Design Justification: Provides the following access control features:

    • The adapters in vRealize Operations Manager access NSX for vSphere with the minimum set of permissions that are required for metric collection and topology mapping.

    • In the event of a compromised account, the accessibility in the destination application remains restricted.

    • You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.

  Design Implication: You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability.

ROBO-OPS-MON-011

  Design Decision: Configure a service account svc-vrops-mpsd in the ROBO vCenter Server for application-to-application communication from the Storage Devices Adapters in vRealize Operations Manager with vSphere.

  Design Justification: Provides the following access control features:

    • The adapters in vRealize Operations Manager access vSphere with the minimum set of permissions that are required to collect metrics about vSphere inventory objects.

    • In the event of a compromised account, the accessibility in the destination application remains restricted.

    • You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.

  Design Implication: You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability.

ROBO-OPS-MON-012

  Design Decision: Configure a service account svc-vrops-vsan in the ROBO vCenter Server for application-to-application communication from the vSAN Adapters in vRealize Operations Manager with vSphere.

  Design Justification: Provides the following access control features:

    • The adapters in vRealize Operations Manager access vSphere with the minimum set of permissions that are required to collect metrics about vSAN inventory objects.

    • In the event of a compromised account, the accessibility in the destination application remains restricted.

    • You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.

  Design Implication: You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability.

ROBO-OPS-MON-013

  Design Decision: Use global permissions when you apply the svc-vrops-vsphere, svc-vrops-nsx, svc-vrops-vsan, and svc-vrops-mpsd service accounts in the ROBO vCenter Server.

  Design Justification:

    • Simplifies and standardizes the deployment of the service accounts across all vCenter Server instances in the same vSphere domain.

    • Provides a consistent authorization layer.

  Design Implication: None.

ROBO-OPS-MON-014

  Design Decision: Configure a local service account svc-vrops-nsx on the ROBO NSX instance for application-to-application communication from the NSX-vSphere Adapters in vRealize Operations Manager with NSX.

  Design Justification: Provides the following access control features:

    • The adapters in vRealize Operations Manager access NSX for vSphere with the minimum set of permissions that are required for metric collection and topology mapping.

    • In the event of a compromised account, the accessibility in the destination application remains restricted.

    • You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.

  Design Implication: You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability.
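Decisions ROBO-OPS-MON-009 to ROBO-OPS-MON-014 only hold if the four service accounts stay on least-privilege roles and global permissions over time. The following audit is an added example, not part of the design guide and not VMware code; it runs over a constructed permissions export, and both the export format and the Read-only privilege baseline are assumptions (the real minimum privilege set for each adapter comes from the adapter documentation).

```python
"""Least-privilege audit of the vCenter permissions granted to the
vRealize Operations Manager service accounts (added example)."""
import csv
import io

# Constructed sample of a permissions export; not real data. One row per
# permission assignment: principal, role, scope, ;-separated privileges.
SAMPLE_EXPORT = """principal,role,scope,privileges
VSPHERE.LOCAL\\svc-vrops-vsphere,vROps-vSphere-Collector,Global,System.Anonymous;System.Read;System.View
VSPHERE.LOCAL\\svc-vrops-vsan,vROps-vSAN-Collector,Global,System.Anonymous;System.Read;System.View
VSPHERE.LOCAL\\svc-vrops-mpsd,Administrator,Global,System.Anonymous;System.Read;System.View;VirtualMachine.Interact.PowerOn
VSPHERE.LOCAL\\svc-vrops-nsx,vROps-NSX-Collector,Datacenter:robo-dc01,System.Anonymous;System.Read;System.View
"""

# Assumed baseline: the Read-only privilege triple for every account. The
# real minimum set for each adapter comes from the adapter documentation.
READ_ONLY = frozenset({"System.Anonymous", "System.Read", "System.View"})
BASELINE = {name: READ_ONLY for name in
            ("svc-vrops-vsphere", "svc-vrops-nsx",
             "svc-vrops-mpsd", "svc-vrops-vsan")}


def audit(export_csv, baseline=BASELINE):
    """Return a list of findings; an empty list means the export matches
    the design (global scope, no Administrator role, no privileges beyond
    the baseline, every service account present)."""
    findings = []
    seen = set()
    for row in csv.DictReader(io.StringIO(export_csv)):
        account = row["principal"].rsplit("\\", 1)[-1]  # strip the domain
        if account not in baseline:
            continue  # not one of the vROps service accounts
        seen.add(account)
        if row["scope"] != "Global":
            findings.append(f"{account}: permission scoped to {row['scope']}, "
                            "design calls for a global permission")
        if row["role"] == "Administrator":
            findings.append(f"{account}: holds the Administrator role; a "
                            "compromise would not be contained")
        extra = set(row["privileges"].split(";")) - baseline[account]
        if extra:
            findings.append(f"{account}: privileges beyond baseline: "
                            + ", ".join(sorted(extra)))
    for account in sorted(set(baseline) - seen):
        findings.append(f"{account}: no permission found, adapter collection will fail")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

On the constructed export the audit flags the svc-vrops-mpsd account twice (Administrator role and an extra privilege) and svc-vrops-nsx once (permission scoped to a datacenter rather than global), and passes the other two accounts.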

Encryption

Access to all vRealize Operations Manager Web interfaces requires an SSL connection. By default, vRealize Operations Manager uses a self-signed certificate. To provide secure access to the vRealize Operations Manager user interface, replace the default self-signed certificates with a CA-signed certificate.

Table 2. Design Decision on Using CA-Signed Certificates in vRealize Operations Manager

Decision ID

Design Decision

Design Justification

Design Implication