You protect the vRealize Operations Manager deployment by providing centralized role-based authentication and secure communication with the other components in the SDDC. You dedicate a set of service accounts to the communication between vRealize Operations Manager and the management solutions in the data center.
Authentication and Authorization
Users can authenticate to vRealize Operations Manager in the following ways:
- Import users or user groups from an LDAP database. Users can then use their LDAP credentials to log in to vRealize Operations Manager.
- Use vCenter Server user accounts. After a vCenter Server instance is registered with vRealize Operations Manager, the following vCenter Server users can log in to vRealize Operations Manager:
  - Users that have administration access in vCenter Server.
  - Users that have one of the vRealize Operations Manager privileges, such as PowerUser, assigned to their account at the root level in vCenter Server.
- Create local user accounts in vRealize Operations Manager. vRealize Operations Manager performs local authentication using the account information stored in its global database.
Decision ID | Design Decision | Design Justification | Design Implication
---|---|---|---
ROBO-OPS-MON-009 | Configure a service account svc-vrops-vsphere in the ROBO vCenter Server for application-to-application communication from vRealize Operations Manager with vSphere. | Provides the following access control features: | You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability.
ROBO-OPS-MON-010 | Configure a service account svc-vrops-nsx in the ROBO vCenter Server for application-to-application communication from vRealize Operations Manager with NSX for vSphere. | Provides the following access control features: | You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability.
ROBO-OPS-MON-011 | Configure a service account svc-vrops-mpsd in the ROBO vCenter Server for application-to-application communication from the Storage Devices Adapters in vRealize Operations Manager with vSphere. | Provides the following access control features: | You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability.
ROBO-OPS-MON-012 | Configure a service account svc-vrops-vsan in the ROBO vCenter Server for application-to-application communication from the vSAN Adapters in vRealize Operations Manager with vSphere. | Provides the following access control features: | You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability.
ROBO-OPS-MON-013 | Use global permissions when you apply the svc-vrops-vsphere, svc-vrops-nsx, svc-vrops-vsan, and svc-vrops-mpsd service accounts in the ROBO vCenter Server. | | None.
ROBO-OPS-MON-014 | Configure a local service account svc-vrops-nsx on the ROBO NSX instance for application-to-application communication from the NSX-vSphere Adapters in vRealize Operations Manager with NSX. | Provides the following access control features: | You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability.
Encryption
Access to all vRealize Operations Manager Web interfaces requires an HTTPS (SSL/TLS) connection. By default, vRealize Operations Manager uses a self-signed certificate. Clients cannot validate a self-signed certificate against a trusted issuer, so it does not let a browser or an adapter distinguish the appliance from an attacker presenting a different self-signed certificate. To provide secure access to the vRealize Operations Manager user interface, replace the default self-signed certificate with a certificate signed by a certificate authority (CA) that the connecting clients trust.
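A practitioner's check for this decision, added here as an example and not part of the VMware Validated Design or of vRealize Operations Manager: the script below classifies a PEM certificate as self-signed (subject equals issuer, which is how the default appliance certificate looks), trusted (it chains to a CA in a given bundle) or untrusted, and can pull the leaf certificate from a live endpoint. It assumes the `openssl` command-line tool is installed; the host name vrops.robo.example, the default trust-bundle path and the fixture directory are placeholders, and `make_fixtures` generates constructed sample certificates so the checks run offline.

```shell
#!/bin/sh
# Added example (not VMware's code): classify a PEM certificate as self-signed or
# CA-issued and verify it against a trust bundle. Requires the openssl CLI.
# Host name vrops.robo.example and the /etc/ssl/certs bundle path are placeholders.

# is_self_signed PEMFILE
# Returns 0 when the certificate's subject DN equals its issuer DN, which is the
# case for the default vRealize Operations Manager certificate. Caveat: a CA-issued
# certificate whose subject happens to equal the issuer's DN would also match.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# verify_chain PEMFILE CABUNDLE
# Returns 0 when the certificate chains to a CA in the bundle, i.e. what a browser
# or an adapter connecting to the appliance must be able to do.
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# fetch_leaf HOST PORT OUTFILE
# Saves the leaf certificate presented by a live HTTPS endpoint, for example:
#   fetch_leaf vrops.robo.example 443 /tmp/vrops-leaf.pem
fetch_leaf() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# report PEMFILE CABUNDLE
# Prints exactly one of: self-signed | trusted | untrusted
report() {
    if is_self_signed "$1"; then
        echo self-signed
    elif verify_chain "$1" "$2"; then
        echo trusted
    else
        echo untrusted
    fi
}

# make_fixtures DIR
# Constructed sample input so the checks can run offline: a self-signed appliance
# style certificate (selfsigned.pem), a private lab CA (ca.pem) and a leaf issued by
# that CA (leaf.pem). Keys are throwaway and valid for one day.
make_fixtures() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=vrops.robo.example" \
        -keyout "$dir/selfsigned.key" -out "$dir/selfsigned.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ROBO Lab CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=vrops.robo.example" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/leaf.pem" 2>/dev/null
}

# Usage: sh vrops-cert-check.sh HOST [PORT [CABUNDLE]]
# With no arguments the functions are only defined (the fixtures are for testing).
if [ "$#" -gt 0 ]; then
    tmp=$(mktemp -d)
    fetch_leaf "$1" "${2:-443}" "$tmp/leaf.pem"
    report "$tmp/leaf.pem" "${3:-/etc/ssl/certs/ca-certificates.crt}"
    rm -rf "$tmp"
fi
```

Run the check against the bundle that the real clients use (the browser's trust store, or the trust store of any system whose adapter connects to the appliance), not only the appliance's own: a CA-signed certificate only removes the self-signed weakness when the issuing CA is trusted by those clients.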
Decision ID | Design Decision | Design Justification | Design Implication
---|---|---|---