Information Security and Access Control in vRealize Automation for Consolidated SDDC

For orchestrating and creating virtual objects in the SDDC, you use a service account for authentication and authorization of vRealize Automation to vCenter Server and vRealize Operations Manager.

Authentication and Authorization

Users can authenticate to vRealize Automation in the following ways:

Import users or user groups from an LDAP database: Users can use their LDAP credentials to log in to vRealize Automation.
Create local user accounts in vRealize Operations Manager: vRealize Automation performs local authentication using account information stored in its global database.

vRealize Automation also authenticates to the following systems:

Compute vCenter Server and NSX for workload provisioning
vRealize Operations Manager for workload reclamation

Table 1. Design Decisions on Authorization and Authentication Management for vRealize Automation
Decision ID	Design Decision	Design Justification	Design Implication
CSDDC-CMP-012	Join vRealize Automation IaaS VMs to Active Directory.	Active Directory access is a hard requirement for vRealize Automation.	Active Directory access must be provided using dedicated service accounts .
CSDDC-CMP-013	Configure a service account svc-vra in vCenter Server and NSX for application-to-application communication from vRealize Automation with vSphere and NSX.	Provides the following access control features: The proxy agents in vRealize Automation access vSphere and NSX with the minimum set of permissions that are required to collect metrics about vSphere inventory objects. In the event of a compromised account, the accessibility in the destination application remains restricted. You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.	You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability.
CSDDC-CMP-014	Use local permissions when you create the svc-vra service account in vCenter Server.	Supports future expansion to a dual-region environment.	If you deploy more vCenter Server instances, you must ensure that the service account has been assigned local permissions in each vCenter Server so that this vCenter Server is a valid endpoint in vRealize Automation.
CSDDC-CMP-015	Configure a service account svc-vra-vrops on vRealize Operations Manager for application-to-application communication from vRealize Automation for collecting health and resource metrics for tenant workload reclamation.	vRealize Automation accesses vRealize Operations Manager with the minimum set of permissions that are required for collecting metrics to determine the workloads that are potential candidates for reclamation. In the event of a compromised account, the accessibility in the destination application remains restricted. You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.	You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability.

Encryption

Access to all vRealize Automation Web applications requires an SSL connection. By default, vRealize Automation uses a self-signed certificate. To provide secure access to the vRealize Automation user interfaces and between the IaaS components interacting with each other by using Web applications, replace the default self-signed certificates with a CA-signed certificate.

Table 2. Design Decision on Using CA-Signed Certificates in vRealize Automation
Decision ID	Design Decision	Design Justification	Design Implication
CSDDC-CMP-016	Replace the default self-signed certificates with a CA-signed certificate.	Ensures that all communication to the externally facing Web UI and between the IaaS components is encrypted.	You must contact a certificate authority.