A service account provides non-interactive, non-human access to services and APIs for the components of the SDDC. You must create service accounts for accessing functionality on the SDDC nodes, and user accounts for operations and tenant administration.

Service Accounts

A service account is a standard Active Directory account that you configure in the following way:

  • The password never expires.

  • The user cannot change the password.

In addition, a special service account is also required to perform domain join operations if a component registers itself in Active Directory as a computer object. This account must have the right to join computers to both the parent and child Active Directory domains.

Service Accounts in VMware Validated Design

This Validated Design introduces a set of service accounts that are used for one-directional or bidirectional communication to enable secure application communication. You use custom roles to ensure that these accounts have only the minimum permissions required for authentication and data exchange.

Figure 1. Service Accounts in VMware Validated Design for Consolidated SDDC
You configure service accounts for communication between the management components of the SDDC. The service accounts have only the rights required to exchange data.
Table 1. Application-to-Application or Application Service Accounts in VMware Validated Design

| User Name | Source | Destination | Description | Required Role | Password Complexity Category |
|---|---|---|---|---|---|
| svc-domain-join | Various management components (one-time domain join action) | Parent Active Directory domain; child Active Directory domains | Service account for performing domain-join operations from certain SDDC management components. | Account Operators group; delegation to join computers to the domain | Standard |
| svc-nsxmanager | NSX for vSphere Manager | vCenter Server | Service account for registering NSX Manager with vCenter Single Sign-On on the Platform Services Controller and vCenter Server for the management cluster and for the shared compute and edge cluster | Administrator | Standard |
| svc-vrli | vRealize Log Insight | Parent Active Directory domain | Service account for using Active Directory as an authentication source in vRealize Log Insight | - | Standard |
| svc-vrli-vsphere | vRealize Log Insight | vCenter Server | Service account for connecting vRealize Log Insight to vCenter Server and ESXi for forwarding log information | Log Insight User (vCenter Server) | Standard |
| svc-vrli-vrops | vRealize Log Insight | vRealize Operations Manager | Service account for connecting vRealize Log Insight to vRealize Operations Manager for log forwarding, alerts, and Launch in Context integration | Administrator | Standard |
| svc-vrslcm-vsphere | vRealize Suite Lifecycle Manager | vCenter Server | Service account for deploying and managing the lifecycle of vRealize Suite components on the Software-Defined Data Center management cluster | vRealize Suite Lifecycle Manager User (Custom) | Standard |
| svc-bck-vsphere | vSphere Storage API - Data Protection | vCenter Server | Service account for performing backups using the vSphere Storage API - Data Protection with vCenter Server for the management cluster | VADP Backup Solution Requirements | Standard |
| svc-vra | vRealize Automation | vCenter Server; vRealize Automation | Service account for access from vRealize Automation to vCenter Server and NSX. This account is part of the vRealize Automation setup process. | Administrator; vRealize Orchestrator Administrator | Standard |
| svc-vro | vRealize Orchestrator | vCenter Server | Service account for access from vRealize Orchestrator to vCenter Server | Administrator | Standard |
| svc-vrops | vRealize Operations Manager | Parent Active Directory domain | Service account for integrating Active Directory with vRealize Operations Manager for user authentication | - | Standard |
| svc-vrops-vsphere | vRealize Operations Manager | vCenter Server | Service account for monitoring and collecting general metrics about vSphere objects, including infrastructure and virtual machines, from vCenter Server into vRealize Operations Manager, and for performing actions or tasks on the objects it manages in vCenter Server | vSphere Actions User | Standard |
| svc-vrops-nsx | vRealize Operations Manager | vCenter Server; NSX for vSphere | Service account that exists in the Active Directory domain and locally on NSX Manager for collecting data about virtual networking from the NSX Manager instances into vRealize Operations Manager. | Read-Only (vCenter Server); Enterprise Administrator (NSX) | Standard |
| svc-vrops-vsan | vRealize Operations Manager | vCenter Server | Service account for monitoring and collecting metrics about vSAN datastores from vCenter Server into vRealize Operations Manager | MPSD Metrics User | Standard |
| svc-vrops-mpsd | vRealize Operations Manager | vCenter Server | Service account for storage device monitoring of the vCenter Server instances in the SDDC from vRealize Operations Manager | MPSD Metrics User | Standard |
| svc-vrops-vra | vRealize Operations Manager | vRealize Automation | Service account for collecting data in vRealize Operations Manager about the workloads in vRealize Automation | IaaS Administrator; Infrastructure Architect; Software Architect; Tenant Administrator; Fabric Administrator | Standard |
| svc-vra-vrops | vRealize Automation | vRealize Operations Manager | Service account for retrieving statistics from vRealize Operations Manager in vRealize Automation for workload reclamation | Read-Only | Standard |
| svc-umds | vSphere Update Manager Download Service | - | Local service account for configuring the Update Manager Download Service on the host virtual machine | Administrator | Standard |
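The following PowerShell is an added example, not code from the VMware Validated Design documentation. It uses the ActiveDirectory module to create service accounts with the two settings the design requires (password never expires, user cannot change the password), adds the one Active Directory group membership that Table 1 lists (Account Operators for svc-domain-join), and audits the domain afterwards for accounts that have drifted from that configuration. The OU path, the UPN suffix and the four-entry account list are assumptions constructed from the page; the delegated right to join computers to the domain is an ACL change on the computers container and is not shown.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the VMware Validated Design documentation.
# Assumed values: the OU below and the UPN suffix rainpole.local (the page's
# parent domain). The account list is constructed from a subset of Table 1.
$ServiceAccountOU = 'OU=Service Accounts,DC=rainpole,DC=local'   # assumed OU
$UpnSuffix        = 'rainpole.local'

# Constructed from Table 1. Only svc-domain-join needs an Active Directory
# group (Account Operators); the others receive their rights inside vCenter
# Server, NSX or vRealize, so they carry no AD group membership at all.
$ServiceAccounts = @(
    @{ Name = 'svc-domain-join'; Description = 'Domain-join operations from SDDC management components'; Groups = @('Account Operators') }
    @{ Name = 'svc-nsxmanager';  Description = 'NSX Manager registration with vCenter Server';           Groups = @() }
    @{ Name = 'svc-vrli';        Description = 'vRealize Log Insight authentication source';               Groups = @() }
    @{ Name = 'svc-vrops';       Description = 'vRealize Operations Manager authentication source';        Groups = @() }
)

function New-SddcServiceAccount {
    <# Creates one service account configured the way the design requires:
       the password never expires and the user cannot change it. #>
    param(
        [Parameter(Mandatory)] [string]       $Name,
        [Parameter(Mandatory)] [string]       $Description,
        [Parameter(Mandatory)] [securestring] $Password,
        [string[]] $Groups = @(),
        [string]   $Path   = $ServiceAccountOU
    )
    $params = @{
        Name                  = $Name
        SamAccountName        = $Name
        UserPrincipalName     = "$Name@$UpnSuffix"
        Description           = $Description
        Path                  = $Path
        AccountPassword       = $Password
        Enabled               = $true
        PasswordNeverExpires  = $true    # required for every service account
        CannotChangePassword  = $true    # required for every service account
        ChangePasswordAtLogon = $false   # a forced change would break a non-interactive login
    }
    New-ADUser @params
    foreach ($g in $Groups) {
        Add-ADGroupMember -Identity $g -Members $Name
    }
    # Return the created object so the caller can confirm the flags took effect.
    Get-ADUser -Identity $Name -Properties PasswordNeverExpires, CannotChangePassword, MemberOf
}

function Invoke-SddcServiceAccountSetup {
    # Prompts for each password so nothing secret is stored in this script.
    foreach ($acct in $ServiceAccounts) {
        $pw = Read-Host -Prompt "Password for $($acct.Name)" -AsSecureString
        New-SddcServiceAccount -Name $acct.Name -Description $acct.Description -Password $pw -Groups $acct.Groups
    }
}

function Test-SddcServiceAccounts {
    <# Audit: every svc-* account must keep both flags, and no enabled account
       outside the service-account OU should have a non-expiring password. #>
    param([string] $SearchBase = $ServiceAccountOU)
    $findings = [System.Collections.Generic.List[string]]::new()

    $svc = Get-ADUser -Filter 'SamAccountName -like "svc-*"' -SearchBase $SearchBase `
                      -Properties PasswordNeverExpires, CannotChangePassword
    foreach ($a in $svc) {
        if (-not $a.PasswordNeverExpires) {
            $findings.Add("$($a.SamAccountName): password expires; the non-interactive login will start failing on expiry")
        }
        if (-not $a.CannotChangePassword) {
            $findings.Add("$($a.SamAccountName): account may change its own password")
        }
    }

    # Inverse check: a non-expiring password on an enabled account outside the
    # OU is usually a human account configured like a service account.
    $stray = Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
                        -Properties PasswordNeverExpires |
             Where-Object { $_.DistinguishedName -notlike "*,$SearchBase" }
    foreach ($s in $stray) {
        $findings.Add("$($s.SamAccountName): non-expiring password outside $SearchBase")
    }
    return $findings
}

# Usage:
#   Invoke-SddcServiceAccountSetup      # creates the accounts listed above
#   Test-SddcServiceAccounts            # returns an empty list when compliant
```

Running `Test-SddcServiceAccounts` on a schedule is the useful half of this: the two flags are easy to set once and easy to lose during a later cleanup, and the inverse check catches the more common drift, which is a human account that has been given a never-expiring password so that it behaves like one of these service accounts.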

User Accounts in the Parent Domain

Create the following user accounts in the parent Active Directory domain rainpole.local:

Table 2. User Accounts in the rainpole.local Parent Domain

| User Name | Description | Service Account | Member of Groups |
|---|---|---|---|
| vra-admin-rainpole | Tenant administrator role in the SDDC for configuring vRealize Automation according to the needs of your organization, including user and group management, tenant branding and notifications, and business policies | No | RAINPOLE\ug-vra-admins-rainpole; RAINPOLE\ug-vROAdmins |
| vra-arch-rainpole | Tenant blueprint architect role in the SDDC for creating the blueprints that tenants request from the service catalog | No | RAINPOLE\ug-vra-archs-rainpole |

Users in the Child Domains

Create the following accounts for user access in each child Active Directory domain to provide centralized user access to the SDDC. In Active Directory, you do not assign these accounts any rights beyond the default ones.

Table 3. User Accounts in the Child Domains

| User Name | Description | Service Account | Member of Groups |
|---|---|---|---|
| SDDC-Admin | Global administrative account across the SDDC. | No | RAINPOLE\ug-SDDC-Admins |