You use information security and access control configurations to prevent unauthorized access and accidental or malicious damage to the backup data.

Because the image-level backups use vCenter Server, provision a service account for your VADP-compatible solution that has only the correct level of access.

Table 1. Design Decisions on Information Security and Access Control for Cloud Operations and Automation Backup

Decision ID

Design Decision

Design Justification

Design Implication


Configure an Active Directory backed service account in vCenter Server for application-to-application communication from your VADP-compatible backup solution to vSphere.

Provides the following access control features:

  • Provide the VADP- compatible backup solution with a minimum set of permissions that are required to perform backup and restore operations.

  • In the event of a compromised account, the accessibility in the destination application remains restricted.

  • You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.

You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability.


Use global permissions when you create the service account in vCenter Server.

  • Simplifies and standardizes the deployment of the service account across all vCenter Server instances in the same vSphere domain.

  • Provides a consistent authorization layer.

All vCenter Server instances must be in the same vSphere domain.