You add and configure accounts in the other solutions that vRealize Operations Manager integrates with, so that its cloud accounts, management packs, and direct integrations can be activated.

Table 1. Design Decisions on Service Accounts for the vCenter Server Cloud Accounts in vRealize Operations Manager

Columns: Design Decision ID | Design Decision | Design Justification | Design Implication

SDDC-COM-CO-MON-053

Design Decision: Define a custom vCenter Server role for vRealize Operations Manager that has the minimum privileges required to support collecting metrics and performing actions against vSphere endpoints across the SDDC, named vRealize Operations to vSphere Integration – Actions.

Design Justification: vRealize Operations Manager accesses vSphere with the minimum set of permissions that are required to support performing actions against vSphere endpoints across the SDDC.

Design Implication: You must maintain the permissions required by the custom role.

SDDC-COM-CO-MON-054

Design Decision: Configure a service account in vCenter Server with global permissions, svc-vrops-vsphere@rainpole.io, for application-to-application communication from vRealize Operations Manager to vSphere, and assign it the actions custom role, vRealize Operations to vSphere Integration – Actions.

Design Justification: Provides the following access control features:

  • The adapters in vRealize Operations Manager access vSphere with the minimum set of permissions that are required to collect metrics and perform permitted actions.

  • In the event of a compromised account, the accessibility in the destination application remains restricted.

  • You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.

Design Implication:

  • You must maintain the life cycle and availability of the service account outside of the SDDC stack.

  • All vCenter Server instances must be in the same vSphere domain.

SDDC-COM-CO-MON-055

Design Decision: Configure each vCenter Server cloud account to use the vCenter Server service account, svc-vrops-vsphere@rainpole.io.

Design Justification: Enables integration and data collection of all vCenter Server instances in the SDDC in vRealize Operations Manager.

Design Implication: You must manage the password life cycle of this cloud account.

SDDC-COM-CO-MON-056

Design Decision: Define a custom vCenter Server role for vRealize Operations Manager that has the minimum privileges required to support collecting metrics from vSphere endpoints across the SDDC, named vRealize Operations to vSphere Integration – Metrics.

Design Justification: vRealize Operations Manager accesses vSphere with the minimum set of permissions that are required to support collecting metrics from vSphere endpoints across the SDDC.

Design Implication: You must maintain the permissions required by the custom role.

SDDC-COM-CO-MON-057

Design Decision: Configure a service account in vCenter Server with global permissions, svc-vrops-vsan@rainpole.io, for application-to-application communication from the vSAN adapters in vRealize Operations Manager to vSphere, and assign it the metrics custom role, vRealize Operations to vSphere Integration – Metrics.

Design Justification: Provides the following access control features:

  • The adapters in vRealize Operations Manager access vSphere with the minimum set of permissions that are required to collect metrics about vSAN inventory objects.

  • In the event of a compromised account, the accessibility in the destination application remains restricted.

  • You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.

Design Implication: You must maintain the life cycle and availability of the service account outside of the SDDC stack.

SDDC-COM-CO-MON-058

Design Decision: Configure the vSAN integration in the vCenter Server cloud account to use the vSAN service account, svc-vrops-vsan@rainpole.io.

Design Justification: Enables integration and data collection of all vSAN instances in the SDDC in vRealize Operations Manager.

Design Implication: You must manage the password life cycle of this endpoint.

Table 2. Design Decision on Service Accounts for Integration of vRealize Operations Manager with vRealize Automation

Columns: Design Decision ID | Design Decision | Design Justification | Design Implication

SDDC-COM-CO-MON-059

Design Decision: Create a service account, svc-vrops-vra@rainpole.io, in the directory services and ensure it is synchronized in Workspace ONE Access.

Design Justification: The service account is used for application-to-application communication from vRealize Operations to vRealize Automation.

Design Implication:

  • You must maintain the life cycle and availability of the service account outside of the SDDC stack.

  • You must maintain the synchronization and availability of the service account in Workspace ONE Access.

SDDC-COM-CO-MON-060

Design Decision: Assign the service account, svc-vrops-vra@rainpole.io, the Organization Owner organization role and the Cloud Assembly Administrator service role for the application-to-application communication from vRealize Operations to vRealize Automation.

Design Justification: Provides the following access control features:

  • vRealize Operations accesses vRealize Automation with the minimum set of required permissions for the integration.

  • If there is a compromised account, the accessibility in the destination application remains restricted.

  • You can introduce improved accountability in tracking request-response interactions between the vRealize Operations and vRealize Automation integration.

Design Implication: None.

Table 3. Design Decision on Service Accounts for vRealize Operations Manager Management Packs

Columns: Design Decision ID | Design Decision | Design Justification | Design Implication

SDDC-COM-CO-MON-061

Design Decision: Create a service account, svc-vrops-nsx@rainpole.io, in the directory services and ensure it is synchronized in Workspace ONE Access.

Design Justification: The service account is used for application-to-application communication from vRealize Operations Manager to NSX-T Data Center.

Design Implication:

  • You must maintain the life cycle and availability of the service account outside of the SDDC stack.

  • You must maintain the synchronization and availability of the service account in Workspace ONE Access.

SDDC-COM-CO-MON-062

Design Decision: Configure a service account in NSX-T Data Center, svc-vrops-nsx@rainpole.io, for application-to-application communication from vRealize Operations Manager to NSX-T Data Center, using the default NSX-T Data Center Enterprise Admins role.

Design Justification: Provides the following access control features:

  • The adapters in vRealize Operations Manager access NSX-T Data Center with the minimum set of permissions that are required for metric collection and topology mapping.

  • In the event of a compromised account, the accessibility in the destination application remains restricted.

  • You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.

Design Implication: You must maintain the life cycle and availability of the service account outside of the SDDC stack.

SDDC-COM-CO-MON-063

Design Decision: Configure the endpoint of the NSX-T management pack for vRealize Operations Manager to use svc-vrops-nsx@rainpole.io.

Design Justification: Enables integration and data collection of all NSX-T instances in the SDDC in vRealize Operations Manager.

Design Implication: You must manage the password life cycle of this endpoint.

SDDC-COM-CO-MON-064

Design Decision: Configure a service account in vCenter Server with global permissions, svc-vrops-mpsd@rainpole.io, for application-to-application communication from the storage devices adapters in vRealize Operations Manager to vSphere, and assign it the metrics custom role, vRealize Operations to vSphere Integration – Metrics.

Design Justification: Provides the following access control features:

  • The adapters in vRealize Operations Manager access vSphere with the minimum set of permissions that are required to collect metrics about vSphere inventory objects.

  • In the event of a compromised account, the accessibility in the destination application remains restricted.

  • You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.

Design Implication: You must maintain the life cycle and availability of the service account outside of the SDDC stack.

SDDC-COM-CO-MON-065

Design Decision: Configure the endpoint of the Storage Devices management pack for vRealize Operations Manager to use the Storage Devices service account, svc-vrops-mpsd@rainpole.io.

Design Justification: Enables integration and data collection of all storage devices in the SDDC in vRealize Operations Manager.

Design Implication: You must manage the password life cycle of this endpoint.

SDDC-COM-CO-MON-066

Design Decision: Configure a Workspace ONE Access management pack adapter instance for each Workspace ONE Access instance using the local system domain admin account.

Design Justification:

  • Enables integration and data collection of all Workspace ONE Access instances in the SDDC in vRealize Operations Manager.

  • Integration between vRealize Operations Manager and Workspace ONE Access is only supported with the local admin account.

Design Implication: You must manage the password life cycle of this endpoint.
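The design decisions above amount to an auditable policy: each service account holds exactly one designed role per system, and its password is rotated. The following added example (not VMware's code or tooling) encodes that policy and checks an exported list of role assignments against it; the export record shape, the 90-day rotation window, and the constructed sample data are assumptions, and the Workspace ONE Access local admin account (SDDC-COM-CO-MON-066) is not covered.

```python
from datetime import date

# Expected (system, role) pairs per service account, taken from the tables above.
ACTIONS = "vRealize Operations to vSphere Integration – Actions"
METRICS = "vRealize Operations to vSphere Integration – Metrics"
EXPECTED = {
    "svc-vrops-vsphere@rainpole.io": {("vCenter Server", ACTIONS)},
    "svc-vrops-vsan@rainpole.io": {("vCenter Server", METRICS)},
    "svc-vrops-mpsd@rainpole.io": {("vCenter Server", METRICS)},
    "svc-vrops-nsx@rainpole.io": {("NSX-T Data Center", "Enterprise Admins")},
    "svc-vrops-vra@rainpole.io": {("vRealize Automation", "Organization Owner"),
                                  ("vRealize Automation", "Cloud Assembly Administrator")},
}
MAX_PASSWORD_AGE_DAYS = 90  # assumed rotation window; the tables only say "manage the password life cycle"
AS_OF = date(2024, 4, 1)    # reference date for the constructed sample below

def record(principal, system, role, password_last_set):
    """Shape of one exported assignment (assumed export format, not a VMware export)."""
    return {"principal": principal, "system": system, "role": role, "password_last_set": password_last_set}

# Constructed sample export with deliberate deviations from the design.
SAMPLE_EXPORT = [
    record("svc-vrops-vsphere@rainpole.io", "vCenter Server", ACTIONS, "2024-03-01"),
    record("svc-vrops-vsphere@rainpole.io", "NSX-T Data Center", "Enterprise Admins", "2024-03-01"),  # reused across systems
    record("svc-vrops-vsan@rainpole.io", "vCenter Server", METRICS, "2024-03-01"),
    record("svc-vrops-vsan@rainpole.io", "vCenter Server", "Administrator", "2024-03-01"),  # over-privileged
    record("svc-vrops-mpsd@rainpole.io", "vCenter Server", METRICS, "2023-10-01"),  # rotation overdue
    record("svc-vrops-nsx@rainpole.io", "NSX-T Data Center", "Enterprise Admins", "2024-03-01"),
    record("svc-vrops-vra@rainpole.io", "vRealize Automation", "Organization Owner", "2024-03-01"),  # second role missing
]

def audit(export, today=AS_OF, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Return sorted findings; an empty list means the export matches the design."""
    observed, findings = {}, set()
    for rec in export:
        observed.setdefault(rec["principal"], set()).add((rec["system"], rec["role"]))
        age = (today - date.fromisoformat(rec["password_last_set"])).days
        if age > max_age_days:  # implication: you must manage the password life cycle
            findings.add(f"STALE {rec['principal']} on {rec['system']}: password {age} days old")
    for principal, expected in EXPECTED.items():
        have = observed.get(principal, set())
        for system, role in expected - have:  # a role the design requires is not granted
            findings.add(f"MISSING {principal}: {role} on {system}")
        for system, role in have - expected:  # anything beyond the designed role widens the blast radius
            findings.add(f"EXCESS {principal}: {role} on {system}")
    for principal in set(observed) - set(EXPECTED):
        findings.add(f"UNKNOWN {principal}: not a designed service account")
    return sorted(findings)
```

Running `audit(SAMPLE_EXPORT)` reports the four planted deviations; feeding it a real export lets you re-check the least-privilege and password life-cycle implications after every change to the integrations.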