A service account provides non-interactive, non-human access to the services and APIs of the SDDC components. You create service accounts for application-to-application access to functionality on the SDDC nodes, and separate user accounts for operations and tenant administration.

Service Accounts

A service account is a standard Active Directory user account that you configure in the following way:

  • The password never expires.

  • The user cannot change the password.

Because the password does not expire automatically, rotation is your responsibility: change the password in Active Directory and in the consuming component in the same maintenance window, and store it in your password vault rather than in the component only.

In addition, a dedicated service account is required for domain-join operations if a component registers itself in Active Directory as a computer object. This account must be delegated the right to join computers to the Active Directory domain.
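The following PowerShell is an added example, not part of the VMware Validated Design or its documentation. It creates the Active Directory service accounts named in this design with the two required settings (password never expires, user cannot change the password) and then audits the service-account OU for any account that drifted from that configuration or whose password is older than a rotation threshold. The domain example.local, the OU path, the 180-day rotation threshold and the password generator are assumptions for illustration; the domain-join delegation for svc-domain-join is granted separately and is not covered here.

```powershell
# Added example (not from the VMware Validated Design): create and audit the
# Active Directory service accounts this design requires.
# Requires the ActiveDirectory module (RSAT) and rights to create users in $ouPath.
Import-Module ActiveDirectory

$domain       = 'example.local'                              # assumed domain
$ouPath       = 'OU=Service Accounts,DC=example,DC=local'    # assumed OU
$rotationDays = 180                                          # assumed rotation threshold

# Account names and descriptions taken from Table 1 of this design.
$accounts = @(
    @{ Name = 'svc-domain-join';    Description = 'Domain join for Workspace ONE Access connectors' },
    @{ Name = 'svc-wsa-ad';         Description = 'Active Directory bind for the Workspace ONE Access directory' },
    @{ Name = 'svc-vrslcm-vsphere'; Description = 'vRealize Suite Lifecycle Manager to vCenter Server' },
    @{ Name = 'svc-vrli-vsphere';   Description = 'vRealize Log Insight to vCenter Server and ESXi' },
    @{ Name = 'svc-vrli-vrops';     Description = 'vRealize Log Insight to vRealize Operations Manager' },
    @{ Name = 'svc-vrops-vsphere';  Description = 'vRealize Operations Manager to vCenter Server' },
    @{ Name = 'svc-vrops-nsx';      Description = 'vRealize Operations Manager to NSX Data Center for vSphere' },
    @{ Name = 'svc-vrops-vsan';     Description = 'vRealize Operations Manager vSAN metrics' },
    @{ Name = 'svc-vrops-mpsd';     Description = 'vRealize Operations Manager storage device metrics' },
    @{ Name = 'svc-vrops-vra';      Description = 'vRealize Operations Manager to vRealize Automation' },
    @{ Name = 'svc-vra-vrops';      Description = 'vRealize Automation to vRealize Operations Manager' },
    @{ Name = 'svc-vra-vsphere';    Description = 'vRealize Automation to vCenter Server' },
    @{ Name = 'svc-vro-vsphere';    Description = 'vRealize Orchestrator to vCenter Server' }
)

# Generate a random password from a CSPRNG. The alphabet avoids look-alike
# characters; the small modulo bias is acceptable for a 24-character secret.
function New-RandomPassword([int]$Length = 24) {
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%&*+-=?@'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# Create each account exactly as the design specifies; skip ones that already exist.
foreach ($a in $accounts) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($a.Name)'" -ErrorAction SilentlyContinue) {
        Write-Verbose "$($a.Name) already exists, skipping" -Verbose
        continue
    }
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    New-ADUser -Name $a.Name `
               -SamAccountName $a.Name `
               -UserPrincipalName "$($a.Name)@$domain" `
               -Path $ouPath `
               -Description $a.Description `
               -AccountPassword $secure `
               -Enabled $true `
               -PasswordNeverExpires $true `
               -CannotChangePassword $true
    # Hand $plain to the consuming component and the vault here; never log it.
    Remove-Variable plain, secure
}

# Audit: report every svc-* account that no longer matches the design, or whose
# password has not been rotated within $rotationDays (it will never expire on its own).
function Get-ServiceAccountDrift {
    $cutoff = (Get-Date).AddDays(-$rotationDays)
    Get-ADUser -Filter 'SamAccountName -like "svc-*"' -SearchBase $ouPath `
               -Properties PasswordNeverExpires, CannotChangePassword, PasswordLastSet, Enabled |
        ForEach-Object {
            $issues = @()
            if (-not $_.PasswordNeverExpires) { $issues += 'PasswordNeverExpires is false' }
            if (-not $_.CannotChangePassword) { $issues += 'CannotChangePassword is false' }
            if (-not $_.Enabled)              { $issues += 'account disabled' }
            if ($_.PasswordLastSet -lt $cutoff) { $issues += "password last set $($_.PasswordLastSet)" }
            if ($issues.Count -gt 0) {
                [pscustomobject]@{ Account = $_.SamAccountName; Issues = ($issues -join '; ') }
            }
        }
}

Get-ServiceAccountDrift | Format-Table -AutoSize
```

Run the creation part once from an administrative workstation and the audit function on a schedule; an empty drift table is the expected result. Restricting these accounts from interactive logon is done through Group Policy (Deny log on locally and through Remote Desktop Services) rather than through user attributes, so it is not part of this script.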

Service Accounts for vRealize Suite 2019 and VMware Workspace ONE Access

This design introduces a set of service accounts that are used for one-way or bidirectional application-to-application communication. You use custom roles where a built-in role would grant too much, so that each account holds only the least privileges required for authentication and data exchange on its destination.

Table 1. Application-to-Application or Application Service Accounts in vRealize Suite and VMware Workspace ONE Access

Each entry lists the user name, description, source, destination, required role on the destination, and password complexity category. Where an account reaches more than one destination, the required role is listed per destination.

svc-domain-join
  Description: Service account for performing domain-join operations for Workspace ONE Access connectors.
  Source: Workspace ONE Access
  Destination: Active Directory
  Required role on the destination:
    • Account Operators group
    • Delegation to Join Computers to Domain for both the parent and child domains
  Password complexity category: Standard

svc-wsa-ad
  Description: Service account for performing Active Directory bind operations for the Workspace ONE Access directory.
  Source: Workspace ONE Access
  Destination: Active Directory
  Required role on the destination: None
  Password complexity category: Standard

svc-vrslcm-vsphere
  Description: Service account for deploying and managing the lifecycle of vRealize Suite components on the SDDC.
  Source: vRealize Suite Lifecycle Manager
  Destinations and required roles:
    • Management domain vCenter Server: vRealize Suite Lifecycle Manager User (Custom)
    • Workload domain vCenter Server: No Access
  Password complexity category: Standard

svc-vrli-vsphere
  Description: Service account for connecting vRealize Log Insight to vCenter Server and ESXi for forwarding log information.
  Source: vRealize Log Insight
  Destination: vCenter Server
  Required role on the destination: Log Insight User (Custom)
  Password complexity category: Standard

svc-vrli-vrops
  Description: Service account for connecting vRealize Log Insight to vRealize Operations Manager for log forwarding, alerts, and Launch in Context integration.
  Source: vRealize Log Insight
  Destination: vRealize Operations Manager
  Required role on the destination: Administrator
  Password complexity category: Standard

svc-vrops-vsphere
  Description: Service account for monitoring and collecting general metrics about vSphere objects, including infrastructure and virtual machines, from vCenter Server into vRealize Operations Manager, and for performing actions or tasks on the objects it manages in vCenter Server.
  Source: vRealize Operations Manager
  Destination: vCenter Server
  Required role on the destination: vSphere Actions User
  Password complexity category: Standard

svc-vrops-nsx
  Description: Service account that exists both in the Active Directory domain and locally on NSX Manager, used by vRealize Operations Manager to collect virtual networking data from the NSX Manager instances.
  Important: Only applicable to NSX Data Center for vSphere.
  Source: vRealize Operations Manager
  Destinations and required roles:
    • vCenter Server: Read-Only
    • NSX Data Center for vSphere: Security Administrator
  Password complexity category: Standard

svc-vrops-vsan
  Description: Service account for monitoring and collecting metrics about vSAN datastores from vCenter Server in vRealize Operations Manager.
  Source: vRealize Operations Manager
  Destination: vCenter Server
  Required role on the destination: MPSD Metrics User
  Password complexity category: Standard

svc-vrops-mpsd
  Description: Service account for monitoring storage devices from vCenter Server in vRealize Operations Manager.
  Source: vRealize Operations Manager
  Destination: vCenter Server
  Required role on the destination: MPSD Metrics User
  Password complexity category: Standard

svc-vrops-vra
  Description: Service account for monitoring vRealize Automation in vRealize Operations Manager.
  Source: vRealize Operations Manager
  Destination: vRealize Automation
  Required role on the destination:
    • Organization Owner
    • Cloud Assembly
    • Cloud Assembly Administrator
  Password complexity category: Standard

svc-vra-vrops
  Description: Service account for retrieving statistics from vRealize Operations Manager in vRealize Automation for workload placement and costs.
  Source: vRealize Automation
  Destination: vRealize Operations Manager
  Required role on the destination: Read-Only
  Password complexity category: Standard

svc-vra-vsphere
  Description: Service account for access from vRealize Automation to vCenter Server.
  Source: vRealize Automation
  Destinations and required roles:
    • Management domain vCenter Server: No Access
    • Workload domain vCenter Server: vRealize Automation to vSphere Integration (Custom)
  Password complexity category: Standard

svc-vro-vsphere
  Description: Service account for access from vRealize Orchestrator to vCenter Server.
  Source: vRealize Orchestrator
  Destinations and required roles:
    • Management domain vCenter Server: No Access
    • Workload domain vCenter Server: vRealize Orchestrator to vSphere Integration (Custom)
  Password complexity category: Standard
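The following PowerCLI script is an added example, not part of the VMware Validated Design. It checks that the vCenter Server permissions actually held by the service accounts in Table 1 match the roles the table requires, flagging an account that holds a broader role than designed (for example a management vCenter Server permission on an account that should have No Access there). The domain NetBIOS name EXAMPLE and the vCenter Server host names are assumptions; the custom role names are assumed to be the Table 1 names without the "(Custom)" suffix, and an unqualified "vCenter Server" destination in the table is read as both the management and the workload domain vCenter Server.

```powershell
# Added example (not from the VMware Validated Design): audit vCenter Server
# permissions of the Table 1 service accounts against their designed roles.
# Requires VMware PowerCLI and a vCenter Server account that can read permissions.
Import-Module VMware.VimAutomation.Core

$domainNetbios = 'EXAMPLE'                              # assumed
$vcenters = @{
    Management = 'mgmt-vc01.example.local'              # assumed host name
    Workload   = 'wld-vc01.example.local'               # assumed host name
}

# Expected role per account and vCenter Server, from Table 1. Built-in roles use
# their vCenter names (NoAccess, ReadOnly); custom role names are assumed.
$expected = @{
    'svc-vrslcm-vsphere' = @{ Management = 'vRealize Suite Lifecycle Manager User'; Workload = 'NoAccess' }
    'svc-vrli-vsphere'   = @{ Management = 'Log Insight User';      Workload = 'Log Insight User' }
    'svc-vrops-vsphere'  = @{ Management = 'vSphere Actions User';  Workload = 'vSphere Actions User' }
    'svc-vrops-nsx'      = @{ Management = 'ReadOnly';              Workload = 'ReadOnly' }
    'svc-vrops-vsan'     = @{ Management = 'MPSD Metrics User';     Workload = 'MPSD Metrics User' }
    'svc-vrops-mpsd'     = @{ Management = 'MPSD Metrics User';     Workload = 'MPSD Metrics User' }
    'svc-vra-vsphere'    = @{ Management = 'NoAccess'; Workload = 'vRealize Automation to vSphere Integration' }
    'svc-vro-vsphere'    = @{ Management = 'NoAccess'; Workload = 'vRealize Orchestrator to vSphere Integration' }
}

# Compare the set of roles a principal holds on one vCenter Server with the
# single role the design allows; returns one finding per deviation.
function Test-ServiceAccountRoles {
    param($Server, [string]$ServerLabel)
    foreach ($account in $expected.Keys) {
        $principal = "$domainNetbios\$account"
        $want      = $expected[$account][$ServerLabel]
        $perms     = @(Get-VIPermission -Server $Server -Principal $principal -ErrorAction SilentlyContinue)
        $roles     = @($perms | ForEach-Object { $_.Role } | Sort-Object -Unique)

        if ($roles.Count -eq 0) {
            # No permission object at all: equivalent to no access, but the design
            # assigns the role explicitly, so report it as a finding either way.
            [pscustomobject]@{ vCenter = $ServerLabel; Account = $account; Expected = $want; Actual = '(none)'; Status = 'MISSING' }
            continue
        }
        $extra = $roles | Where-Object { $_ -ne $want }
        if ($extra.Count -gt 0) {
            # Any role other than the designed one is a privilege deviation; an
            # extra role on a management vCenter Server is the case to fix first.
            [pscustomobject]@{ vCenter = $ServerLabel; Account = $account; Expected = $want; Actual = ($roles -join ', '); Status = 'DEVIATION' }
        }
        elseif ($want -eq 'NoAccess') {
            # Record where the NoAccess permission is anchored, for the evidence trail.
            $entities = ($perms | ForEach-Object { $_.Entity.Name } | Sort-Object -Unique) -join ', '
            [pscustomobject]@{ vCenter = $ServerLabel; Account = $account; Expected = $want; Actual = "NoAccess on $entities"; Status = 'OK' }
        }
        else {
            [pscustomobject]@{ vCenter = $ServerLabel; Account = $account; Expected = $want; Actual = $want; Status = 'OK' }
        }
    }
}

$findings = foreach ($label in $vcenters.Keys) {
    $vc = Connect-VIServer -Server $vcenters[$label]
    try   { Test-ServiceAccountRoles -Server $vc -ServerLabel $label }
    finally { Disconnect-VIServer -Server $vc -Confirm:$false }
}

$findings | Sort-Object Status, vCenter, Account | Format-Table -AutoSize
```

Any row with Status DEVIATION or MISSING is a gap between the design and the running environment. Because Get-VIPermission returns only explicit permission objects, a service account that is also a member of a vCenter Single Sign-On group with its own permissions can hold more privilege than this report shows; add those group memberships to the check if the design in your environment grants permissions through groups.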