A service account provides non-interactive and non-human access to services and APIs to the components of the SDDC. You must create service accounts for accessing functionality on the SDDC nodes, and user accounts for operations and tenant administration.
Service Accounts
A service account is a standard Active Directory account that you configure in the following way:
-
The password never expires.
-
The user cannot change the password.
In addition, a special service account is also required to perform domain join operations if a component registers itself in Active Directory as a computer object. This account must have the right to join computers to the Active Directory domain.
Service Accounts for vRealize Suite 2019 and VMware Workspace ONE Access
This design introduces a set of service accounts that are used in a one- or bidirectional fashion to enable secure application communication. You use custom roles to ensure that these accounts have only the least permissions that are required for authentication and data exchange.
| User Name |
Description |
Source |
Destination |
Required Role on the Destination |
Password Complexity Category |
|---|---|---|---|---|---|
| svc-domain-join |
Service account for performing domain-join operations for Workspace ONE Access connectors |
Workspace ONE Access |
Active Directory |
|
Standard |
| svc-wsa-ad |
Service account used for performing Active Directory bind operations in the Workspace ONE Access directory |
Workspace ONE Access |
Active Directory |
- |
Standard |
| svc-vrslcm-vsphere |
A service account for deploying and managing the lifecycle of vRealize Suite components on the Software-Defined Data Center |
vRealize Suite Lifecycle Manager |
Management domain vCenter Server |
vRealize Suite Lifecycle Manager User (Custom) |
Standard |
| Workload domain vCenter Server |
No Access |
Standard |
|||
| svc-vrli-vsphere |
Service account for connecting vRealize Log Insight to vCenter Server and ESXi for forwarding log information |
vRealize Log Insight |
vCenter Server |
Log Insight User (Custom) |
Standard |
| svc-vrli-vrops |
Service account for connecting vRealize Log Insight to vRealize Operations Manager for log forwarding, alerts, and for Launch in Context integration |
vRealize Log Insight |
vRealize Operations Manager |
Administrator |
Standard |
| svc-vrops-vsphere |
Service account for monitoring and collecting general metrics about vSphere objects, including infrastructure and virtual machines, from vCenter Server into vRealize Operations Manager. Also to perform some actions or tasks on the objects it manages in vCenter Server |
vRealize Operations Manager |
vCenter Server |
vSphere Actions User |
Standard |
| svc-vrops-nsx |
Service account that is available in the Active Directory domain and locally on NSX Manager for collecting data in vRealize Operations Manager from the NSX Manager instances about virtual networking.
Important:
Only applicable to NSX Data Center for vSphere. |
vRealize Operations Manager |
vCenter Server |
Read-Only |
Standard |
| NSX Data Center for vSphere |
Security Administrator |
Standard |
|||
| svc-vrops-vsan |
Service account for monitoring and collecting metrics about vSAN datastores from vCenter Server in vRealize Operations Manager |
vRealize Operations Manager |
vCenter Server |
MPSD Metrics User |
Standard |
| svc-vrops-mpsd |
Service account for monitoring storage devices from vCenter Server in vRealize Operations Manager |
vRealize Operations Manager |
vCenter Server |
MPSD Metrics User |
Standard |
| svc-vrops-vra |
Service account for monitoring vRealize Automation in vRealize Operations Manager |
vRealize Operations Manager |
vRealize Automation |
|
Standard |
| svc-vra-vrops |
Service account for retrieving statistics from vRealize Operations Manager in vRealize Automation for workload placement and costs |
vRealize Automation |
vRealize Operations Manager |
Read-Only |
Standard |
| svc-vra-vsphere |
Service account for access from vRealize Automation to vCenter Server. |
vRealize Automation |
Management domain vCenter Server |
No Access |
Standard |
| Workload domain vCenter Server |
vRealize Automation to vSphere Integration (Custom) |
Standard |
|||
| svc-vro-vsphere |
Service account for access from vRealize Orchestrator to vCenter Server |
vRealize Orchestrator |
Management domain vCenter Server |
No Access |
Standard |
| Workload domain vCenter Server |
vRealize Orchestrator to vSphere Integration (Custom) |
Standard |
