Active Directory User Accounts

A service account provides non-interactive and non-human access to services and APIs to the components of the SDDC. You must create service accounts for accessing functionality on the SDDC nodes, and user accounts for operations and tenant administration.

Service Accounts

A service account is a standard Active Directory account that you configure in the following way:

The password never expires.
The user cannot change the password.

In addition, a special service account is also required to perform domain join operations if a component registers itself in Active Directory as a computer object. This account must have the right to join computers to the Active Directory domain.

Service Accounts for vRealize Suite 2019 and VMware Workspace ONE Access

This design introduces a set of service accounts that are used in a one- or bidirectional fashion to enable secure application communication. You use custom roles to ensure that these accounts have only the least permissions that are required for authentication and data exchange.

Table 1. Application-to-Application or Application Service Accounts in vRealize Suite and VMware Workspace ONE Access
User Name	Description	Source	Destination	Required Role on the Destination	Password Complexity Category
svc-domain-join	Service account for performing domain-join operations for Workspace ONE Access connectors	Workspace ONE Access	Active Directory	Account Operators Group Delegation to Join Computers to Domain for both the parent and child domains	Standard
svc-wsa-ad	Service account used for performing Active Directory bind operations in the Workspace ONE Access directory	Workspace ONE Access	Active Directory	-	Standard
svc-vrslcm-vsphere	A service account for deploying and managing the lifecycle of vRealize Suite components on the Software-Defined Data Center	vRealize Suite Lifecycle Manager	Management domain vCenter Server	vRealize Suite Lifecycle Manager User (Custom)	Standard
svc-vrslcm-vsphere		vRealize Suite Lifecycle Manager	Workload domain vCenter Server	No Access	Standard
svc-vrli-vsphere	Service account for connecting vRealize Log Insight to vCenter Server and ESXi for forwarding log information	vRealize Log Insight	vCenter Server	Log Insight User (Custom)	Standard
svc-vrli-vrops	Service account for connecting vRealize Log Insight to vRealize Operations Manager for log forwarding, alerts, and for Launch in Context integration	vRealize Log Insight	vRealize Operations Manager	Administrator	Standard
svc-vrops-vsphere	Service account for monitoring and collecting general metrics about vSphere objects, including infrastructure and virtual machines, from vCenter Server into vRealize Operations Manager. Also to perform some actions or tasks on the objects it manages in vCenter Server	vRealize Operations Manager	vCenter Server	vSphere Actions User	Standard
svc-vrops-nsx	Service account that is available in the Active Directory domain and locally on NSX Manager for collecting data in vRealize Operations Manager from the NSX Manager instances about virtual networking. Important: Only applicable to NSX Data Center for vSphere.	vRealize Operations Manager	vCenter Server	Read-Only	Standard
svc-vrops-nsx		vRealize Operations Manager	NSX Data Center for vSphere	Security Administrator	Standard
svc-vrops-vsan	Service account for monitoring and collecting metrics about vSAN datastores from vCenter Server in vRealize Operations Manager	vRealize Operations Manager	vCenter Server	MPSD Metrics User	Standard
svc-vrops-mpsd	Service account for monitoring storage devices from vCenter Server in vRealize Operations Manager	vRealize Operations Manager	vCenter Server	MPSD Metrics User	Standard
svc-vrops-vra	Service account for monitoring vRealize Automation in vRealize Operations Manager	vRealize Operations Manager	vRealize Automation	Organization Owner Cloud Assembly Cloud Assembly Administrator	Standard
svc-vra-vrops	Service account for retrieving statistics from vRealize Operations Manager in vRealize Automation for workload placement and costs	vRealize Automation	vRealize Operations Manager	Read-Only	Standard
svc-vra-vsphere	Service account for access from vRealize Automation to vCenter Server.	vRealize Automation	Management domain vCenter Server	No Access	Standard
svc-vra-vsphere		vRealize Automation	Workload domain vCenter Server	vRealize Automation to vSphere Integration (Custom)	Standard
svc-vro-vsphere	Service account for access from vRealize Orchestrator to vCenter Server	vRealize Orchestrator	Management domain vCenter Server	No Access	Standard
svc-vro-vsphere		vRealize Orchestrator	Workload domain vCenter Server	vRealize Orchestrator to vSphere Integration (Custom)	Standard