You use a service account for authentication and authorization of vSphere Data Protection for backup and restore operations.

Authorization and Authentication Management Design Decisions

Decision ID: SDDC-OPS-BKP-010
Design Decision: Configure a service account svc-vdp in vCenter Server for application-to-application communication from vSphere Data Protection with vSphere.
Design Justification: Provides the following access control features:
    vSphere Data Protection accesses vSphere with the minimum set of permissions that are required to perform backup and restore operations.
    In the event of a compromised account, access to the destination application remains restricted to that minimal set.
    Improves accountability when tracking request-response interactions between the components of the SDDC, because the backup traffic is attributable to a dedicated principal rather than a shared administrator account.
Design Implication: You must maintain the service account's life cycle (creation, password rotation, removal) outside of the SDDC stack to ensure its availability.

Decision ID: SDDC-OPS-BKP-011
Design Decision: Use global permissions when you create the svc-vdp service account in vCenter Server.
Design Justification: Simplifies and standardizes the deployment of the service account across all vCenter Server instances in the same vSphere domain.
    Provides a consistent authorization layer.
Design Implication: All vCenter Server instances must be in the same vSphere domain.
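The following PowerCLI script is an added example and is not part of the VMware Validated Design documentation or of vSphere Data Protection itself. It shows the two halves of decision SDDC-OPS-BKP-010 that are easy to get wrong: building a dedicated role that carries only the privileges the backup product needs, and auditing every vCenter Server instance to confirm that svc-vdp holds that role and nothing more. The principal name VSPHERE.LOCAL\svc-vdp, the role name VDP-Backup, the vCenter FQDNs and the privilege list are all assumptions for illustration; take the authoritative privilege list for your vSphere Data Protection version from its release notes. Note that New-VIPermission creates object-level permissions only, so the global permission required by SDDC-OPS-BKP-011 is set in the vSphere Client under Administration > Access Control > Global Permissions; the script creates the role and then verifies what Get-VIPermission reports on each instance.

```powershell
# Added example, not code from the VMware Validated Design page.
# Assumptions: SSO domain VSPHERE.LOCAL, account svc-vdp, role VDP-Backup,
# vCenter FQDNs vc01/vc02.example.local, and an ILLUSTRATIVE privilege list.
param(
    [string]$Principal = 'VSPHERE.LOCAL\svc-vdp',   # assumed SSO domain and account name
    [string]$RoleName  = 'VDP-Backup',              # assumed custom role name
    [string[]]$Servers = @('vc01.example.local', 'vc02.example.local')  # assumed vCenter FQDNs
)

Import-Module VMware.PowerCLI -ErrorAction Stop

# Assumed minimal privilege set for snapshot-based backup and restore (illustrative;
# replace with the list documented for your vSphere Data Protection release).
$RequiredPrivilegeIds = @(
    'Datastore.AllocateSpace',
    'Datastore.Browse',
    'Global.DisableMethods',
    'Global.EnableMethods',
    'Global.Licenses',
    'VirtualMachine.Config.ChangeTracking',
    'VirtualMachine.Provisioning.DiskRandomAccess',
    'VirtualMachine.Provisioning.DiskRandomRead',
    'VirtualMachine.State.CreateSnapshot',
    'VirtualMachine.State.RemoveSnapshot'
)

# One connection per vCenter Server instance in the vSphere domain.
$Connections = Connect-VIServer -Server $Servers -ErrorAction Stop

# Create the least-privilege role on a vCenter Server instance if it is missing.
function Ensure-BackupRole {
    param($Server)
    $role = Get-VIRole -Name $RoleName -Server $Server -ErrorAction SilentlyContinue
    if (-not $role) {
        $privs = Get-VIPrivilege -Id $RequiredPrivilegeIds -Server $Server
        $role  = New-VIRole -Name $RoleName -Privilege $privs -Server $Server
        Write-Host "[$($Server.Name)] created role $RoleName with $($privs.Count) privileges"
    }
    return $role
}

# Return a list of findings; an empty list means the account is configured as designed.
function Test-ServiceAccountPermissions {
    param($Server)
    $findings = @()

    $perms = Get-VIPermission -Principal $Principal -Server $Server -ErrorAction SilentlyContinue
    if (-not $perms) {
        $findings += "no permission entry for $Principal reported by Get-VIPermission (global permission not applied, or instance in a different vSphere domain)"
    }
    foreach ($p in $perms) {
        # Any role other than the backup role (for example Administrator) violates least privilege.
        if ($p.Role -ne $RoleName) {
            $findings += "unexpected role '$($p.Role)' on '$($p.Entity)' (expected $RoleName only)"
        }
        if (-not $p.Propagate) {
            $findings += "role $($p.Role) on '$($p.Entity)' does not propagate to child objects"
        }
    }

    # Detect privilege drift: someone adding privileges to the role later.
    # System.* privileges are implicit in every role and are ignored.
    $role = Get-VIRole -Name $RoleName -Server $Server -ErrorAction SilentlyContinue
    if ($role) {
        $extra = $role.PrivilegeList | Where-Object { ($_ -notin $RequiredPrivilegeIds) -and ($_ -notlike 'System.*') }
        if ($extra) { $findings += "role $RoleName carries extra privileges: $($extra -join ', ')" }
    }
    return $findings
}

foreach ($vc in $Connections) {
    Ensure-BackupRole -Server $vc | Out-Null
    $f = Test-ServiceAccountPermissions -Server $vc
    if ($f.Count -eq 0) {
        Write-Host "[$($vc.Name)] OK: $Principal holds only $RoleName"
    } else {
        $f | ForEach-Object { Write-Warning "[$($vc.Name)] $_" }
    }
}

Disconnect-VIServer -Server $Connections -Confirm:$false
```

Run the audit half on a schedule: the design implication of SDDC-OPS-BKP-010 is that the account's life cycle lives outside the SDDC stack, so a periodic check that the role has not been widened and that no second role (such as Administrator) has been attached to svc-vdp is the practical way to keep the "compromised account stays restricted" justification true over time.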