You use a service account for authentication and authorization of vRealize Automation to vCenter Server and vRealize Operations Manager for orchestrating and creating virtual objects in the SDDC.

Authorization and Authentication Management Design Decisions

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| SDDC-CMP-015 | Configure a service account svc-vra in vCenter Server for application-to-application communication from vRealize Automation with vSphere. | You can introduce improved accountability in tracking request-response interactions between the components of the SDDC. | You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability. |
| SDDC-CMP-016 | Use local permissions when you create the svc-vra service account in vCenter Server. | The use of local permissions ensures that only the Compute vCenter Server instances are valid and accessible endpoints from vRealize Automation. | If you deploy more Compute vCenter Server instances, you must ensure that the service account has been assigned local permissions in each vCenter Server so that this vCenter Server is a viable endpoint within vRealize Automation. |
| SDDC-CMP-017 | Configure a service account svc-vra-vrops on vRealize Operations Manager for application-to-application communication from vRealize Automation for collecting health and resource metrics for tenant workload reclamation. | vRealize Automation accesses vRealize Operations Manager with the minimum set of permissions that are required for collecting metrics to determine the workloads that are potential candidates for reclamation. In the event of a compromised account, the accessibility in the destination application remains restricted. You can introduce improved accountability in tracking request-response interactions between the components of the SDDC. | You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability. |
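The implication of SDDC-CMP-016 is that every Compute vCenter Server must carry its own local permission for svc-vra, and the justification of SDDC-CMP-017 is that the account holds only the minimum required privileges. The following PowerCLI audit is an added example, not part of the design document, that checks both conditions across a list of vCenter Server instances. The vCenter FQDNs, the principal name `VSPHERE.LOCAL\svc-vra`, and the custom role name `vRA-Endpoint` are assumptions for illustration; replace them with the values used in your deployment.

```powershell
# Added example (not from the VMware Validated Design). Audits each Compute vCenter
# Server for a local permission assigned to the vRA service account and flags
# accounts that are missing or hold the built-in Administrator role.

# Assumed values: replace with your own Compute vCenter Server FQDNs and principal.
$computeVCenters = @('comp01-vc.example.local', 'comp02-vc.example.local')
$principal       = 'VSPHERE.LOCAL\svc-vra'
$expectedRole    = 'vRA-Endpoint'   # assumed name of a restricted custom role

$cred = Get-Credential -Message 'Credentials with read access to permissions on each vCenter Server'
$report = @()

foreach ($vc in $computeVCenters) {
    # Each vCenter Server is checked individually: the design calls for local permissions,
    # so a global permission or a permission on one vCenter does not cover the others.
    $conn = Connect-VIServer -Server $vc -Credential $cred -ErrorAction Stop

    $perms = Get-VIPermission -Server $conn | Where-Object { $_.Principal -ieq $principal }

    if (-not $perms) {
        $report += [pscustomobject]@{
            vCenter = $vc; Principal = $principal; Role = '(none)'
            Entity  = '(none)'; Finding = 'MISSING: account is not a viable vRA endpoint here'
        }
    }
    else {
        foreach ($p in $perms) {
            $finding = switch ($true) {
                ($p.Role -eq 'Admin')        { 'OVER-PRIVILEGED: built-in Administrator role'; break }
                ($p.Role -ne $expectedRole)  { "REVIEW: unexpected role '$($p.Role)'"; break }
                default                      { 'OK' }
            }
            $report += [pscustomobject]@{
                vCenter = $vc; Principal = $p.Principal; Role = $p.Role
                Entity  = $p.Entity.Name; Finding = $finding
            }
        }
    }

    Disconnect-VIServer -Server $conn -Confirm:$false
}

# One line per permission assignment; missing or over-privileged entries are the ones to act on.
$report | Format-Table -AutoSize
```

Run the audit after adding a Compute vCenter Server instance and on a recurring schedule; a `MISSING` row means the new instance cannot be onboarded as a vRealize Automation endpoint, and an `OVER-PRIVILEGED` row means a compromised svc-vra account would not be constrained as SDDC-CMP-017 intends.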