You configure a central source for authentication in vRealize Operations Manager, such as an Active Directory service. vRealize Operations Manager can also authenticate users against vCenter Server and against its own local user inventory.

You can allow users to authenticate in vRealize Operations Manager in the following ways:

Import users or user groups from an LDAP database

Users can use their LDAP credentials to log in to vRealize Operations Manager.

Use vCenter Server user accounts

After a vCenter Server instance is registered with vRealize Operations Manager, the following vCenter Server users can log in to vRealize Operations Manager:

Users that have administration access in vCenter Server.

Users that have one of the vRealize Operations Manager privileges, such as PowerUser, assigned on the root object in vCenter Server.

Create local user accounts in vRealize Operations Manager

vRealize Operations Manager performs local authentication using the account information stored in its global database.

Authorization and Authentication Management Design Decisions

Decision ID: SDDC-OPS-MON-014
Design Decision: Use Active Directory authentication.
Design Justification: Provides access to vRealize Operations Manager by using standard Active Directory accounts. Ensures that authentication remains available even if vCenter Server becomes unavailable.
Design Implication: You must configure Active Directory authentication manually.

Decision ID: SDDC-OPS-MON-015
Design Decision: Configure a service account svc-vrops in vCenter Server for application-to-application communication from vRealize Operations Manager with vSphere and NSX for vSphere.
Design Justification: Provides the following access control features:
  The adapters in vRealize Operations Manager access vSphere and NSX for vSphere with the minimum set of permissions that are required to collect metrics about vSphere inventory objects.
  If the account is compromised, the attacker's access to the destination application remains limited to those permissions.
  You can introduce improved accountability in tracking request-response interactions between the components of the SDDC, because the account is used by no other component.
Design Implication: You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability.

Decision ID: SDDC-OPS-MON-016
Design Decision: Configure a service account svc-mpsd-vrops in vCenter Server for application-to-application communication from the Storage Devices Adapters in vRealize Operations Manager with vSphere.
Design Justification: Provides the following access control features:
  The adapters in vRealize Operations Manager access vSphere with the minimum set of permissions that are required to collect metrics about vSphere inventory objects.
  If the account is compromised, the attacker's access to the destination application remains limited to those permissions.
  You can introduce improved accountability in tracking request-response interactions between the components of the SDDC, because the account is used by no other component.
Design Implication: You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability.

Decision ID: SDDC-OPS-MON-017
Design Decision: Use global permissions when you create the svc-vrops and svc-mpsd-vrops service accounts in vCenter Server.
Design Justification: Simplifies and standardizes the deployment of the service accounts across all vCenter Server instances in the same vSphere domain. Provides a consistent authorization layer.
Design Implication: All vCenter Server instances must be in the same vSphere domain.

Decision ID: SDDC-OPS-MON-018
Design Decision: Configure a service account svc-vrops-vra in vRealize Automation for application-to-application communication from the vRealize Automation Adapter in vRealize Operations Manager with vRealize Automation.
Design Justification: Provides the following access control features:
  The adapter in vRealize Operations Manager accesses vRealize Automation with the minimum set of permissions that are required for collecting metrics about provisioned virtual machines and capacity management.
  If the account is compromised, the attacker's access to the destination application remains limited to those permissions.
  You can introduce improved accountability in tracking request-response interactions between the components of the SDDC, because the account is used by no other component.
Design Implication: You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability. If you add more tenants to vRealize Automation, you must extend the service account's permissions to the new tenants so that vRealize Operations Manager continues to collect metrics from all of them.

Decision ID: SDDC-OPS-MON-019
Design Decision: Configure a local service account svc-vrops-nsx in each NSX instance for application-to-application communication from the NSX-vSphere Adapters in vRealize Operations Manager with NSX.
Design Justification: Provides the following access control features:
  The adapters in vRealize Operations Manager access NSX for vSphere with the minimum set of permissions that are required for metrics collection and topology mapping.
  If the account is compromised, the attacker's access to the destination application remains limited to those permissions.
  You can introduce improved accountability in tracking request-response interactions between the components of the SDDC, because the account is used by no other component.
Design Implication: You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability.
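The "minimum set of permissions" and "global permissions" decisions above are only as good as the roles that end up in vCenter Server, and custom roles drift. The following script is an added example, not VMware's code and not part of the validated design: it compares an export of roles and permission assignments against the designed privilege set for each service account and reports privilege creep, missing privileges, and grants made on an inventory object instead of as a global permission. The account names, privilege IDs, role names and inventory path are constructed sample data; the three privilege IDs used as the designed baseline are those of the built-in vCenter Server Read-only role and stand in for whatever the adapter documentation actually requires.

```python
"""Privilege-drift check for the vRealize Operations Manager service accounts.

Compares the role a vCenter Server service account actually holds with the
designed minimum privilege set and reports privilege creep (extra privileges),
gaps (missing privileges, so collection breaks), and grants that were made on
an inventory object instead of as a global permission. Every identifier below
is constructed sample data, not taken from the design or a real vCenter Server.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Assumption: the designed minimum privilege set per service account. The three
# IDs are those of the built-in vCenter Server Read-only role; the real set for
# each adapter must be taken from the adapter documentation.
DESIGNED_PRIVILEGES: Dict[str, FrozenSet[str]] = {
    "RAINPOLE\\svc-vrops": frozenset({"System.Anonymous", "System.View", "System.Read"}),
    "RAINPOLE\\svc-mpsd-vrops": frozenset({"System.Anonymous", "System.View", "System.Read"}),
}

# Constructed: role definitions as they might be exported from vCenter Server.
DEPLOYED_ROLES: Dict[str, FrozenSet[str]] = {
    "Read-only": frozenset({"System.Anonymous", "System.View", "System.Read"}),
    # A custom role that drifted: someone added a power-on privilege to it.
    "vROps-Collector": frozenset({"System.Anonymous", "System.View", "System.Read",
                                  "VirtualMachine.Interact.PowerOn"}),
}


@dataclass(frozen=True)
class Permission:
    principal: str   # domain-qualified account name
    role: str        # role name in vCenter Server
    entity: str      # "GLOBAL" for a global permission, otherwise an inventory path
    propagate: bool  # whether the permission propagates to child objects


# Constructed: permission records as they might be exported from vCenter Server.
DEPLOYED_PERMISSIONS: List[Permission] = [
    Permission("RAINPOLE\\svc-vrops", "vROps-Collector", "GLOBAL", True),
    # Granted on one data center object instead of as a global permission.
    Permission("RAINPOLE\\svc-mpsd-vrops", "Read-only", "/mgmt-dc01", True),
]


def privilege_drift(designed: FrozenSet[str], held: FrozenSet[str]) -> Tuple[List[str], List[str]]:
    """Return (excess, missing): privileges held but not designed, and designed but not held."""
    return sorted(held - designed), sorted(designed - held)


def audit(designed: Dict[str, FrozenSet[str]],
          roles: Dict[str, FrozenSet[str]],
          permissions: List[Permission]) -> List[str]:
    """Check every designed service account against the deployed roles and permissions."""
    findings: List[str] = []
    for principal, wanted in designed.items():
        grants = [p for p in permissions if p.principal == principal]
        if not grants:
            findings.append(f"{principal}: no permission assigned; metric collection will fail")
            continue
        for grant in grants:
            if grant.entity != "GLOBAL":
                findings.append(f"{principal}: permission on {grant.entity} is not a global permission")
            if not grant.propagate:
                findings.append(f"{principal}: permission on {grant.entity} does not propagate to child objects")
            held = roles.get(grant.role)
            if held is None:
                findings.append(f"{principal}: role {grant.role} does not exist in the export")
                continue
            excess, missing = privilege_drift(wanted, held)
            if excess:
                findings.append(f"{principal}: role {grant.role} exceeds the designed set: {', '.join(excess)}")
            if missing:
                findings.append(f"{principal}: role {grant.role} lacks designed privileges: {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    for line in audit(DESIGNED_PRIVILEGES, DEPLOYED_ROLES, DEPLOYED_PERMISSIONS):
        print(line)
```

Run against the sample data it reports two findings: the svc-vrops role carries a power-on privilege that a metrics collector has no use for, and svc-mpsd-vrops was granted on a single data center rather than globally, so inventory in any other vCenter Server instance of the same domain would be invisible to the adapter. Feed it a real export by building the two dictionaries and the permission list from your own vCenter Server output; the check is intentionally independent of how that export is produced.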

Access to all vRealize Operations Manager Web interfaces requires an SSL connection. By default, vRealize Operations Manager uses a self-signed certificate, which encrypts the connection but gives clients no way to verify that they are talking to the genuine appliance rather than accepting a certificate warning. Replace the default self-signed certificate with a CA-signed certificate to provide secure, verifiable access to the vRealize Operations Manager user interface.

Using CA-Signed Certificates Design Decision

Decision ID: SDDC-OPS-MON-020
Design Decision: Replace the default self-signed certificate with a CA-signed certificate.
Design Justification: Ensures that all communication to the externally facing Web UI is encrypted and that clients can verify the identity of the UI without accepting a certificate warning.
Design Implication: You must obtain a certificate from a certificate authority.
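After the replacement, verify the result from a client rather than trusting the appliance's own status page. The script below is an added example, not VMware's code and not part of the validated design. It performs a verified TLS handshake against the appliance (the default self-signed certificate, or any certificate from a CA the client does not trust, fails at this step) and then inspects the certificate in the dictionary form that Python's ssl module returns, flagging a self-signed issuer, a missing DNS subjectAltName for the UI host name, and expiry. The host names and both certificate dictionaries are constructed sample data.

```python
"""Certificate check for the vRealize Operations Manager Web UI.

fetch_peer_cert() performs a verified TLS handshake against the appliance; the
default self-signed certificate (or one from a CA the client does not trust)
fails there. evaluate_cert() inspects a certificate in the dictionary form that
ssl.SSLSocket.getpeercert() returns. The host names and certificates below are
constructed sample data, not from the design or a real appliance.
"""
import socket
import ssl
import time
from typing import Dict, List, Optional, Tuple


def fetch_peer_cert(host: str, port: int = 443,
                    cafile: Optional[str] = None) -> Tuple[Optional[dict], Optional[str]]:
    """Connect with chain and host name verification enabled.

    Returns (cert_dict, None) when the chain is trusted, or (None, reason) when
    verification fails, which is what the default self-signed certificate does.
    Pass cafile for an internal CA that is not in the system trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, str(exc)


def _names(rdn_seq) -> Dict[str, str]:
    """Flatten the getpeercert() subject/issuer tuple-of-tuples into a dict."""
    return {key: value for rdn in rdn_seq for key, value in rdn}


def _dns_match(pattern: str, host: str) -> bool:
    """Match a DNS SAN entry, allowing a single left-most wildcard label only."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def evaluate_cert(cert: dict, hostname: str, now: Optional[float] = None) -> List[str]:
    """Return findings for a leaf certificate; an empty list means it passes."""
    findings: List[str] = []
    subject, issuer = _names(cert.get("subject", ())), _names(cert.get("issuer", ()))
    # A leaf whose issuer equals its subject was signed with its own key.
    if subject == issuer:
        findings.append("self-signed: issuer equals subject")
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_dns_match(san, hostname) for san in sans):
        findings.append(f"no DNS subjectAltName matches {hostname}")
    now = time.time() if now is None else now
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        findings.append("certificate has expired")
    return findings


# Constructed: what a default appliance certificate looks like (subject == issuer, no SAN).
SELF_SIGNED = {
    "subject": ((("commonName", "vrops01.rainpole.local"),),),
    "issuer": ((("commonName", "vrops01.rainpole.local"),),),
    "notAfter": "Jan 10 00:00:00 2030 GMT",
}

# Constructed: a CA-signed replacement with SAN entries for the UI host names.
CA_SIGNED = {
    "subject": ((("organizationName", "Rainpole"),), (("commonName", "vrops01.rainpole.local"),)),
    "issuer": ((("organizationName", "Rainpole"),), (("commonName", "Rainpole Issuing CA"),)),
    "subjectAltName": (("DNS", "vrops01.rainpole.local"), ("DNS", "vrops.rainpole.local")),
    "notAfter": "Jan 10 00:00:00 2030 GMT",
}

# Fixed evaluation time so the sample verdicts do not depend on the clock.
CHECK_TIME = ssl.cert_time_to_seconds("Jan 10 00:00:00 2026 GMT")

if __name__ == "__main__":
    for label, cert in (("default", SELF_SIGNED), ("replacement", CA_SIGNED)):
        print(label, evaluate_cert(cert, "vrops01.rainpole.local", CHECK_TIME) or "OK")
```

Against a live appliance, call fetch_peer_cert() with the UI host name that users actually type (the load-balanced name, not only the node name) and pass the returned dictionary to evaluate_cert() with the same name; a certificate that chains correctly but carries no subjectAltName for that name still produces a browser warning, which is exactly the condition the decision is meant to remove.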