A service account provides non-interactive, non-human access to the services and APIs of the SDDC components. You must create service accounts for accessing functionality on the SDDC nodes, and user accounts for operations and tenant administration.

A service account is a standard Active Directory account that you configure in the following way:

The password never expires.

The user cannot change the password.

The account must have the right to join computers to the Active Directory domain. 

This validated design introduces a set of service accounts that are used in a one-directional or bi-directional fashion to enable secure application communication. You use custom roles to ensure that these accounts have only the least permissions that are required for authentication and data exchange.
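The account settings described above (password never expires, user cannot change the password, right to join computers to the domain) can be applied consistently from PowerShell. The following script is an added example, not part of the VMware Validated Design documentation: it creates the Active Directory service accounts from this design's table in a dedicated OU with the required attributes. The OU path, the Computers container DN and the use of dsacls to delegate the computer-join right are assumptions about your domain layout and delegation model; adjust them to your standard.

```powershell
# Added example (not from the VMware Validated Design documentation).
# Creates the SDDC service accounts in Active Directory with the attributes the
# design requires: password never expires, user cannot change password, and a
# delegated right to join computers to the domain.
# Assumptions (not in the original page): the OU path, the Computers container
# DN and the dsacls-based delegation are placeholders for your environment.
#Requires -Modules ActiveDirectory

$domainDN    = "DC=rainpole,DC=local"
$serviceOU   = "OU=ServiceAccounts,$domainDN"   # assumed OU, create it beforehand
$computersDN = "CN=Computers,$domainDN"         # assumed target for computer joins

# AD-based service accounts from the design's table. svc-vrops-nsx and svc-umds
# are local accounts (in NSX Manager and on the UMDS host) and are not created here.
$serviceAccounts = @(
    "svc-nsxmanager", "svc-loginsight", "svc-vdp", "svc-srm", "svc-vr",
    "svc-vra", "svc-vro", "svc-vrops", "svc-mpsd-vrops", "svc-vrops-vra",
    "svc-vrli-vrops", "svc-vra-vrops"
)

foreach ($sam in $serviceAccounts) {
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Host "$sam already exists, skipping"
        continue
    }
    # Prompt for each password so no secret lands in the script or shell history
    $password = Read-Host -AsSecureString -Prompt "Password for $sam"

    New-ADUser -Name $sam -SamAccountName $sam `
        -UserPrincipalName "$sam@rainpole.local" `
        -Path $serviceOU `
        -AccountPassword $password `
        -Enabled $true `
        -PasswordNeverExpires $true `
        -CannotChangePassword $true `
        -Description "SDDC service account (VMware Validated Design)"

    # Right to join computers to the domain. Assumed delegation model: grant
    # "create child objects of class computer" on the Computers container.
    # CC = Create Child; adjust the DN and rights to your delegation standard.
    dsacls $computersDN /G "RAINPOLE\${sam}:CC;computer" | Out-Null
}
```

Because the account passwords never expire, record the creation date and rotate them on your own schedule; the application-side registration (for example NSX Manager to vCenter Server) must be updated whenever a password changes.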

Service Accounts in VMware Validated Design for Software-Defined Data Center
You configure service accounts for communication between the management components of the SDDC. The service accounts have only the rights that are required for exchanging data.

Application-to-Application or Application Service Accounts in the VMware Validated Design

| Username | Source | Destination | Description | Required Role |
|---|---|---|---|---|
| svc-nsxmanager | NSX for vSphere Manager | vCenter Server | Service account for registering NSX Manager with vCenter Single Sign-On on the Platform Services Controller and vCenter Server for the management cluster and for the compute and edge clusters | Administrator |
| svc-loginsight | vRealize Log Insight | vCenter Server | Service account for using Active Directory as an authentication source in vRealize Log Insight and for connecting vRealize Log Insight to vCenter Server and ESXi to forward log information | Log Insight User |
| svc-vdp | vSphere Data Protection | vCenter Server | Service account for registering vSphere Data Protection with vCenter Server for the management cluster | vSphere Data Protection User |
| svc-srm | Site Recovery Manager | vCenter Server | Service account for connecting Site Recovery Manager to vCenter Server and for pairing sites in Site Recovery Manager | Single Sign-On Administrator |
| svc-vr | vSphere Replication | vCenter Server | Service account for connecting vSphere Replication to vCenter Server and for pairing vSphere Replication instances | Single Sign-On Administrator |
| svc-vra | vRealize Automation | vCenter Server, vRealize Automation | Service account for access from vRealize Automation to vCenter Server. This account is a part of the vRealize Automation setup process. | Administrator |
| svc-vro | vRealize Orchestrator | vCenter Server | Service account for access from vRealize Orchestrator to vCenter Server | Administrator |
| svc-vrops | vRealize Operations Manager (Management Packs: vSphere, NSX-vSphere) | vCenter Server | Service account for connecting vRealize Operations Manager to the Management vCenter Server and Compute vCenter Server | Read-Only |
| svc-mpsd-vrops | vRealize Operations Manager (Management Pack: MPSD) | vCenter Server | Service account for storage device monitoring of the Management vCenter Server and Compute vCenter Server from vRealize Operations Manager | MPSD Metrics User |
| svc-vrops-nsx | vRealize Operations Manager (Management Pack: NSX-vSphere) | NSX for vSphere | Local service account for connecting the NSX for vSphere adapter for vRealize Operations Manager to the Management and Compute NSX Managers | Enterprise Administrator |
| svc-vrops-vra | vRealize Operations Manager (Management Pack: vRA) | vRealize Automation | Service account for connecting the vRealize Automation adapter for vRealize Operations Manager to vRealize Automation | Tenant administrator, IaaS administrator, Fabric administrator, Software Architect |
| svc-vrli-vrops | vRealize Log Insight | vRealize Operations Manager | Service account for connecting vRealize Log Insight to vRealize Operations Manager for log forwarding, and for alerts and Launch in Context integration | Administrator |
| svc-vra-vrops | vRealize Automation | vRealize Operations Manager | Service account for integration of health statistics from vRealize Operations Manager in the vRealize Automation portal | Read-Only |
| svc-umds | vSphere Update Manager Download Service | -- | Local service account for configuring the Update Manager Download Service on the host virtual machine | Administrator |
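Because these accounts hold non-expiring passwords and, in several cases, administrator roles inside the management components, it is worth verifying periodically that they still match the design: that they exist, are enabled, carry the required password attributes, and have not picked up directory-wide privileges that the design never grants them. The following audit script is an added example, not part of the VMware Validated Design documentation; it assumes it runs under an account that can read user objects in rainpole.local and checks only the Active Directory side of the table (the two local accounts are reviewed in NSX Manager and on the UMDS host instead).

```powershell
# Added example (not from the VMware Validated Design documentation).
# Audits the SDDC service accounts against the design's requirements:
# account exists and is enabled, password never expires, user cannot change it,
# and no membership in highly privileged AD groups (the design limits these
# accounts to application roles, not directory-wide rights).
# Assumption: run with an account that can read user objects in rainpole.local.
#Requires -Modules ActiveDirectory

# AD-based service accounts from the design's table (svc-vrops-nsx and svc-umds
# are local accounts in NSX Manager / on the UMDS host, not in AD)
$expected = @(
    "svc-nsxmanager", "svc-loginsight", "svc-vdp", "svc-srm", "svc-vr",
    "svc-vra", "svc-vro", "svc-vrops", "svc-mpsd-vrops", "svc-vrops-vra",
    "svc-vrli-vrops", "svc-vra-vrops"
)
# Groups whose membership an application service account should never need
$privilegedGroups = @("Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators")

$findings = foreach ($sam in $expected) {
    $u = Get-ADUser -Filter "SamAccountName -eq '$sam'" `
        -Properties PasswordNeverExpires, CannotChangePassword, MemberOf, PasswordLastSet
    if (-not $u) {
        [pscustomobject]@{ Account = $sam; Status = "MISSING"; Detail = ""; PasswordAgeDays = $null }
        continue
    }

    $issues = @()
    if (-not $u.Enabled)              { $issues += "disabled" }
    if (-not $u.PasswordNeverExpires) { $issues += "password expires" }
    if (-not $u.CannotChangePassword) { $issues += "user can change password" }

    # MemberOf holds group DNs; compare the CN component against the privileged list
    $groups = $u.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }
    $bad = $groups | Where-Object { $privilegedGroups -contains $_ }
    if ($bad) { $issues += "member of: $($bad -join ', ')" }

    # Non-expiring passwords still need a rotation schedule; surface the age
    $ageDays = if ($u.PasswordLastSet) {
        (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days
    } else { $null }

    $status = if ($issues) { "REVIEW" } else { "OK" }
    [pscustomobject]@{
        Account         = $sam
        Status          = $status
        Detail          = ($issues -join '; ')
        PasswordAgeDays = $ageDays
    }
}

$findings | Format-Table -AutoSize
```

Run it from a management host after initial deployment to confirm the baseline, and again after any change to Active Directory group membership; a REVIEW status on the privileged-group check is the finding to act on first, since it means a non-interactive account with a static password has gained rights far beyond the data exchange it was created for.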

Create the following user accounts in the parent Active Directory domain rainpole.local:

User Accounts in the rainpole.local Parent Domain

| User Name | Description | Service Account | Member of Groups |
|---|---|---|---|
| ITAC-TenantAdmin | Tenant administrator role in the SDDC for configuring vRealize Automation according to the needs of your organization, including user and group management, tenant branding and notifications, and business policies. | No | RAINPOLE\ug-ITAC-TenantAdmins, RAINPOLE\ug-vROAdmins |
| ITAC-TenantArchitect | Tenant blueprint architect role in the SDDC for creating the blueprints that tenants request from the service catalog. | No | RAINPOLE\ug-ITAC-TenantArchitects |

Create the following accounts for user access in each of the child Active Directory domains, sfo01.rainpole.local and lax01.rainpole.local, to provide centralized user access to the SDDC. In Active Directory, you do not assign any special rights to these accounts other than the default ones.

User Accounts in the sfo01.rainpole.local and lax01.rainpole.local Child Domains

| User Name | Description | Service Account | Member of Groups |
|---|---|---|---|
| SDDC-Admin | Global administrative account across the SDDC. | No | RAINPOLE\ug-SDDC-Admins |
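The two user-account tables above describe interactive accounts rather than service accounts: the password policy of the domain applies to them, they receive no extra directory rights, and their SDDC permissions come entirely from the groups they are members of. The script below is an added example, not part of the VMware Validated Design documentation, that provisions these accounts in the parent domain and in each child domain and adds them to the listed groups. It assumes the groups already exist in the parent domain as universal groups (so that child-domain users can be members), that an OU named Users exists under each domain, and that the -Server parameter can reach a domain controller of each domain by the domain's DNS name.

```powershell
# Added example (not from the VMware Validated Design documentation).
# Creates the tenant accounts in the parent domain rainpole.local and the
# SDDC-Admin account in each child domain, then adds each account to the
# groups listed in the design's tables. The accounts are ordinary users:
# no "password never expires", no delegated directory rights.
# Assumptions: the groups exist in RAINPOLE as universal groups, an OU named
# "Users" exists under each domain, and -Server resolves to each domain's DC.
#Requires -Modules ActiveDirectory

$userOU = "OU=Users"   # assumed OU name, appended to each domain's DN

# Parent-domain accounts and their group memberships (from the page's table)
$parentDomain = "rainpole.local"
$parentUsers  = @(
    @{ Name = "ITAC-TenantAdmin";     Groups = @("ug-ITAC-TenantAdmins", "ug-vROAdmins") }
    @{ Name = "ITAC-TenantArchitect"; Groups = @("ug-ITAC-TenantArchitects") }
)
# Child domains that each get an SDDC-Admin account; its group lives in RAINPOLE
$childDomains = @("sfo01.rainpole.local", "lax01.rainpole.local")

function New-SddcUser {
    param(
        [string]$Domain,        # domain in which the account is created
        [string]$Name,
        [string[]]$Groups,      # group names in $GroupDomain
        [string]$GroupDomain    # domain that holds the groups (parent domain)
    )
    # Build the domain DN from its DNS name: rainpole.local -> DC=rainpole,DC=local
    $dn = "DC=" + (($Domain -split '\.') -join ',DC=')
    $password = Read-Host -AsSecureString -Prompt "Initial password for $Name@$Domain"

    New-ADUser -Server $Domain -Name $Name -SamAccountName $Name `
        -UserPrincipalName "$Name@$Domain" -Path "$userOU,$dn" `
        -AccountPassword $password -Enabled $true `
        -ChangePasswordAtLogon $true   # interactive user: force a first-logon change

    # Pass the user object (not just the name) so cross-domain membership resolves
    $user = Get-ADUser -Server $Domain -Identity $Name
    foreach ($g in $Groups) {
        Add-ADGroupMember -Server $GroupDomain -Identity $g -Members $user
    }
}

foreach ($u in $parentUsers) {
    New-SddcUser -Domain $parentDomain -Name $u.Name -Groups $u.Groups -GroupDomain $parentDomain
}
foreach ($child in $childDomains) {
    New-SddcUser -Domain $child -Name "SDDC-Admin" -Groups @("ug-SDDC-Admins") -GroupDomain $parentDomain
}
```

Keeping the SDDC permissions on the groups rather than on the individual accounts means that revoking an administrator's access is a single group-membership change in the parent domain, which is easy to audit and does not require touching the child domains.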