How it works...

We have demonstrated that we can create a dedicated service account user, nsx-svc, to register NSX Manager with the vCenter and SSO services. This way, we avoid using the default SSO administrator account for NSX services.

One of the reasons for creating a dedicated user is for traceability, as this user will be used by NSX for vSphere-related tasks, such as preparing ESXi hosts and creating logical switches, logical routers, and NSX Edge Service Gateways.

In the following screenshot, we can see that in NSX Managers | NSX Manager IP | Monitor | Audit Logs, a user corp.local\greg created a logical switch and an NSX Edge Gateway called EdgeGateway01. In the recent tasks, however, we can see that NSX used the VSPHERE.LOCAL\nsx-svc service account to perform the vSphere tasks, such as Add Distributed Port Group, Update opaque data for set of entities, Deploy OVF template, and other NSX-related tasks in vSphere. With a dedicated service account user for NSX, the vSphere operations team is aware that these are NSX-related tasks.
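
The two views described above (the NSX audit log and the vSphere recent tasks) can be joined to recover which person requested each service-account task. This is an added example, not code from the book or from VMware. The record layout, timestamps, audit operation names, the `corp.local\alice` user and the two-minute window are constructed assumptions; the nsx-svc and greg accounts and the three NSX task names come from the text.

```python
from datetime import datetime, timedelta

NSX_SVC = r"VSPHERE.LOCAL\nsx-svc"  # assumed display form of the page's service account

# Constructed NSX Manager audit-log entries (who asked NSX to do something).
AUDIT = [
    ("2024-05-01T10:00:05", r"corp.local\greg", "Create logical switch"),
    ("2024-05-01T10:07:30", r"corp.local\greg", "Create NSX Edge EdgeGateway01"),
]
# Constructed vCenter recent-task records (who vCenter saw doing the work).
TASKS = [
    ("2024-05-01T10:00:09", NSX_SVC, "Add Distributed Port Group"),
    ("2024-05-01T10:00:11", NSX_SVC, "Update opaque data for set of entities"),
    ("2024-05-01T10:07:41", NSX_SVC, "Deploy OVF template"),
    ("2024-05-01T10:20:00", r"corp.local\alice", "Power On virtual machine"),
    ("2024-05-01T23:14:02", NSX_SVC, "Deploy OVF template"),  # no NSX request behind it
]

def correlate(audit, tasks, svc=NSX_SVC, window=timedelta(minutes=2)):
    """Attribute each service-account task to the NSX audit entry that preceded it.

    Returns (attributed, orphans): attributed holds
    (task_name, requesting_user, nsx_operation); orphans are service-account
    tasks with no NSX audit entry in the preceding window.
    """
    parsed = sorted((datetime.fromisoformat(ts), user, op) for ts, user, op in audit)
    attributed, orphans = [], []
    for ts, initiator, name in tasks:
        if initiator.lower() != svc.lower():
            continue  # task ran under a person's own account
        when = datetime.fromisoformat(ts)
        # Audit entries at or before the task and inside the window, oldest first.
        prior = [a for a in parsed if timedelta(0) <= when - a[0] <= window]
        if prior:
            _, user, op = prior[-1]
            attributed.append((name, user, op))
        else:
            orphans.append((ts, name))
    return attributed, orphans

if __name__ == "__main__":
    attributed, orphans = correlate(AUDIT, TASKS)
    for name, user, op in attributed:
        print(f"{name!r} <- {user} ({op})")
    for ts, name in orphans:
        print(f"REVIEW {ts}: {name!r} ran as {NSX_SVC} with no NSX audit entry")
```

A service-account task with no preceding NSX audit entry is worth reviewing, because it suggests the nsx-svc credentials were used outside NSX Manager.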

To register the NSX Manager to SSO services, we added the nsx-svc user as an SSO administrator so this user can register the NSX Management service as a solution user. If the SSO user is not an SSO administrator, registering the NSX Manager to SSO services will throw an error, as shown in the following screenshot:
