The vCenter Server must limit the use of the built-in SSO administrative account. (Cat II impact)
Use of the SSO administrator account should be limited as it is a shared account and individual accounts must be used wherever possible.
Verify the built-in SSO administrator account is only used for emergencies and situations where it is the only option due to permissions. If the built-in SSO administrator account is used for daily operations or there is no policy restricting its use, this is a finding.
Develop a policy to limit the use of the built-in SSO administrator account.
The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.