VMware Cloud Community
cswaters1
Contributor

Need help understanding the relationship between vCenter and SRM Permissions.

There is an SRM Permissions section on page 37 of the SRM Administrators guide. This section details the permissions that should be set "...To obtain the full ability of an administrator of the protected site and the recovery site..."

Can someone explain how these permissions should be set and what their relationships are with VirtualCenter?

My only real requirement is to provide management with the ability to initiate a test or run. What permissions in SRM and VirtualCenter are required to do this? I have tried using the SRM Recovery Plans Administrator user (modified to include the ability to run a recovery, as per the release notes for update 1), but this setup only covers SRM permissions and not VirtualCenter.

What VC permissions do I need to set for this account to work?

Look forward to your response.

Thanks,

Craig.

Craig Waters | vExpert | Melbourne VMware User Group Leader | website: craigwaters.org | twitter: @cswaters1
3 Replies
cswaters1
Contributor

Can anyone help me please?

76dragon
Enthusiast

Hi Craig.

Initially, by default, I found that anyone with local admin or domain administrator rights could access both VC and the SRM side of things with unrestricted access. This of course is due to domain administrators being part of the local admin group on the VC server.

I didn't want to create a twisted web of rights and permissions for our internal system, but I did want to lock it down so domain administrators could not select the "RUN" option by accident. I removed the domain administrators group from the local admin group on the VC server and then cloned one of the SRM default roles (I forget which one now). Basically, I created one custom role with FULL permissions and one with everything except the ability to "RUN".

So on the Data Center side I had all my typical permissions set up, and then on the Site Recovery side, at the top level, I set specific users up with the custom roles I created. These roles for SRM only had SRM permissions and did not require any of the other VC permissions.

So far so good. Others may have better suggestions, but this worked for me in an environment where only 2-3 people have access to the system. In an environment with a lot more users/administrators you may find you need to set up additional roles with different types of permissions.

Hope this helps.

cswaters1
Contributor

Thanks for your reply 76dragon. I guess what my real question is...

I want to create a VC/SRM user who only has sufficient rights to test / run a migration and nothing else.

The idea is that this user logs in to the VI Client and then has the rights needed to go to any Recovery Plan and either test or run it - nothing else.

Does this make sense? I am struggling from the VC perspective on how I can set this up. Sure, I have created an SRM user with these privileges, but this will only work if someone with sufficient rights to VI is logged in, clicks on the Site Recovery icon and authenticates using this SRM user...

Any help with this would be gratefully received. The implementation is for a site with a small IT Admin base, therefore there is no requirement for a multitude of roles, just something simple.

Look forward to your reply, thanks.

Craig.
