VMware Cloud Community
thomps01
Enthusiast

SRM Permissions & Roles - Do I actually need to use them?

If my AD account is already a member of the vCenter administrator role which has administrative access to everything, do I need to bother with the SRM roles?

I keep re-reading the manual and it's just not clear to me.

I see there are lots of roles, but there doesn't appear to be a role which provides all SRM features in one hit.

Cheers

mal_michael
Commander

Hi,

There are three things to understand here:

1) Permissions in the SRM inventory. If you go to the SRM screen and look at the Permissions tab you can see that you can (and must) give permissions there to be able to operate SRM. Permissions can be granted on Protection Groups and Recovery Plans also. These permissions are separate from vCenter permissions.

2) vCenter permissions that are related to SRM. To be able to configure VM protection, you must have the Virtual Machine --> Configuration --> Replicate privilege. It can be granted at different levels in the vCenter inventory.

3) "Regular" vCenter permissions required to complete SRM tasks. You need various privileges, such as rescan HBAs, create / delete VMs, etc., to be able to protect VMs and perform failover / test. They can be granted at different levels in the vCenter inventory.

Regarding your specific case, as you have the "Administrator" role at the vCenter inventory, 2) and 3) are OK. Regarding 1), by default only the Local Administrators group is given the "Administrator" role at the SRM inventory (this role includes all SRM permissions, of course). Make sure you are a member of this group, or if you work with a domain group, grant the needed permissions to that group(s). I recommend giving Run / Test permissions to a very limited group of people, as performing these tasks has a dramatic impact on the environment.

Michael.

thomps01
Enthusiast

Michael,

This is an excellent description of how I need to apply the permissions, and for this I thank you.

Maybe you should write the SRM manuals as you've made it much clearer to me.

thomps01
Enthusiast

One more question.

I created my own AD group and role with SRM permissions to replace the default Administrators group, but I can't delete it.

It says 'The requested change cannot be completed because it could leave the system without full administrative privileges for a user or group'.

So this means that anyone who is a member of my vCenter local administrators group, i.e. domain admins, has access to run recovery plans.

Is this by design? Should I need to remove the group?

I get a similar error if I try to remove the group from the vCenter top level.

mal_michael
Commander

Hi,

Yes, this is by design. You must have a user / group that is granted the "Administrator" role at the top level of the inventory.

What you can do is to create a local / domain user account and grant it the "Administrator" role. This will allow you to remove the default permission given to the local administrators group.

Michael.

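The vCenter side of the two answers above (layers 2 and 3 of the accepted answer, and the "grant a dedicated account Administrator at the top level before removing the default" advice in the last reply) can be audited and applied from VMware PowerCLI. The script below is an added example, not code from the thread or from VMware: it lists who holds the Administrator role at the inventory root (everyone listed there, including any Domain Admins nested in the default local Administrators group, has the vCenter privileges SRM needs), checks whether a role carries the Replicate privilege, and swaps the root-level Administrator permission to a dedicated group with the same guard the UI enforces (never leave the root without an Administrator). The server name, the `EXAMPLE\SRM-Admins` group, the old principal name and the assumption that the Replicate privilege's label is literally `Replicate` are placeholders to adjust for your environment. The SRM inventory permissions (layer 1) are not touched here; they are assigned in the SRM Permissions tab as the answer describes.

```powershell
# Added example (not from the forum thread or from VMware): audit and reshape
# the vCenter-side permissions the answers describe, using VMware PowerCLI.
# Assumptions: PowerCLI is installed; the built-in "Administrator" role is
# named 'Admin' in PowerCLI; server, group and old-principal names are placeholders.
param(
    [string]$VCenter      = 'vcenter.example.local',         # placeholder
    [string]$SrmAdmins    = 'EXAMPLE\SRM-Admins',            # placeholder AD group
    [string]$OldPrincipal = 'VSPHERE.LOCAL\Administrators'   # placeholder; varies by release
)

Import-Module VMware.VimAutomation.Core -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

$root      = Get-Folder -NoRecursion     # top-level inventory object
$adminRole = Get-VIRole -Name 'Admin'    # built-in "Administrator" role

# Who holds Administrator at the top level? Everyone here has the vCenter
# privileges SRM needs (layers 2 and 3). If the same group also holds the
# default SRM permission, these principals can run and test recovery plans.
function Get-RootAdministrators {
    Get-VIPermission -Entity $root |
        Where-Object { $_.Role -eq $adminRole.Name } |
        Select-Object Principal, IsGroup, Propagate
}

# Does a role carry the Replicate privilege needed to configure protection?
# Matching on the label 'Replicate' is an assumption; adjust it to the name
# your vSphere release shows under Virtual Machine > Configuration.
function Test-RoleHasReplicate {
    param([string]$RoleName, [string]$PrivilegeName = 'Replicate')
    $privs = Get-VIPrivilege -Role (Get-VIRole -Name $RoleName)
    $null -ne ($privs | Where-Object { $_.Name -eq $PrivilegeName })
}

# Replace the default top-level Administrator permission safely: grant the
# dedicated group first, then remove the old permission only if at least one
# other Administrator permission remains at the root (what the UI error
# quoted above is protecting against).
function Move-RootAdministrator {
    param([string]$NewPrincipal, [string]$Old)

    $existing = Get-VIPermission -Entity $root -Principal $NewPrincipal -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-VIPermission -Entity $root -Principal $NewPrincipal -Role $adminRole -Propagate:$true | Out-Null
    }

    $remaining = Get-RootAdministrators | Where-Object { $_.Principal -ne $Old }
    if (-not $remaining) {
        throw "Refusing to remove '$Old': no other Administrator permission at the root."
    }
    Get-VIPermission -Entity $root -Principal $Old | Remove-VIPermission -Confirm:$false
}

# Read-only by default: report, and leave the permission swap commented out.
Get-RootAdministrators | Format-Table -AutoSize
"Administrator role carries Replicate: $(Test-RoleHasReplicate -RoleName $adminRole.Name)"
# Move-RootAdministrator -NewPrincipal $SrmAdmins -Old $OldPrincipal

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it first as-is to see who actually sits at the root with Administrator; only then uncomment the `Move-RootAdministrator` call. Keeping the new group's permission propagating (`-Propagate:$true`) matters, because SRM operations need the create / delete VM and rescan privileges on child objects as well as at the root.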