VMware Cloud Community
CooLix
Contributor

vSphere Replication 8.3 permission issues when creating a replication pair

Hi All,

I've been reading https://docs.vmware.com/en/vSphere-Replication/8.4/vsphere-replication-84-admin.pdf, on page 96, "Assign VRM Virtual Machine Replication User Role".

I have set up Site A and Site B SRM and vSphere Replication. Everything works fine if I am logged on as an admin to vCenter. Both sites are linked to the same AD and I'm using LDAP to populate the global permissions.

Both sites have the same permissions configured as Global Permissions at the top level. So, VRM virtual machine replication user is configured the same on both sites, at the root folder with propagate on. I also have the VRM target datastore user role assigned to the datastore in Site B.

The issue I have is that if I log on as a user, without vCenter admins, I get permission denied when I try to add a new replication. I can remove existing replications without issue. When I attempt to create a Site A to Site B replication, the incoming replication gets created on Site B, but no outgoing connection on Site A, which, I assume, is down to the NoPermission error.

Since it's the same AD and the same AD group is added to the roles, the user account has the same rights in both Site A and Site B vCenters.

Since it is a permissions issue, I decided to make the user a member of the VRM admins role on both sites. Still the same. That role is also added as a Global Permission at the top level in vCenter.

I've looked in the hms.log on the VSRM and all I get is the same message "Permission to perform this operation is denied". No clue as to why or which privilege I am missing.

Any ideas anyone?

The user account has access to vCenter with full access to virtual machines only from the root.

0 Kudos
1 Reply
cpetry7c1
Contributor

I'm running into this exact same issue with vCenter 6.7.0.51000, SRM 8.4.0, and vSphere Replication 8.3.1.

Were you able to figure this out? I've switched the IDM source from AD integrated auth to AD as an LDAP source. That didn't help. I'm leaving it that way since AD integrated auth is deprecated.

These are linked vCenters as well.

I can create replications with root/admin perms on everything, but if I try to specify a user/group all I get is some generic "NoPermission" error. I can see the VM replica created on one side but not the other and I can't reconfigure it. If I log in with administrator I can delete and re-create it without any issues.

I think I'm going to try upgrading SRM/vSphere Replication to 8.5. I find it odd that you have the same issue on 8.3.

0 Kudos