There are three things to understand here:
1) Permissions in SRM inventory. If you go to the SRM screen and look at the Permissions tab, you can see that you can (and must) give permissions there to be able to operate SRM. Permissions can be granted on Protection Groups and Recovery Plans also. These permissions are separate from vCenter permissions.
2) vCenter permissions that are related to SRM. To be able to configure VM protection, you must have Virtual Machine --> Configuration --> Replicate privileges. Can be granted at different levels in vCenter inventory.
3) "Regular" vCenter permissions required to complete SRM tasks. You need various privileges, such as rescan HBAs, create / delete VMs, etc., to be able to protect VMs and perform failover / test. Can be granted at different levels in vCenter inventory.
Regarding your specific case, as you have the "Administrator" role at vCenter inventory, 2) and 3) are OK. Regarding 1), by default only the Local Administrators group is given the "Administrator" role at SRM inventory (this role includes all SRM permissions, of course). Make sure you are a member of this group, or if you work with a domain group, grant the needed permissions to that group(s). I recommend that you give Run / Test permissions to a very limited group of people, as performing these tasks has a dramatic impact on the environment.
This is an excellent description of how I need to apply the permissions and for this I thank you.
Maybe you should write the SRM manuals as you've made it much clearer to me.
One more question.
I created my own AD group and role with SRM permissions to replace the default Administrators group but I can delete it.
It says 'The requested change cannot be completed because it could leave the system without full administrative privileges for a user or group'.
So this means that anyone who is a member of my vCenter local administrators group - i.e. domain admins has access to run recovery plans.
Is this by design? Should I need to remove the group?
I get a similar error if I try to remove the group from the vCenter top level.
Yes, this is by design. You must have a user / group that is granted the "Administrator" role at the top level of the inventory.
What you can do is create a local / domain user account and grant it the "Administrator" role. This will allow you to remove the default permission given to the local administrators group.