During installation of Site Recovery Manager, users with the vCenter Server administrator role are granted the administrator role on Site Recovery Manager. At this time, only vCenter Server administrators can log in to Site Recovery Manager, unless they explicitly grant access to other users.
About this task
To allow other users to access Site Recovery Manager, vCenter Server administrators must grant them permissions in the Site Recovery Manager interface in the vSphere Web Client. You assign site-wide permission assignments on a per-site basis. You must add corresponding permissions on both sites.
Site Recovery Manager requires permissions on vCenter Server objects as well as on Site Recovery Manager objects. To configure permissions on the remote vCenter Server installation, start another instance of the vSphere Web Client. You can change Site Recovery Manager permissions from the same vSphere Web Client instance on both sites after you connect the protected and recovery sites.
Site Recovery Manager augments vCenter Server roles and permissions with additional permissions that allow detailed control over Site Recovery Manager specific tasks and operations. For information about the permissions that each Site Recovery Manager role includes, see Site Recovery Manager Roles Reference.
You can assign more granular permissions to users by assigning them permissions on specific Site Recovery Manager objects, including individual array managers, protection groups, and recovery plans. You can also allow users to access specific groups of protections groups, recovery plans, and array managers by assigning permissions to protection group and recovery plan folders, and to all of the array managers for a site.
- In the vSphere Web Client, select the objects on which to assign permissions.
Assign site-wide permissions
Click, and select a site.
Assign permissions to an individual protection group
Click Site Recovery, expand Inventories, click Protection Groups, and select a protection group.
Assign permissions to a protection group folder
Click Site Recovery, expand Inventory Trees, click Protection Groups and select a protection group folder. You can assign permissions to the root folder or to a subfolder.
Assign permissions to an individual recovery plan
Click Site Recovery, expand Inventories, click Recovery Plans, and select a recovery plan.
Assign permissions to a recovery plan folder
Click Site Recovery, expand Inventory Trees, click Recovery Plans and select a recovery plan folder. You can assign permissions to the root folder or to a subfolder.
Assign permissions to an individual array manager
Click, and select an array manager.
Assign permissions to all array managers for a site
Click Site Recovery, expand Inventory Trees, click Array Based Replication and select a site folder.
- In the Manage tab, click Permissions, then click the Add Permission icon.
- Identify a user or group for the role.
- Click Add in the Users and Groups column.
- From the Domain drop-down menu, select the domain that contains the user or group.
- Enter a user or user group name in the Search text box or select a name from the User/Group list.
- Click Add and click OK.
- Select a role from the Assigned Role drop-down menu to assign to the user or user group that you selected in 3.
The Assigned Role drop-down menu includes all of the roles that vCenter Server and its plug-ins make available. Site Recovery Manager adds several roles to vCenter Server.
Allow a user or user group to perform all Site Recovery Manager configuration and administration operations.
Assign the SRM Administrator role.
Allow a user or user group to manage and modify protection groups and to configure protection on virtual machines.
Assign the SRM Protection Groups Administrator role.
Allow a user or user group to perform recoveries and test recoveries.
Assign the SRM Recovery Administrator role.
Allow a user or user group to create, modify, and test recovery plans.
Assign the SRM Recovery Plans Administrator role.
Allow a user or user group to test recovery plans.
Assign the SRM Recovery Test Administrator role.
When you select a role, the hierarchical list displays the privileges that the role includes. Click a privilege in the hierarchical list to see a description of that privilege. You cannot modify the list of privileges that each role includes.
- Select Propagate to Children to apply the selected role to all of the child objects of the inventory objects that this role can affect.
For example, if a role contains privileges to modify folders, selecting this option extends the privileges to all the virtual machines in a folder. You might deselect this option to create a more complex hierarchy of permissions. For example, deselect this option to override the permissions that are propagated from the root of a certain node from the hierarchy tree, but without overriding the permissions of the child objects of that node.
- Click OK to assign the role and its associated privileges to the user or user group.
- Repeat 2 through 6 to assign roles and privileges to the users or user groups on the other Site Recovery Manager site.
You assigned a given Site Recovery Manager role to a user or user group. This user or user group has privileges to perform the actions that the role defines on the objects on the Site Recovery Manager site that you configured.
Combining Site Recovery Manager Roles
You can assign only one role to a user or user group. If a user who is not a vCenter Server administrator requires the privileges of more than one Site Recovery Manager role, you can create multiple user groups. For example, a user might require the privileges to manage recovery plans and to run recovery plans.
Create two user groups.
Assign the SRM Recovery Plans Administrator role to one group.
Assign the SRM Recovery Administrator role to the other group.
Add the user to both user groups.
By being a member of groups that have both the SRM Recovery Plans Administrator and the SRM Recovery Administrator roles, the user can manage recovery plans and run recoveries.