Site Recovery Manager includes a set of roles. Each role includes a set of privileges, which allow users with those roles to complete different actions.

Roles can have overlapping sets of privileges and actions. For example, the Site Recovery Manager Administrator role and the Site Recovery Manager Protection Groups Administrator have the Create privilege for protection groups. With this privilege, the user can complete one aspect of the set of tasks that make up the management of protection groups.

Assign roles to users on Site Recovery Manager objects consistently on both sites, so that protected and recovery objects have identical permissions.

All users must have at least the System.Read privilege on the root folders of vCenter Server and the Site Recovery Manager root nodes on both sites.

Note: If you uninstall Site Recovery Manager Server, Site Recovery Manager removes the default Site Recovery Manager roles but the Site Recovery Manager privileges remain. You can still see and assign Site Recovery Manager privileges on other roles after uninstalling Site Recovery Manager. This is standard vCenter Server behavior. Privileges are not removed when you unregister an extension from vCenter Server.
Table 1. Site Recovery Manager Roles
Role Actions that this Role Permits Privileges that this Role Includes Objects in vCenter Server Inventory that this Role Can Access
Site Recovery Manager Administrator

The Site Recovery Manager Administrator grants permission to perform all Site Recovery Manager configuration and administration operations.

  • Configure advanced settings.
  • Configure connections.
  • Configure inventory preferences.
  • Configure placeholder datastores.
  • Configure array managers.
  • Manage protection groups.
  • Manage recovery plans.
  • Run recovery plans.
  • Perform reprotect operations.
  • Configure protection on virtual machines.
  • Edit protection groups.
  • Remove protection groups.
  • View storage policy objects.

The Site Recovery Manager Administrator user cannot edit inherited permissions. To restrict the access of a specific user or to grant access to a user, the Site Recovery Manager Administrator must add a new role.

Site Recovery Manager.Advanced Settings.Modify

Site Recovery Manager.Array Manager.Configure

Site Recovery Manager.Diagnostics.Export

Site Recovery Manager.Internal.Internal Access

Site Recovery Manager.Inventory Preferences.Modify

Site Recovery Manager.Placeholder Datastores.Configure

Site Recovery Manager.Protection Group.Assign to Plan

Site Recovery Manager.Protection Group.Create

Site Recovery Manager.Protection Group.Modify

Site Recovery Manager.Protection Group.Remove

Site Recovery Manager.Protection Group.Remove from Plan

Site Recovery Manager.Recovery History.Delete History

Site Recovery Manager.Recovery History .View Deleted Plans

Site Recovery Manager.Recovery Plan.Configure commands

Site Recovery Manager.Recovery Plan.Create

Site Recovery Manager.Recovery Plan.Modify

Site Recovery Manager.Recovery Plan.Recovery

Site Recovery Manager.Recovery Plan.Remove

Site Recovery Manager.Recovery Plan.Reprotect

Site Recovery Manager.Recovery Plan.Test

Site Recovery Manager.Remote Site.Modify

Datastore.Replication.Protect

Datastore.Replication.Unprotect.Stop

Resource.Recovery Use

Virtual Machine. SRM Protection.Protect

Virtual Machine. SRM Protection.Stop

Site Recovery Manager.Profile-driven storage.Profile-driven storage view

  • Virtual machines
  • Datastores
  • vCenter Server folders
  • Resource pools
  • Site Recovery Manager service instances
  • Networks
  • Site Recovery Manager folders
  • Protection groups
  • Recovery plans
  • Array managers
Site Recovery Manager Protection Groups Administrator

The Site Recovery Manager Protection Groups Administrator role allows users to manage protection groups.

  • Create protection groups.
  • Modify protection groups.
  • Add virtual machines to protection groups.
  • Delete protection groups.
  • Configure protection on virtual machines.
  • Remove protection from virtual machines.

Users with this role cannot perform or test recoveries or create or modify recovery plans.

Site Recovery Manager.Protection Group.Create

Site Recovery Manager.Protection Group.Modify

Site Recovery Manager.Protection Group.Remove

Datastore.Replication.Protect

Datastore.Replication.Unprotect.Stop

Resource.Recovery Use

Virtual Machine. SRM Protection.Protect

Virtual Machine. SRM Protection.Stop

  • Site Recovery Manager folders
  • Protection groups
Site Recovery Manager Recovery Administrator

The Site Recovery Manager Recovery Administrator role allows users to perform recoveries and reprotect operations.

  • Remove protection groups from recovery plans.
  • Test recovery plans.
  • Run recovery plans.
  • Run reprotect operations.
  • Configure custom command steps on virtual machines.
  • View deleted recovery plans.
  • Edit virtual machine recovery properties.

Users with this role cannot configure protection on virtual machines, or create or remove recovery plans.

Site Recovery Manager.Protection Group.Remove from plan

Site Recovery Manager.Recovery Plan.Modify

Site Recovery Manager.Recovery Plan.Test

Site Recovery Manager.Recovery Plan.Recovery

Site Recovery Manager.Recovery Plan.Reprotect

Site Recovery Manager.Recovery Plan.Configure commands

Site Recovery Manager.Recovery History.View deleted plans

  • Protection groups
  • Recovery plans
  • Site Recovery Manager service instances
Site Recovery Manager Recovery Plans Administrator

The Site Recovery Manager Recovery Plans Administrator role allows users to create and test recovery plans.

  • Add protection groups to recovery plans.
  • Remove protection groups from recovery plans.
  • Configure custom command steps on virtual machines.
  • Create recovery plans.
  • Test recovery plans.
  • Cancel recovery plan tests.
  • Edit virtual machine recovery properties.

Users with this role cannot configure protection on virtual machines, or perform recoveries or reprotect operations.

Site Recovery Manager.Protection Group.Assign to plan

Site Recovery Manager.Protection Group.Remove from plan

Site Recovery Manager.Recovery Plan.Configure Commands

Site Recovery Manager.Recovery Plan.Create

Site Recovery Manager.Recovery Plan.Modify

Site Recovery Manager.Recovery Plan.Remove

Site Recovery Manager.Recovery Plan.Test

Resource.Recovery Use

  • Protection groups
  • Recovery plans
  • vCenter Server folders
  • Datastores
  • Resource pools
  • Networks
Site Recovery Manager Test Administrator

The Site Recovery Manager Test Administrator role only allows users to test recovery plans.

  • Test recovery plans.
  • Cancel recovery plan tests.
  • Edit virtual machine recovery properties.

Users with this role cannot configure protection on virtual machines, create protection groups or recovery plans, or perform recoveries or reprotect operations.

Site Recovery Manager.Recovery Plan.Modify

Site Recovery Manager.Recovery Plan.Test

  • Recovery plans
Site Recovery Manager Remote User The Site Recovery Manager Remote User role grants users the minimum set of privileges needed for cross site Site Recovery Manager operations.

Datastore.Browse datastore

Datastore.Low level file operations

Datastore.Update virtual machine files

Datastore.Update virtual machine metadata

Host.vSphere Replication.Manage replication

Virtual Machine.Snapshot management.Remove snapshot

Virtual Machine.vSphere Replication.Configure replication

Virtual Machine.vSphere Replication.Manage replication

Virtual Machine.vSphere Replication.Monitor replication

  • Virtual machines
  • Datastores