VMware Cloud Director Availability requires the following user roles, rights and privileges, and establishes the following sessions for performing disaster recovery (DR) operations.

VMware Cloud Director Availability Appliance root User Account

VMware Cloud Director Availability uses the root user account for access to both the virtual appliance console and the management interface. The initial deployment of each VMware Cloud Director Availability appliance sets up this account. The OVF Deployment wizard requires an initial password for the root user account, which must be over three characters long. After the initial deployment, VMware Cloud Director Availability forces a change of this initial password on the first login as the root user, with the following requirements for the persistent root user account password.
  • The password must be over eight characters.
  • The password must contain digits, upper and lower case letters, and non-alphabetic characters.
  • The password cannot match any previous password.
  • The password must contain more than four new characters compared to the previous password.
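The four rules above can be pre-checked before the forced change on first login. The following is an added example written for this page, not code from the VMware Cloud Director Availability appliance: it models the stated rules only. Two points the page leaves open are treated as assumptions and marked as such in the code: "non-alphabetic characters" is read as characters that are neither letters nor digits, and "more than four new characters compared to the previous password" is counted the way Linux pam_pwquality's difok option counts, i.e. the number of characters of the candidate that do not occur anywhere in the most recent previous password. The sample passwords are constructed values.

```python
# Added example: a pre-check for the persistent root password policy listed above.
# This is not code from the VMware Cloud Director Availability appliance; it only
# models the stated rules so an operator can test a candidate before the forced
# change on first login.

MIN_INITIAL_LENGTH = 3   # OVF Deployment wizard: initial password over three characters
MIN_LENGTH = 8           # persistent password: over eight characters
MIN_NEW_CHARS = 4        # more than four new characters compared to the previous password


def check_initial_password(candidate: str) -> list[str]:
    """Violations for the initial root password entered in the OVF Deployment wizard."""
    if len(candidate) <= MIN_INITIAL_LENGTH:
        return [f"must be over {MIN_INITIAL_LENGTH} characters"]
    return []


def check_root_password(candidate: str, previous_passwords: list[str]) -> list[str]:
    """Return the policy violations for a proposed persistent root password.

    An empty list means the candidate passes. Assumptions (the page does not define
    them): 'non-alphabetic characters' means characters that are neither letters nor
    digits, and 'new characters' is counted like pam_pwquality's difok option, i.e.
    characters of the candidate that do not occur in the most recent previous password.
    """
    violations = []
    if len(candidate) <= MIN_LENGTH:
        violations.append(f"must be over {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in candidate):
        violations.append("must contain a digit")
    if not any(c.isupper() for c in candidate):
        violations.append("must contain an upper-case letter")
    if not any(c.islower() for c in candidate):
        violations.append("must contain a lower-case letter")
    if not any(not c.isalnum() for c in candidate):
        violations.append("must contain a non-alphabetic (non-alphanumeric) character")
    if candidate in previous_passwords:
        violations.append("must not match any previous password")
    if previous_passwords:
        last = previous_passwords[-1]
        new_chars = sum(1 for c in candidate if c not in last)
        if new_chars <= MIN_NEW_CHARS:
            violations.append(
                f"only {new_chars} character(s) differ from the previous password; "
                f"more than {MIN_NEW_CHARS} are required"
            )
    return violations


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    history = ["VMware1!"]
    for candidate in ["VMware1!", "VMware12!", "Tr0ub4dor&3xyz!"]:
        problems = check_root_password(candidate, history)
        print(candidate, "->", "OK" if not problems else "; ".join(problems))
```

The "new characters" rule is the one most often tripped over when an operator only appends a digit to the old password: "VMware12!" passes every other rule but differs from "VMware1!" in a single character, so the check rejects it.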

VMware Cloud Director Availability Users

VMware Cloud Director Availability distinguishes administrator users from regular users.

For vSphere DR and migration, VMware Cloud Director Availability supports users who are members of the following groups:

User member of | In the On-Premises to Cloud vCenter Replication Appliance | In the provider vCenter Replication Management Appliance
ADMINISTRATORS group | On-premises ADMINISTRATORS users have complete control. | Provider ADMINISTRATORS users have complete control.
VRUSERS group | On-premises VRUSERS permissions: see below. | Provider VRUSERS permissions: see below.

On-premises VRUSERS have permissions to only:

  • Monitor replications
  • Manage replications
  • Monitor replication tasks
  • Monitor peer sites. Users who are members of VRUSERS can neither modify the existing paired sites nor pair new sites.
Note: Pairing with a provider site requires entering the credentials of a provider user that belongs to the VRUSERS, ADMINISTRATORS or VRADMINISTRATORS group in that provider site. For most tenants, it is recommended to pair by using a user that belongs to the provider VRUSERS group.

In summary, two users are necessary for establishing a pairing from the on-premises site to the provider site: an on-premises ADMINISTRATORS user and a provider VRUSERS user.

Provider VRUSERS have permissions to only:

  • Monitor replications
  • Manage replications
  • Monitor replication tasks
  • Monitor peer sites. Users who are members of VRUSERS can neither pair new sites nor modify the existing paired sites, even for pairings from on-premises sites that use the same provider VRUSERS user for establishing the trust. VRUSERS users have no permission to modify any pairing, regardless of the peer site type.
  • To establish a user session with administrative rights in VMware Cloud Director Availability, the credentials for both the source and the destination sites must belong either to the ADMINISTRATORS or to the VRADMINISTRATORS group. This applies to both vSphere DR and migration and to replications with cloud sites backed by VMware Cloud Director.

    For example, the single sign-on user Administrator@vsphere.local is a member of the ADMINISTRATORS group.

  • In VMware Cloud Director sites, providers manage VMware Cloud Director Availability objects and the local VMware Cloud Director Availability appliances after authenticating as VMware Cloud Director System Administrator users. By default, the System Administrator role has all VMware Cloud Director rights. Users belonging to that role can manage any local and monitor any remote VMware Cloud Director Availability inventory object. To manage VMware Cloud Director Availability objects in the remote site, authenticate as a System Administrator to the remote site.

  • Tenants perform disaster recovery operations and manage the VMware Cloud Director Availability objects after authenticating as:
    • For vSphere DR and migration, as VRUSERS single-sign-on users, tenants can perform disaster recovery operations in the local site, can manage any local VMware Cloud Director Availability object, and can monitor any remote VMware Cloud Director Availability object.
    • In VMware Cloud Director sites, as Organization Administrator users, tenants can perform disaster recovery operations in the local site, can manage any local VMware Cloud Director Availability object, and can monitor any remote VMware Cloud Director Availability object that belongs to the VMware Cloud Director organization. To manage remote VMware Cloud Director Availability objects, authenticate as an Organization Administrator user to the remote site.

For vSphere DR and migration, VMware Cloud Director Availability creates both the VRADMINISTRATORS and the VRUSERS groups in the local vCenter Server instance during the appliance configuration with the vCenter Server Lookup service. In VMware Cloud Director sites, the VRUSERS group is not available and the VRADMINISTRATORS group must be manually created only if custom permissions are needed for vCenter Server.

vSphere Privileges for VMware Cloud Director Availability Administrators

Restricted rights

For vSphere DR and migration, VMware Cloud Director Availability 4.5 and later allow login to the appliance management interface and to the vSphere plug-in by using a monitoring user that is granted limited access to the system. The limited user can neither manage the replications nor the service.

After deployment or after an upgrade, registering the VMware Cloud Director Availability appliance with the vCenter Server Lookup service creates two additional single-sign-on groups in vSphere: VrMonitoringUsers and VrMonitoringAdministrators.

To use the monitoring-only privileges of these groups, create a new single-sign-on user and make that user a member of one of the two groups:

  • VrMonitoringUsers membership allows the users to monitor replications.
  • VrMonitoringAdministrators membership allows the administrators to monitor the replications and the system health.
Ranked from highest to lowest, the user privilege levels are: Read-write administrator > Read-only administrator > Read-write user > Read-only user.

As a provider or an on-premises administrator, grant the least privileges to the roles of the user accounts that register the vCenter Server Lookup service and operate VMware Cloud Director Availability. As a provider, to prevent tenant access to restricted infrastructure items, allow only the following minimum list of privileges, as specified for audit certifications and security compliance of VMware Cloud Director Availability.

When using customized privileges for the service user account, the following privileges must apply to the user that operates with VMware Cloud Director Availability and registers it with the vCenter Server Lookup service:

Cryptographic Operations
  • Cryptographic operations.Manage keys
  • Cryptographic operations.Register host
Datastore Privileges
  • Datastore.Browse
  • Datastore.Configure datastore
  • Datastore.Low level file operations
Extension Privileges
  • Extension.Register extension
  • Extension.Unregister extension
  • Extension.Update extension
Global Privileges
  • Global.Disable methods
  • Global.Enable methods
Host Configuration Privileges
  • Host.Configuration.Connection
Profile-driven Storage Privileges
  • Profile-driven storage.Profile-driven storage view
Resource Privileges
  • Resource.Assign virtual machine to resource pool
Storage Views Privileges
  • StorageViews.View
Virtual Machine Configuration Privileges
  • Virtual machine.Configuration.Add existing disk
  • Virtual machine.Configuration.Change Settings
  • Virtual machine.Configuration.Remove disk
Virtual Machine Inventory Privileges
  • Virtual machine.Inventory.Register
  • Virtual machine.Inventory.Unregister
Virtual Machine Interaction
  • Virtual machine.Interaction.Power Off
  • Virtual machine.Interaction.Power On
Virtual Machine State Privileges
  • Virtual machine.Snapshot management.Create snapshot
  • Virtual machine.Snapshot management.Remove snapshot
HBR Privileges
  • Host.Hbr.HbrManagement
  • VirtualMachine.Hbr.ConfigureReplication
  • VirtualMachine.Hbr.ReplicaManagement
  • VirtualMachine.Hbr.MonitorReplication
Note: After adding a custom role in vSphere, the role is created as a Read Only role with three system-defined privileges:
  • System.Anonymous
  • System.Read
  • System.View

    These privileges are not visible in the vSphere Client but are used to read specific properties of some managed objects. All the predefined roles in vSphere contain these three system-defined privileges.
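A custom role can be checked against the minimum list above before it is handed to the service user. The following is an added example written for this page, not VMware code: it takes a plain list of privilege labels (for instance copied from the role's privilege view in the vSphere Client), reports which required privileges are missing, and, because the text calls for allowing only the minimum list, also reports any privilege beyond that list as a least-privilege finding. The three hidden System.* privileges every role carries are excluded from the excess report. The sample role is constructed.

```python
# Added example: audit a custom vSphere role against the minimum privilege list
# above. This is not VMware code; it works on a plain list of privilege labels as
# they appear in the vSphere Client.

from collections import defaultdict

# Privileges the page lists for the service user, by their vSphere Client labels.
REQUIRED_PRIVILEGES = {
    "Cryptographic operations.Manage keys",
    "Cryptographic operations.Register host",
    "Datastore.Browse",
    "Datastore.Configure datastore",
    "Datastore.Low level file operations",
    "Extension.Register extension",
    "Extension.Unregister extension",
    "Extension.Update extension",
    "Global.Disable methods",
    "Global.Enable methods",
    "Host.Configuration.Connection",
    "Profile-driven storage.Profile-driven storage view",
    "Resource.Assign virtual machine to resource pool",
    "StorageViews.View",
    "Virtual machine.Configuration.Add existing disk",
    "Virtual machine.Configuration.Change Settings",
    "Virtual machine.Configuration.Remove disk",
    "Virtual machine.Inventory.Register",
    "Virtual machine.Inventory.Unregister",
    "Virtual machine.Interaction.Power Off",
    "Virtual machine.Interaction.Power On",
    "Virtual machine.Snapshot management.Create snapshot",
    "Virtual machine.Snapshot management.Remove snapshot",
    "Host.Hbr.HbrManagement",
    "VirtualMachine.Hbr.ConfigureReplication",
    "VirtualMachine.Hbr.ReplicaManagement",
    "VirtualMachine.Hbr.MonitorReplication",
}

# Every vSphere role carries these three hidden privileges; they are not a deviation.
SYSTEM_PRIVILEGES = {"System.Anonymous", "System.Read", "System.View"}


def audit_role(role_privileges) -> dict:
    """Compare a role's privileges with the required set.

    'missing' breaks VMware Cloud Director Availability operation; 'excess' is
    anything beyond the minimum list and therefore a least-privilege finding.
    """
    have = set(role_privileges)
    missing = sorted(REQUIRED_PRIVILEGES - have)
    excess = sorted(have - REQUIRED_PRIVILEGES - SYSTEM_PRIVILEGES)
    return {"missing": missing, "excess": excess, "compliant": not missing and not excess}


def group_by_category(privileges) -> dict:
    """Group privilege labels by their first dotted component for a readable report."""
    groups = defaultdict(list)
    for privilege in privileges:
        groups[privilege.split(".", 1)[0]].append(privilege)
    return dict(groups)


if __name__ == "__main__":
    # Constructed sample role: one required privilege left out, one extra granted.
    sample_role = (REQUIRED_PRIVILEGES - {"Extension.Update extension"}) | {
        "Virtual machine.Interaction.Reset",
        "System.Read",
    }
    result = audit_role(sample_role)
    print("compliant:", result["compliant"])
    print("missing:", group_by_category(result["missing"]))
    print("excess:", group_by_category(result["excess"]))
```

Run it against each site's service role after an upgrade as well as after initial setup, since the privilege list is version-specific and a role that was compliant for an earlier release may lack privileges a newer one requires.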

For information about the roles privileges in vSphere, see Defined Privileges in the vSphere documentation.

VMware Cloud Director Roles Rights

For user permissions, VMware Cloud Director publishes the predefined global tenant roles and the rights they contain to all organizations. System Administrator users can modify the rights and the global tenant roles for an individual organization, and can modify, create, or remove predefined global tenant roles.

For more information, see System Administrator Rights and Rights in Predefined Global Tenant Roles in the VMware Cloud Director documentation.

Restricted rights
VMware Cloud Director Availability 4.5 introduces two rights in VMware Cloud Director for the cloud site:
  • VCDA_MODIFY_RIGHT for a full permission user in VMware Cloud Director Availability.
  • VCDA_VIEW_RIGHT for a read-only user in VMware Cloud Director Availability.

To use these new rights in the cloud site, the System Administrator user must first publish the chosen right in a rights bundle in VMware Cloud Director. These rights cannot be used by on-premises users to log in to the On-Premises to Cloud Director Replication Appliance.

  1. To create a rights bundle or modify an existing one, in VMware Cloud Director, in the left pane under the Tenant Access Control section, click Rights Bundles, then either click Add or select an existing bundle and click Edit.
  2. In the Add Rights Bundle window, under Rights in Bundle, under the Other category, select the right and click Save.
    • VCDA_VIEW_RIGHT
    • VCDA_MODIFY_RIGHT
  3. To publish the rights bundle to all tenants or to specific tenants, select it and click Publish.
  4. In the Publish Rights Bundle window, select the tenants to which to publish the new rights bundle and click Save.
    • Publish to Tenants
    • Publish to All Tenants

After the System Administrator publishes the rights bundle to one or more organizations, these organizations have access to use those rights when accessing VMware Cloud Director Availability in the cloud site.

Read-write rights
VMware Cloud Director Availability allows read-write access to Organization Administrator users or to users whose role is assigned with VCDA_MODIFY_RIGHT.
Read-only rights
In the user interface, all management-related actions remain hidden for read-only users. A tenant user whose role is assigned VCDA_VIEW_RIGHT is restricted to viewing only their own replications and has no permission to modify them.
Conflicting rights
If a user role is assigned conflicting rights, for example both VCDA_READ_RIGHT and Organization Administrator, the user gets read-write access. Similarly, assigning both VCDA_READ_RIGHT and VCDA_MODIFY_RIGHT to the same user role again results in read-write access.
As a result:
  • Read-write users can either have assigned VCDA_MODIFY_RIGHT to their custom role, or use the default Organization Administrator user.
  • Read-only users have assigned VCDA_READ_RIGHT to their role.
  • Assigning both VCDA_READ_RIGHT and either (VCDA_MODIFY_RIGHT or Organization Administrator) to the same role results in read-write rights.
The rights of all the user types that can log in to the Cloud Director Replication Management Appliance are:
  • Read-write tenant users have the same rights as the existing Organization Administrator user and can both manage and monitor only their own replications.
  • Read-only tenant users are introduced with version 4.5 and can only monitor their own replications.
  • Read-write provider users are the current provider login method and can both manage and monitor all replications and the system health.
  • Read-only provider users are introduced with version 4.5 and can only monitor all replications and the system health.

As a prerequisite, for tenant roles that only grant VCDA_MODIFY_RIGHT and are different from the default Organization Administrator role, grant at minimum exactly the following rights in VMware Cloud Director:

  • General: Administrator Control
  • vApp: Edit VM Compute Policy *
  • vApp: Edit VM Properties
  • vApp: Delete
  • vApp: Edit VM Network
  • vApp: Edit Properties
  • vApp: Power Operations
  • vApp: View VM metrics
  • vApp: View ACL
  • Organization: View
  • Organization: Edit Association Settings
  • Organization Network: View
  • Organization vDC Network: View
  • Organization vDC Compute Policy: View
  • Organization vDC: View ACL
  • Access All Organization VDCs
  • Catalog: View Private and Shared Catalogs
  • Catalog: View ACL
  • Organization vDC Named Disk: Delete
  • Organization vDC Named Disk: Create
  • Organization vDC Named Disk: View Properties
  • Organization vDC Named Disk: Edit Properties
  • Organization vDC Gateway: View L2 VPN **
  • Organization vDC Gateway: Configure L2 VPN **
Note:
  • VMware Cloud Director Availability requires every one of the above rights for the correct operation of the VMware Cloud Director tenant user.
  • When using a read-only user for the vRealize Operations Management Pack for Cloud Director Availability, auto-discovery of the VMware Cloud Director Availability address additionally requires the right View Tenant Portal Plugin, shown in the user interface as the UI Plugins: View right.
  • * VMware Cloud Director Availability 4.3 and later require the vApp: Edit VM Compute Policy right that is not part of the Default Rights Bundle.
  • ** In VMware Cloud Director service, to stretch an L2 network to an SDDC in the VMware Cloud™ on AWS, VMware Cloud Director Availability 4.4 and later require both the Organization vDC Gateway: View L2 VPN and the Configure L2 VPN rights that are not part of the Default Rights Bundle.
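The read-write, read-only and conflicting-rights rules, together with the rights bundle publishing step and the prerequisite rights list above, can be expressed as a single access-resolution check. The following is an added example written for this page, not VMware Cloud Director code, and its Organization and TenantUser classes are a simplified model rather than the product's API. It assumes, as the publishing procedure above states, that a right on a role only takes effect for an organization to which the System Administrator has published it in a rights bundle. The page names the read-only right VCDA_VIEW_RIGHT in the bundle procedure and VCDA_READ_RIGHT in the conflicting-rights paragraph; the example uses VCDA_VIEW_RIGHT. The organizations and users are constructed sample data.

```python
# Added example: resolve a tenant user's effective VMware Cloud Director Availability
# access from the rights on the role and the rights bundles published to the
# organization, following the read-write, read-only and conflicting-rights rules.
# Not VMware code; Organization and TenantUser are a simplified model.

from dataclasses import dataclass

VCDA_MODIFY_RIGHT = "VCDA_MODIFY_RIGHT"
VCDA_VIEW_RIGHT = "VCDA_VIEW_RIGHT"      # the read-only right
ORG_ADMIN_ROLE = "Organization Administrator"

# Minimum rights the page requires for a custom tenant role granted VCDA_MODIFY_RIGHT.
TENANT_MODIFY_PREREQUISITES = {
    "General: Administrator Control",
    "vApp: Edit VM Compute Policy", "vApp: Edit VM Properties", "vApp: Delete",
    "vApp: Edit VM Network", "vApp: Edit Properties", "vApp: Power Operations",
    "vApp: View VM metrics", "vApp: View ACL",
    "Organization: View", "Organization: Edit Association Settings",
    "Organization Network: View", "Organization vDC Network: View",
    "Organization vDC Compute Policy: View", "Organization vDC: View ACL",
    "Access All Organization VDCs",
    "Catalog: View Private and Shared Catalogs", "Catalog: View ACL",
    "Organization vDC Named Disk: Delete", "Organization vDC Named Disk: Create",
    "Organization vDC Named Disk: View Properties",
    "Organization vDC Named Disk: Edit Properties",
    "Organization vDC Gateway: View L2 VPN", "Organization vDC Gateway: Configure L2 VPN",
}


@dataclass
class Organization:
    name: str
    published_rights: set    # rights reaching the org through published rights bundles


@dataclass
class TenantUser:
    name: str
    org: Organization
    role: str
    role_rights: set         # rights assigned to the user's role


def effective_access(user: TenantUser) -> str:
    """Return 'read-write', 'read-only' or 'none'.

    Modelling assumption: a right on the role only takes effect once the System
    Administrator has published it to the user's organization in a rights bundle.
    Organization Administrator or VCDA_MODIFY_RIGHT wins over the read-only right,
    which is the conflicting-rights rule.
    """
    if user.role == ORG_ADMIN_ROLE:
        return "read-write"
    usable = user.role_rights & user.org.published_rights
    if VCDA_MODIFY_RIGHT in usable:
        return "read-write"
    if VCDA_VIEW_RIGHT in usable:
        return "read-only"
    return "none"


def missing_prerequisites(user: TenantUser) -> list:
    """Prerequisite rights a custom read-write role still lacks (empty for Org Admin)."""
    if user.role == ORG_ADMIN_ROLE or VCDA_MODIFY_RIGHT not in user.role_rights:
        return []
    return sorted(TENANT_MODIFY_PREREQUISITES - user.role_rights)


if __name__ == "__main__":
    # Constructed sample data.
    acme = Organization("acme", {VCDA_VIEW_RIGHT, VCDA_MODIFY_RIGHT})
    beta = Organization("beta", set())   # no rights bundle published yet
    users = [
        TenantUser("ops", acme, "DR Operator",
                   {VCDA_MODIFY_RIGHT, VCDA_VIEW_RIGHT} | TENANT_MODIFY_PREREQUISITES),
        TenantUser("auditor", acme, "DR Viewer", {VCDA_VIEW_RIGHT}),
        TenantUser("ops2", beta, "DR Operator", {VCDA_MODIFY_RIGHT}),
        TenantUser("admin", acme, ORG_ADMIN_ROLE, {VCDA_VIEW_RIGHT}),
    ]
    for user in users:
        print(user.name, user.org.name, effective_access(user), missing_prerequisites(user))
```

The "ops2" case is the one worth noticing when a custom role appears not to work: the role carries VCDA_MODIFY_RIGHT, but nothing has been published to its organization, so the user resolves to no access until the rights bundle publishing step is completed.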

VMware Cloud Director Availability Users Sessions Extension

Each VMware Cloud Director Availability user session must have a VMware Cloud Director user and a VMware Cloud Director organization associated with the session.

For more information about the sessions and authenticating to remote sites, see Extended Session Authentication in the User Guide.

The following table shows the Cloud Service disaster recovery operations that require an extension of the user session.

Operation | Incoming Replication: Required Session on Source Site | Incoming Replication: Required Session on Destination Site | Outgoing Replication: Required Session on Source Site | Outgoing Replication: Required Session on Destination Site
start | Yes | Yes | Yes | Yes
stop | No | Yes | Yes | Yes
reconfigure | No | Yes | Yes | Yes
failover | No | Yes | Yes | Yes
migrate | Yes | Yes | Yes | Yes
sync | No | Yes | Yes | Yes
pause | No | Yes | Yes | Yes
resume | No | Yes | Yes | Yes
reverse | Yes | Yes | Yes | Yes
failover test | No | Yes | Yes | Yes
failover test cleanup | No | Yes | Yes | Yes