VMware Cloud Director Availability requires the following exact privileges, roles, and rights for its specific users, and establishes the following sessions for performing disaster recovery (DR) operations.

VMware Cloud Director Availability Appliance root User Account

VMware Cloud Director Availability uses the root user account for access to both the virtual appliance console and the management interface. The initial deployment of each VMware Cloud Director Availability appliance sets up this account. The OVF Deployment wizard requires an initial password for the root user account, which must be over three characters long. After the initial deployment, VMware Cloud Director Availability forces a change of this initial password on the first login as the root user, with the following requirements for the persistent root user account password.
  • The password must be over eight characters.
  • The password must contain digits, upper and lower case letters, and non-alphabetic characters.
  • The password cannot match any previous password.
  • The password must contain more than four new characters compared to the previous password.

VMware Cloud Director Availability Users

VMware Cloud Director Availability distinguishes users with administrative rights from regular users.

  • Groups in the vCenter single sign-on domain:
    To establish a user session with administrator rights in VMware Cloud Director Availability, the credentials for both the source and the destination sites must belong to either the ADMINISTRATORS or the VRADMINISTRATORS group. This applies to both types of deployment:
    • For vSphere DR and migration between vCenter Server sites.
    • For replications with cloud sites backed by VMware Cloud Director.

    For example, the single sign-on user [email protected] is a member of the ADMINISTRATORS group.

    Specifically for vSphere DR and migration, VMware Cloud Director Availability supports users who are members of the following two groups. The effect of each group membership is listed for the On-Premises to Cloud vCenter Replication Appliance and for the provider vCenter Replication Management Appliance.

    ADMINISTRATORS group:
    • In the On-Premises to Cloud vCenter Replication Appliance: On-premises ADMINISTRATORS users allow complete control.
    • In the provider vCenter Replication Management Appliance: Provider ADMINISTRATORS users allow complete control.

    VRUSERS group:

    In the On-Premises to Cloud vCenter Replication Appliance, on-premises VRUSERS have permissions to only:

    • Monitor replications
    • Manage replications
    • Monitor replication tasks
    • Monitor peer sites. Users who are members of VRUSERS can neither modify the existing paired sites nor pair new sites.
    Note: Pairing with a provider site requires entering a provider user that belongs to the VRUSERS, ADMINISTRATORS, or VRADMINISTRATORS group in that provider site. For most tenants, it is recommended to pair by using a user that belongs to the provider VRUSERS group.

    In summary, two users are necessary for establishing a pairing from the on-premises site to the provider site: an on-premises ADMINISTRATORS user and a provider VRUSERS user.

    In the provider vCenter Replication Management Appliance, provider VRUSERS have permissions to only:

    • Monitor replications
    • Manage replications
    • Monitor replication tasks
    • Monitor peer sites. Users who are members of VRUSERS can neither pair new sites nor modify the existing paired sites, even for pairings from on-premises sites that use the same provider VRUSERS user for establishing the trust. VRUSERS users have no permission to modify any pairings, regardless of the peer site type.
  • VMware Cloud Director organization users:
    In Cloud Director sites, the providers manage VMware Cloud Director Availability objects and the local VMware Cloud Director Availability appliances after authenticating as VMware Cloud Director System Administrator users. By default, the System Administrator role has all VMware Cloud Director rights. Users belonging to that role can manage any local and monitor any remote VMware Cloud Director Availability inventory object. From the local site, to manage remote VMware Cloud Director Availability objects, authenticate as a System Administrator to the remote site.
  • Tenant users:
    Tenants perform disaster recovery operations and manage the VMware Cloud Director Availability objects after authenticating as:
    • For vSphere DR and migration, as single-sign-on users belonging to the VRUSERS group, the tenants can perform disaster recovery operations in the local site, can manage any local VMware Cloud Director Availability object, and can monitor any remote VMware Cloud Director Availability object.
    • In Cloud Director sites, as Organization Administrator users, tenants can perform disaster recovery operations in the local site, can manage any local VMware Cloud Director Availability object, and can monitor any remote VMware Cloud Director Availability object that belongs to the VMware Cloud Director organization. From the local site, to manage remote VMware Cloud Director Availability objects, authenticate as an Organization Administrator user to the remote site.

      On-premises, for VMware Cloud Director Availability vSphere Client Plug-In authentication since version 4.5, once configured with vCenter Server Lookup service, the On-Premises to Cloud Director Replication Appliance creates the VrOnpremUsers group. Membership of this group allows access to the VMware Cloud Director Availability vSphere Client Plug-In. In previous versions, the tenants authenticate to the VMware Cloud Director Availability vSphere Client Plug-In as a user who is a member of the Administrators group.

For vSphere DR and migration, VMware Cloud Director Availability creates both the VRADMINISTRATORS and the VRUSERS groups in the local vCenter Server instance during the appliance configuration with the vCenter Server Lookup service. In VMware Cloud Director sites, the VRUSERS group is not available and the VRADMINISTRATORS group must be manually created only if custom permissions are needed for vCenter Server.

vSphere Privileges for VMware Cloud Director Availability Administrators

Restricted rights for vSphere DR and migration:
For vSphere DR and migration, VMware Cloud Director Availability 4.5 and later allow login to the appliance management interface and to the vSphere plug-in by using a monitoring user granted with limited access to the system. The limited user can neither manage the replications nor the service.

After deployment or post-upgrade, registering the VMware Cloud Director Availability appliance with the vCenter Server Lookup service creates two additional single-sign-on groups in vSphere: VrMonitoringUsers and VrMonitoringAdministrators.

To use the monitoring-only privileges of these groups, create a new single-sign-on user and make that user a member of one of the two groups:

  • VrMonitoringUsers membership allows the users to monitor replications.
  • VrMonitoringAdministrators membership allows the administrators to monitor the replications and the system health.
The user privileges are as follows from highest to lowest: Read-write administrator > Read-only administrator > Read-write user > Read-only user.

As a provider or an on-premises administrator, allow the least privileges for the roles of the user accounts that register the vCenter Server Lookup service and operate VMware Cloud Director Availability. As a provider, to prevent tenant access to restricted infrastructure items, allow only the following minimum list of privileges, as specified for audit certifications and security compliance of VMware Cloud Director Availability.

When using customized privileges for the service user account, the following privileges must apply to the user that operates with VMware Cloud Director Availability and registers it with the vCenter Server Lookup service:

Cryptographic operations:
  • Cryptographic operations.Manage keys
  • Cryptographic operations.Register host
Datastore privileges:
  • Datastore.Browse
  • Datastore.Configure datastore
  • Datastore.Low level file operations
Extension privileges:
  • Extension.Register extension
  • Extension.Unregister extension
  • Extension.Update extension
Global privileges:
  • Global.Disable methods
  • Global.Enable methods
Host configuration privileges:
  • Host.Configuration.Connection
Profile-driven storage privileges:
  • Profile-driven storage.Profile-driven storage view
Resource privileges:
  • Resource.Assign virtual machine to resource pool
Storage views privileges:
  • StorageViews.View
Virtual machine configuration privileges:
  • Virtual machine.Configuration.Add existing disk
  • Virtual machine.Configuration.Change Settings
  • Virtual machine.Configuration.Remove disk
Virtual machine inventory privileges:
  • Virtual machine.Inventory.Register
  • Virtual machine.Inventory.Unregister
Virtual machine interaction:
  • Virtual machine.Interaction.Power Off
  • Virtual machine.Interaction.Power On
Virtual machine state privileges:
  • Virtual machine.Snapshot management.Create snapshot
  • Virtual machine.Snapshot management.Remove snapshot
HBR privileges:
  • Host.Hbr.HbrManagement
  • VirtualMachine.Hbr.ConfigureReplication
  • VirtualMachine.Hbr.ReplicaManagement
  • VirtualMachine.Hbr.MonitorReplication
Note: After adding a custom role in vSphere, the role is created as a Read Only role with three system-defined privileges:
  • System.Anonymous
  • System.Read
  • System.View

    These privileges are not visible in the vSphere Client but are used to read specific properties of some managed objects. All the predefined roles in vSphere contain these three system-defined privileges.

For information about the role privileges in vSphere, see Defined Privileges in the vSphere documentation.
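
The following added example (not VMware code) audits a custom vSphere role against the minimum privilege list above, reporting privileges that are missing and privileges that exceed the minimum. The privilege names are copied from this page; the function name, the exact-match comparison and the sample role are assumptions made for illustration.

```python
# Added example: least-privilege audit of a custom vSphere role against the
# minimum privilege list on this page. Names are matched exactly as listed here.
REQUIRED_BY_GROUP = {
    "Cryptographic operations": ["Manage keys", "Register host"],
    "Datastore": ["Browse", "Configure datastore", "Low level file operations"],
    "Extension": ["Register extension", "Unregister extension", "Update extension"],
    "Global": ["Disable methods", "Enable methods"],
    "Host.Configuration": ["Connection"],
    "Profile-driven storage": ["Profile-driven storage view"],
    "Resource": ["Assign virtual machine to resource pool"],
    "StorageViews": ["View"],
    "Virtual machine.Configuration": ["Add existing disk", "Change Settings", "Remove disk"],
    "Virtual machine.Inventory": ["Register", "Unregister"],
    "Virtual machine.Interaction": ["Power Off", "Power On"],
    "Virtual machine.Snapshot management": ["Create snapshot", "Remove snapshot"],
    "Host.Hbr": ["HbrManagement"],
    "VirtualMachine.Hbr": ["ConfigureReplication", "ReplicaManagement", "MonitorReplication"],
}
REQUIRED = {f"{group}.{name}" for group, names in REQUIRED_BY_GROUP.items() for name in names}

# Part of every custom role and not visible in the vSphere Client,
# so these are never reported as excess.
SYSTEM_DEFINED = {"System.Anonymous", "System.Read", "System.View"}


def audit_role(granted):
    """Return (missing, excess) sorted lists for a role's granted privilege names."""
    granted = {p.strip() for p in granted if p.strip()}
    missing = sorted(REQUIRED - granted)                   # operations would fail
    excess = sorted(granted - REQUIRED - SYSTEM_DEFINED)   # beyond the stated minimum
    return missing, excess


# Constructed sample role: lacks one HBR privilege and carries one extra privilege.
SAMPLE_ROLE = (
    (REQUIRED - {"VirtualMachine.Hbr.MonitorReplication"})
    | SYSTEM_DEFINED
    | {"Datastore.Remove datastore"}
)

if __name__ == "__main__":
    missing, excess = audit_role(SAMPLE_ROLE)
    print("missing:", missing)
    print("excess:", excess)
```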

VMware Cloud Director Roles Rights

For user permissions, VMware Cloud Director publishes the predefined global tenant roles and the rights they contain to all organizations. System Administrator users can modify the rights and the global tenant roles from an individual organization. System Administrator users can modify, create, or remove predefined global tenant roles. For more information, see System Administrator Rights and Rights in Predefined Global Tenant Roles in the VMware Cloud Director documentation.

Restricted rights for Cloud Director sites:
VMware Cloud Director Availability 4.5 and later introduce two rights for the cloud site in VMware Cloud Director, according to its version:
| User permissions in VMware Cloud Director Availability | VMware Cloud Director 10.4 and earlier | VMware Cloud Director 10.5 and later |
| --- | --- | --- |
| Full permission user: | VCDA_MODIFY_RIGHT | View and manage replications |
| Read-only user: | VCDA_VIEW_RIGHT | View replications |

To use these new rights in the cloud site, first the System Administrator user must publish the chosen right in a rights bundle in VMware Cloud Director. These rights cannot be used for on-premises users to log in to the On-Premises to Cloud Director Replication Appliance.

  1. To create or modify an existing rights bundle, in VMware Cloud Director, in the left pane under the Tenant Access Control section click Rights Bundles then click Add or select an existing bundle and click Edit.
  2. In the Add Rights Bundle window, under Rights in Bundle, under the Other category, select the right, according to the version of VMware Cloud Director as per the above table, then click Save.
    • VCDA_VIEW_RIGHT or View replications
    • VCDA_MODIFY_RIGHT or View and manage replications
  3. To publish the rights bundle to all tenants or to specific tenants, select it and click Publish.
  4. In the Publish Rights Bundle window, select the tenants to which to publish the new rights bundle and click Save.
    • Publish to Tenants
    • Publish to All Tenants

After the System Administrator publishes the rights bundle to one or more organizations, these organizations have access to use those rights when accessing VMware Cloud Director Availability in the cloud site.

Read-write rights:
VMware Cloud Director Availability allows read-write access to Organization Administrator users or to users whose role is assigned with VCDA_MODIFY_RIGHT or View and manage replications.
Read-only rights:
In the user interface, all management-related actions remain hidden for read-only users. A tenant user whose role is assigned with VCDA_VIEW_RIGHT or View replications is restricted to only viewing their own replications and has no permissions to modify.
Conflicting rights:
If a user role is assigned with conflicting rights, for example, both VCDA_VIEW_RIGHT or View replications and Organization Administrator, the result is read-write access for that user. Similarly, assigning both VCDA_VIEW_RIGHT or View replications and VCDA_MODIFY_RIGHT or View and manage replications to the same user role again results in read-write access.
As a result:
  • Read-write users either have VCDA_MODIFY_RIGHT or View and manage replications assigned to their custom role, or use the default Organization Administrator user.
  • Read-only users have VCDA_VIEW_RIGHT or View replications assigned to their role.
  • Assigning both VCDA_VIEW_RIGHT or View replications and either (VCDA_MODIFY_RIGHT or View and manage replications or Organization Administrator) to the same role results in read-write rights.
The rights of all the users that can log in to the Cloud Director Replication Management Appliance:
  • Read-write tenant users have the same rights as the existing Organization Administrator user and can both manage and monitor only their own replications.
  • Read-only tenant users are introduced with version 4.5 and can only monitor their own replications.
  • Read-write provider users are the current provider login method and can both manage and monitor all replications and the system health.
  • Read-only provider users are introduced with version 4.5 and can only monitor all replications and the system health.
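
The following added example (not VMware code) applies the read-write, read-only and conflicting-rights rules above to a set of tenant roles and flags the roles that carry a view right yet resolve to read-write access. The right names and the Organization Administrator role name are from this page; the function names and the sample roles are constructed for illustration.

```python
# Added example: resolve the VMware Cloud Director Availability access level of
# tenant roles by the rules on this page, and flag conflicting assignments.
ORG_ADMIN_ROLE = "Organization Administrator"
# Each right is shown under one of two names, depending on the
# VMware Cloud Director version (10.4 and earlier, 10.5 and later).
MODIFY_RIGHTS = {"VCDA_MODIFY_RIGHT", "View and manage replications"}
VIEW_RIGHTS = {"VCDA_VIEW_RIGHT", "View replications"}


def effective_access(role_name, rights):
    """Return 'read-write', 'read-only' or 'none' for one role."""
    rights = set(rights)
    if role_name == ORG_ADMIN_ROLE or rights & MODIFY_RIGHTS:
        return "read-write"   # wins over any view right on the same role
    if rights & VIEW_RIGHTS:
        return "read-only"
    return "none"


def conflicting_roles(roles):
    """Names of roles that hold a view right but still resolve to read-write."""
    return sorted(
        name for name, rights in roles.items()
        if set(rights) & VIEW_RIGHTS and effective_access(name, rights) == "read-write"
    )


# Constructed sample: role name -> rights assigned to that role.
SAMPLE_ROLES = {
    "Organization Administrator": {"VCDA_VIEW_RIGHT"},
    "dr-operator": {"View and manage replications"},
    "dr-auditor": {"View replications"},
    "dr-auditor-legacy": {"VCDA_VIEW_RIGHT", "VCDA_MODIFY_RIGHT"},
    "vapp-user": {"vApp: Power Operations"},
}

if __name__ == "__main__":
    for name, rights in SAMPLE_ROLES.items():
        print(f"{name}: {effective_access(name, rights)}")
    print("view right present but read-write:", conflicting_roles(SAMPLE_ROLES))
```

A role reported by conflicting_roles was probably meant to be read-only, so review it before publishing the rights bundle.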

As a prerequisite, for tenant roles that only grant the VCDA_MODIFY_RIGHT or View and manage replications and are different from the default Organization Administrator, in VMware Cloud Director at minimum grant exactly the following rights:

  • General: Administrator Control
  • vApp: Edit VM Compute Policy *
  • vApp: Edit VM Properties
  • vApp: Delete
  • vApp: Edit VM Network
  • vApp: Edit Properties
  • vApp: Power Operations
  • vApp: View VM metrics
  • vApp: View ACL
  • Organization: View
  • Organization: Edit Association Settings
  • Organization Network: View
  • Organization vDC Network: View
  • Organization vDC Compute Policy: View
  • Organization vDC: View ACL
  • Access All Organization VDCs
  • Catalog: View Private and Shared Catalogs
  • Catalog: View ACL
  • Organization vDC Named Disk: Delete
  • Organization vDC Named Disk: Create
  • Organization vDC Named Disk: View Properties
  • Organization vDC Named Disk: Edit Properties
  • Organization vDC Gateway: View L2 VPN **
  • Organization vDC Gateway: Configure L2 VPN **
Note:
  • VMware Cloud Director Availability requires each and all of the above rights for the correct operation of the VMware Cloud Director tenant user.
  • For the VMware Aria Operations Management Pack for Cloud Director Availability to be able to use auto-discovery of the VMware Cloud Director Availability address, when using a read-only user for the management pack, you must also add the right View Tenant Portal Plugin, shown in the user interface as UI Plugins: View right.
  • * VMware Cloud Director Availability 4.3 and later require the vApp: Edit VM Compute Policy right that is not part of the Default Rights Bundle.
  • ** In VMware Cloud Director service, to stretch an L2 network to an SDDC in the VMware Cloud™ on AWS, VMware Cloud Director Availability 4.4 and later require both the Organization vDC Gateway: View L2 VPN and the Configure L2 VPN rights that are not part of the Default Rights Bundle.

VMware Cloud Director Availability Users Sessions Extension

In Cloud Director sites, each VMware Cloud Director Availability user session must have a VMware Cloud Director user and a VMware Cloud Director organization associated with the session. For more information about the sessions and authenticating to remote sites, see Extended Session Authentication in the User Guide.

See the Cloud Service disaster recovery operations that require an extension of the user session in the following table:

| Operation | Incoming Replication: Required Session on Source Site | Incoming Replication: Required Session on Destination Site | Outgoing Replication: Required Session on Source Site | Outgoing Replication: Required Session on Destination Site |
| --- | --- | --- | --- | --- |
| start | Yes | Yes | Yes | Yes |
| stop | No | Yes | Yes | Yes |
| reconfigure | No | Yes | Yes | Yes |
| failover | No | Yes | Yes | Yes |
| migrate | Yes | Yes | Yes | Yes |
| sync | No | Yes | Yes | Yes |
| pause | No | Yes | Yes | Yes |
| resume | No | Yes | Yes | Yes |
| reverse | Yes | Yes | Yes | Yes |
| failover test | No | Yes | Yes | Yes |
| failover test cleanup | No | Yes | Yes | Yes |