When you activate VMware Site Recovery at VMware Cloud on AWS, the permissions for the VMC.LOCAL\CloudAdminGroup group are automatically configured.
You can use the email@example.com account or any other direct member or transitive member of VMC.LOCAL\CloudAdminGroup to work with Site Recovery Manager and vSphere Replication at VMware Cloud on AWS.
- Read-only access to Mgmt-ResourcePool, the Management VMs folder, vsanDatastore, and networks in the VMC Networks folder, because VMware Cloud on AWS handles the lifecycle of all management components in the SDDC.
- Access with the CloudAdmin role to any non-management part of the vCenter Server inventory, such as Compute-ResourcePool, the Workloads and Templates VM folders, WorkloadDatastore, and networks outside of the VMC Networks folder. For more information about the CloudAdmin role, see Roles and Permissions in the SDDC in the VMware Cloud on AWS Operations Guide.
When activated, VMware Site Recovery configures permissions for the VMC.LOCAL\SRM Administrators group and the VMC.LOCAL\HmsCloudAdministrators group with the roles SrmAdministrator and HmsCloudAdmin, on the same entities for which VMC.LOCAL\CloudAdminGroup has permissions with the role CloudAdmin. VMware Site Recovery adds VMC.LOCAL\CloudAdminGroup as a member of both the VMC.LOCAL\SRM Administrators and the VMC.LOCAL\HmsCloudAdministrators groups. As a result, any direct or transitive member of the VMC.LOCAL\CloudAdminGroup group can work with Site Recovery Manager and vSphere Replication.
Defining extra permissions for any group or individual user on any part of the vCenter Server inventory overrides this configuration. The override leaves in effect only the single role given in that permission, so the group or individual user can no longer use Site Recovery Manager and vSphere Replication, and operations fail with the error 'Permission to perform this operation was denied.'
The recommended way to combine privileges from the SrmAdministrator and HmsCloudAdmin roles is through group membership: make the user or group a member of the VMC.LOCAL\CloudAdminGroup group, so that it inherits the permissions of the VMC.LOCAL\SRM Administrators group and the VMC.LOCAL\HmsCloudAdministrators group.
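The override described above can be reproduced with a simplified model of how vCenter Server resolves effective permissions. This is an added example, not VMware code: the users alice and bob, the inventory paths, and the privilege labels are constructed, and the three resolution rules in the comments are the modelling assumptions.

```python
# Simplified model of vCenter effective-permission resolution (added example).
# Assumed rules: (1) the closest object in the hierarchy that carries an
# applicable permission wins; (2) on that object, a permission set on the user
# itself beats group permissions; (3) otherwise the roles of all matching
# groups on that object are unioned.

ROLES = {  # constructed privilege labels, not real vSphere privilege IDs
    "CloudAdmin": {"vm.manage"},
    "SrmAdministrator": {"srm.recovery"},
    "HmsCloudAdmin": {"hms.replication"},
}

MEMBER_OF = {  # principal -> groups it is a direct member of
    "CloudAdminGroup": {"SRM Administrators", "HmsCloudAdministrators"},
    "alice": {"CloudAdminGroup"},  # constructed users
    "bob": {"CloudAdminGroup"},
}

def principals(user):
    """Return the user plus every direct and transitive group."""
    seen, stack = set(), [user]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(MEMBER_OF.get(p, ()))
    return seen

def effective_privileges(user, path, permissions):
    """permissions: list of (object_path, principal, role), all propagating."""
    groups = principals(user) - {user}
    parts = path.strip("/").split("/")
    for depth in range(len(parts), 0, -1):  # object itself, then ancestors
        obj = "/" + "/".join(parts[:depth])
        here = [(p, r) for o, p, r in permissions if o == obj]
        roles = [r for p, r in here if p == user] or \
                [r for p, r in here if p in groups]
        if roles:
            return set().union(*(ROLES[r] for r in roles))
    return set()

# Configuration created at activation (constructed inventory path).
DEFAULT = [
    ("/SDDC/Workloads", "CloudAdminGroup", "CloudAdmin"),
    ("/SDDC/Workloads", "SRM Administrators", "SrmAdministrator"),
    ("/SDDC/Workloads", "HmsCloudAdministrators", "HmsCloudAdmin"),
]
# Same configuration plus one extra permission defined directly for bob.
EXTRA = DEFAULT + [("/SDDC/Workloads/App1", "bob", "CloudAdmin")]
```

With `DEFAULT`, both users hold all three privilege sets on `/SDDC/Workloads/App1`; with `EXTRA`, bob is reduced to the CloudAdmin role on that folder, while alice, who relies only on group membership, is unaffected.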
If you use identity provider federation and your own domain, you must use Hybrid Linked Mode to add the relevant groups as members of VMC.LOCAL\CloudAdminGroup, so that they can use Site Recovery Manager and vSphere Replication.