You use a service account for authentication and authorization of Site Recovery Manager to vCenter Server for orchestrated disaster recovery of the SDDC.

Table 1. Design Decisions about Authorization and Authentication Management for Site Recovery Manager and vSphere Replication

Decision ID

Design Decision

Design Justification

Design Implication

SDDC-OPS-DR-007

Configure a service account svc-srm in vCenter Server for application-to-application communication from Site Recovery Manager with vSphere.

Provides the following access control features:

  • Site Recovery Manager accesses vSphere with the minimum set of permissions that are required to perform disaster recovery failover orchestration and site pairing.

  • In the event of a compromised account, the accessibility in the destination application remains restricted.

  • You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.

You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability.

SDDC-OPS-DR-008

Use global permissions when you create the svc-srm service account in vCenter Server.

  • Simplifies and standardizes the deployment of the service account across all vCenter Server instances in the same vSphere domain.

  • Provides a consistent authorization layer.

  • If you deploy more Site Recovery Manager instances, reduces the efforts in connecting them to the vCenter Server instances.

All vCenter Server instances must be in the same vSphere domain.