How
Site
Recovery Manager Handles Permissions
Site
Recovery Manager
Handles PermissionsSite
Recovery Manager
determines whether a user has permission to
perform an operation, such as configuring protection or running the individual
steps in a recovery plan. This permission check ensures the correct
authentication of the user, but it does not represent the security context in
which the operation is performed.
Site
Recovery Manager
performs operations in the security context of the user
ID that is used to connect the sites, or in the context of the ID under which
the
Site
Recovery Manager
service is running, for example, the local system ID.
After
Site
Recovery Manager
verifies that a user has the appropriate permissions on
the target vSphere resources,
Site
Recovery Manager
performs operations on behalf of users by using the
vSphere administrator role.
For operations that configure
protection on virtual machines,
Site
Recovery Manager
validates the user permissions when the user requests the
operation. Operations require two phases of validation.
- During configuration,Site Recovery Managerverifies that the user configuring the system has the correct permissions to complete the configuration on thevCenter Serverobject. For example, a user must have permission to protect a virtual machine and use resources on the secondaryvCenter Serverinstance that the recovered virtual machine uses.
- The user performing the configuration must have the correct permissions to complete the task that they are configuring. For example, a user must have permissions to run a recovery plan.Site Recovery Managerthen completes the task on behalf of the user as avCenter Serveradministrator.
As a result, a user who
completes a particular task, such as a recovery, does not necessarily require
permissions to act on vSphere resources. The user only requires the permission
to run a recovery in
Site
Recovery Manager
.
Site
Recovery Manager
performs the operations by using the user credentials
that you provide when you connect the protected and recovery sites.
Site
Recovery Manager
maintains a database of permissions for internal
Site
Recovery Manager
objects that uses a model similar to the one the
vCenter Server
uses.
Site
Recovery Manager
verifies its own
Site
Recovery Manager
privileges even on
vCenter Server
objects. For example,
Site
Recovery Manager
checks for the
permission on the target datastore rather than
checking multiple low-level permissions, such as
Allocate
space
.
Site
Recovery Manager
also verifies the permissions on the remote
vCenter Server
instance.
To use
.
Site
Recovery Manager
with
vSphere
Replication
, you must assign
vSphere
Replication
roles to users as well as
Site
Recovery Manager
roles. For information about
vSphere
Replication
roles, see
vSphere
Replication
Administration