VMware SRM 5.0 Permissions Controls

While performing lab testing we came across strange behavior, which we discussed with VMware.
Just sharing with everyone.

Setup
We have an SRM 5.0 setup on vSphere 5.0.
We did the initial pairing using the Administrator account.
We created a customised Recovery.Admin account to perform failover.

Behavior
When we initiate a Test Failover using the Recovery.Admin account, it logs that it was initiated by Administrator.
Administrator is the account which was used to perform the initial pairing of the sites.
We were not sure whether this is normal behavior or not, so we escalated to our point of contact at VMware.

VMware Response
“In the prior release SRM would actually do everything in VC on behalf of the logged in user. This allowed fine granular permission controls in VC but proved to be extremely cumbersome to set up: SRM needs many very specific permissions on very specific objects just to be able to run a failover. If the administrator does not get it right, the recovery plan will fail, which is not good for RTO. Thus, in SRM 5.0 we decided to check our own permissions and override all VC permissions by doing everything under the admin user. This simplifies the setup and allows more logical permission control. If I have a permission to run a recovery plan, it should not matter whether or not I have a permission to write to a datastore.”
