Stage 1: Examine current account permissions
- Ensure that the Site Recovery Manager Managed Object Browser is enabled.
- Open the SRM MOB
- For Windows-based SRM use https://<SRM-fqdn|IP>:9086/mob where 9086 is the default port that the SRM service is listening.
- For the SRM virtual appliance use https://<SRM-fqdn|IP>:443/mob.
- Log into MOB using vCenter administrator credentials.
- Review the current permissions by navigating to the permissions section of the MOB.
- In the Properties table, select the permission link.
- Look for the specific user you are concerned with. Note the roleId value set for that user.NOTE: The entity is of type "DrServiceInstance" and the roleId is "-1"
- There are lots or roleIds defined in vCenter. Identify which roleId you need to set for a specific user:
- Connect to ihttps://<vCenter FQDN or IP>/mob
- Under the Properties table, select the content link
- Select the AuthorizationManager link
- Select the roleList link
- You see a list of all vCenter roles with roleIDs, These roles match those visible in the vCenter, Administration, Role UI.
- Note the roleID value matching the role you want the user to possess.
Note: In this example, SRM specific roles could be seen with roleIds range [1101, 1106] This may not be the case for your environment as it depends on which other solutions are installed in your environment.
Stage 2: Create a new user
- Return to the SRM MOB home page.
- Select the content link by DrServiceInstanceContent as shown..
- Select the DrAuthorizationManager link.
- Select the DrSetEntityPermissions link to invoke that method.
- The following dialog box will popup:
- Modify the items In this dialog box to suit your need:
- Set the MOID in both the entity and permission sections to be the same. If working with a global permission set the MOID to "DrServiceInstance" as seen for the other users in step 4 of Stage 1.
- Set the principle in the permission section to the account you are setting the permissions on in the DOMAIN\User format.
- If the principle is a domain group, set the group tag to true, else leave it as false.
- If all child entities have the same permissions, set the propagate flag to true. For example, if you set permission for SRM root object “DrServiceInstance” then this flag must be true so this permission will be global and applied on all SRM objects like Protection Group, Recovery Plans and folders. This matches the meaning of the same parameter seen through the disaster recovery UI.
- Set roleId to the integer number representing desired the role (as identified in step 5 of Stage 1). Such as, ‘Administrators’, ‘ReadOnly-Access’ and so forth. Example:, ‘-1’ represents the vCenter Administrator role with full access rights and ‘1101’ represents the SRM Administrator Role.
- When finished, select the Invoke Method link.
- If the result is successful ti will display the message "Method Invocation Result: void"
Example:
How to set SRM global permission for a Recovery Admin user:
We will use principal VSPHERE.LOCAL\nonadminuser for which we want to set a global permission with “SRM Recovery Administrator” role which means this user will be able to run Recovery Plans only and won’t be able to perform any configuration changes.
For this purpose we need to set the following parameters for
ManagedObjectReference:DrManagedEntity method:
<entity type="DrManagedEntity">DrServiceInstance</entity>
DrSetEntityPermissions method:
<entity type="DrManagedEntity">DrServiceInstance</entity>
<principal>VSPHERE.LOCAL\nonadminuser</principal>
<group>false</group>
<roleId>1105</roleId>
<propagate>true</propagate>
Or as shown below:
As described above this can be confirmed in the SRM permissions pane of the UI: