Granting AD users DRaaS permissions
Article ID: 329601


Products

VMware Cloud on AWS

Issue/Introduction

Specific steps are needed, in a VSR deployment, in order to successfully provide AD user sessions with the permissions needed to manage VSR. This KB gathers together the steps from the documentation that are specific to this use case.

Symptoms:
 
  • Disaster Recovery as a Service (DRaaS) using VMware Site Recovery (VSR), both Site Recovery Manager (SRM) and vSphere Replication
  • VMware Cloud (VMC)
  • Amazon Web Services (AWS)

When an AD user account is used to perform a VSR operation, the operation may fail with a message similar to the following in the GUI:

ERROR
Operation Failed
Permission to perform this operation was denied.
You do not hold privilege ...

Resolution

The linked documents provide more detail; the steps needed for this use case are summarized below.

Note: These instructions also work with cloud-to-cloud VSR deployments. For that use case, wherever the steps below say 'on-premises', treat it as the site where your AD is managed. If both of your SDDCs are version 1.12 or later, you can instead link your vCenters by following: Use vCenter Linking in an SDDC Group

The following document describes two options for configuring Hybrid Linked Mode. Only one of these options can be used at a time.

Configuring Hybrid Linked Mode
 
  • You can install the Cloud Gateway Appliance and use it to link from your on-premises data center to your cloud SDDC.
  • You can link your VMware Cloud on AWS SDDC to your on-premises vCenter Server. In this case, you must add an identity source to the SDDC LDAP domain.

The Cloud Gateway Appliance is not compatible with DRaaS, so the first option must not be used.

Configuring Hybrid Linked Mode from the Cloud SDDC

As an alternative to using the Cloud Gateway Appliance, you can configure Hybrid Linked Mode from the cloud SDDC.

In this case, you use your cloud SDDC's vSphere Client to view and manage your complete inventory. When you link from the cloud SDDC, you can link only one on-premises domain.

Add an Identity Source to the SDDC LDAP Domain

The first step toward configuring Hybrid Linked Mode from your SDDC is to add your on-premises LDAP domain as an identity source for the SDDC vCenter Server.

When the identity source is added, on-premises users can authenticate to the SDDC, but have the "No access" role. Add permissions for a group of users to give them the Cloud Administrator role.

Link to an On-Premises Data Center
 
  1. Log in to the vSphere Client for your SDDC -> Menu -> Administration to display the Administration page.
  2. Under Hybrid Cloud, select Linked Domains.
  3. Connect to the on-premises Platform Services Controller.

On-premises AD groups that are added to the SDDC vCenter CloudAdmin role will also inherit the permissions needed to manage VSR.

Hybrid Linked Mode Prerequisites
 
  1. Decide which of your on-premises users will have Cloud Administrator permissions.
  2. Add these users to a group within your identity source.
  3. Ensure that this group has access to your on-premises environment.
  4. In the SDDC vCenter -> Menu -> Administration -> Access Control -> Global Permissions -> add the AD group to the CloudAdmin role.

Now, when you log in to the SDDC vCenter with one of those AD user accounts, you will have the permissions needed to manage VSR.
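The steps above are GUI-only. As an added check that is not part of this KB or VMware's documentation, the following PowerCLI script reports which CloudAdmin privileges an AD user does not effectively hold on the SDDC vCenter root folder, which is a quick way to confirm step 4 took effect before the user retries the failing VSR operation. The vCenter FQDN and the AD account are placeholders; it assumes PowerCLI is installed and that you connect with an account permitted to query permissions (for example cloudadmin@vmc.local).

```powershell
# Added example, not from the KB: list the CloudAdmin privileges that an
# on-premises AD user does NOT effectively hold on the SDDC vCenter root folder.
# Assumptions: VMware PowerCLI is installed; the vCenter FQDN and AD account
# below are placeholders; the connecting account may query permissions.
param(
    [string]$SddcVCenter = 'vcenter.sddc-PLACEHOLDER.vmwarevmc.com',
    [string]$AdUser      = 'CORP\jdoe',   # AD user being checked (constructed)
    [string]$RoleName    = 'CloudAdmin'
)

Import-Module VMware.VimAutomation.Core -ErrorAction Stop
$vc = Connect-VIServer -Server $SddcVCenter -ErrorAction Stop   # prompts for credentials

# The vSphere AuthorizationManager resolves a principal's effective privileges,
# including those granted through AD group membership and global permissions.
$authMgr    = Get-View -Server $vc -Id $vc.ExtensionData.Content.AuthorizationManager
$rootFolder = Get-Folder -Server $vc -NoRecursion     # top-level 'Datacenters' folder

$held = @()
foreach ($r in $authMgr.FetchUserPrivilegeOnEntities(@($rootFolder.ExtensionData.MoRef), $AdUser)) {
    $held += $r.Privileges
}

# Privilege IDs the CloudAdmin role grants, as defined on this vCenter.
$expected = (Get-VIRole -Server $vc -Name $RoleName).PrivilegeList
$missing  = @($expected | Where-Object { $held -notcontains $_ })

if ($missing.Count -eq 0) {
    Write-Host "$AdUser holds every $RoleName privilege on '$($rootFolder.Name)'."
} else {
    Write-Host "$AdUser is missing $($missing.Count) of $($expected.Count) $RoleName privileges:"
    $missing | Sort-Object | ForEach-Object { Write-Host "  $_" }
    Write-Host "Confirm the user's AD group is assigned $RoleName under Global Permissions."
}

Disconnect-VIServer -Server $vc -Confirm:$false
```

FetchUserPrivilegeOnEntities is part of the vSphere 6.5 and later API, so the script assumes an SDDC vCenter at or above that level.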

Additional Information

[VMC on AWS] Unable to add on-premises Active Directory over LDAP as an identity source when linking from Cloud SDDC (KB 81797)