User Access
When you sign up for VMware Cloud Services, and request access to the VMware Cloud Disaster Recovery service, you can begin to invite users to the service. As an organization owner, you can assign roles to your organization users, which grant them then permissions to perform specific operations in VMware Cloud Disaster Recovery.
When you invite other users to the service, you assign them organization roles which specify privileges that an organization member has over organization assets, and service roles, which gives users the permission to access and use the VMware Cloud Disaster Recovery service.
For more information about VMware Cloud Service roles, and how to add them to your users, see Identity and Access Management and Edit User Roles.
Note: When you modify a VMware Cloud Disaster Recovery user roles in the VMware Cloud console, the changes take approximately 15 minutes to be applied. To apply the changes faster, the user can log out and then log back in to the VMware Cloud console, and then access the VMware Cloud Disaster Recovery service.
Organization and VMware Cloud on AWS Service Roles
There are two specific operations in VMware Cloud Disaster Recovery that require a user to have the following roles:
Creating an API token requires the following organization and VMware Cloud on AWS service roles:
- Organization Role: Organization Owner
- VMware Cloud on AWS Service Roles:
- Administrator
- NSX Cloud Admin
Creating a subscription requires the following organization role:
- Organization owner
VMware Cloud Disaster Recovery Service Roles
The following table provides an overview of VMware Cloud Disaster Recovery roles and the features each role permits. Match the user role in each column with the capabilities in each row.
Note: VMware Cloud Disaster Recovery roles are additive. For example, if you want a user to create snapshots for backup and also have the ability to configure and run DR plans, you need to assign both DR admin and Backup admin roles to the user account.
|
DR Admin |
DR Tester |
Backup Admin |
SDDC Admin |
Auditor |
Administrator |
|
|
Configure API token (requires either Backup Admin or SDDC Admin) |
X | X | ||||
|
Edit Plans |
X |
X |
X |
|||
|
Plan test |
X |
X |
X |
X |
||
|
Plan recovery |
X |
X |
||||
|
Edit PGs |
X |
X |
||||
|
Replicate and restore |
X |
X |
||||
|
Edit protection sites |
X |
X |
||||
|
Edit SDDC |
X |
X |
||||
|
View compliance checks |
X | X |
X |
X |
X |
X |
|
Reports |
X | X |
X |
X |
X |
X |
|
View data |
X | X |
X |
X |
X |
X |
Service Roles and Permitted Operations
The below table provides a more detailed description of all operations permitted for each VMware Cloud Disaster Recovery service role.
Note: If you apply the Administrator or the Auditor roles to a user account, then you cannot add any other roles to the account.
|
Role |
Permitted Operations |
|---|---|
|
Administrator |
This user role can perform all operations listed in this table, except for creating an API token and creating a subscripton. |
|
Auditor |
Note: All other roles include this level of access. |
|
DR admin |
DR Plans
Test recovery
Recovery
|
|
Backup admin |
API token
Protected sites
Protection groups
VMs
|
|
Plan tester |
DR Plans
Test recovery
Alarms
|
|
SDDC admin |
SDDCs
API token
|