Replications to the cloud require certain users, roles, and permissions.

On the source vSphere site, you need the same credentials as the ones required for vSphere Replication. See vSphere Replication Roles Reference.

When you create a connection to the target virtual data center, you provide two pairs of credentials.

Connection Credentials

Used for authenticating within the cloud organization, these credentials initiate a user session with your cloud provider. The privileges for your user account are managed by your cloud provider.

com.vmware.hcs.{com.vmware.hcs}:ManageRight

com.vmware.hcs.{com.vmware.hcs}:ViewRight

Organization.View Organization Networks

Organization.View Organizations

Organization VDC.View Organization VDCs

Credentials to the cloud are required for each target site, once per user session, and not per operation in the vSphere Web Client. When the authenticated user session to a target site expires, users are prompted to input their credentials again.

System Monitoring Credentials

Used at runtime to let the source and the target site communicate. These credentials are stored in the vSphere Replication appliance on the source site. The user name that you provide must be assigned the vSphere Replication role, or the following rights in your cloud organization.

com.vmware.hcs.{com,vmware.hcs}:ManageRight

com.vmware.hcs.{com,vmware.hcs}:ViewRight

Organization.View Organization Networks

Organization.View Organizations

Organization VDC.View Organization VDCs

Although you can use the same credentials for both connection and system monitoring, a good practice is to use different pairs of credentials.