Defining Role-based Access Control
By default, Zerto Virtual Replication manages permissions that exist in the vCenter Server. When it is installed, Zerto Virtual Replication adds privileges to vSphere and assigns these privileges to the Administrator role, which enables the administrator to perform specific actions in Zerto Virtual Replication. These privileges include:
Manage VPG: Creating, editing, and deleting a VPG, and adding checkpoints to a VPG.
Failover Test: Performing a test failover.
Live Failover: Performing failovers.
Move: Performing VPG moves.
Manage cloud connector: Installing and uninstalling Zerto Cloud Connectors (ZCCs). For details, see Defining DRaaS Components.
Manage Sites: Editing the site configuration, including site details, pairing and unpairing sites, updating the license, and editing advanced site settings.
Manage VRA: Installing, updating and uninstalling Virtual Replication Appliances.
View: Viewing information about an entity.
You can also set basic permissions for a ZORG, as described in Defining ZORG Permissions.
If you want to extend these default permissions, you can activate Zerto Virtual Replication role-based access control in the Zerto Cloud Manager. Zerto Virtual Replication enables you to apply permissions to the specific authorizable entities, such as ZORGs, VPGs, and sites, to which you want to control access. A privilege defines an operation or a set of operations that can be performed, such as managing a VPG or VRA. A role is a set of privileges. Roles can be assigned to individual users or groups of users. Users and groups of users are defined in the local Active Directory. A permission is composed of an authorizable entity, a user or group, and a role.
Note: Once activated, the Zerto Virtual Replication role-based access control replaces the basic permissions. If the Zerto Virtual Replication role-based access control is deactivated, the default Zerto Virtual Replication permissions are re-activated.
You can update the privileges associated with both new roles that you create and the roles supplied with Zerto Virtual Replication. You can manage the permissions assigned to each Zerto Virtual Replication authorizable entity. These permissions are defined in the Zerto Cloud Manager and affect the Zerto Virtual Manager sites defined in the Zerto Cloud Manager.
The following apply to Zerto Virtual Replication role-based access control:
The Zerto Cloud Manager and all the Zerto Virtual Manager sites defined in the Zerto Cloud Manager are defined in the same Active Directory domain. After you activate role-based access control, you must log in to the Zerto Virtual Manager sites defined in the Zerto Cloud Manager with the Active Directory domain user. If you deactivate role-based access control, when you log in to the Zerto Virtual Manager sites defined in the Zerto Cloud Manager, you must use the vCenter Server user again.
All privileges are implemented at the Zerto Cloud Manager level. The levels are organized in a tree structure. For details of the levels, refer to Managing Privileges, Roles, and Authorizable Entities.
Users managing the Zerto Cloud Manager are a type of super user and Zerto-defined permissions do not limit the functions they can perform.
A permission assigned to a child entity overrides the permission assigned to its parent entities.
When users are assigned several permissions, or are members of several groups, they can perform all the functions associated with all those permissions and all those groups.
Permissions apply both when using the Zerto User Interface and with Zerto APIs.
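The override and accumulation rules above can be modeled as follows. This is an added example, not Zerto code, and it shows how a permission on a child entity can narrow what a user inherits from a parent. The entity tree, users, groups, and role names are constructed, and the resolution order (the nearest entity carrying a permission for the user decides, and all matching permissions at that entity are combined) is an assumption about how the two rules interact; Zerto Cloud Manager super users are not modeled.

```python
# Added illustration: entity names, users, groups and roles are constructed.
PARENT = {  # authorizable-entity tree, child -> parent (hypothetical layout)
    "zorg-acme": "root",
    "site-london": "zorg-acme",
    "vpg-web": "site-london",
    "vpg-db": "site-london",
}
ROLES = {  # a role is a set of privileges (privilege names as listed on this page)
    "operator": {"View", "Failover Test", "Live Failover", "Move"},
    "vpg-admin": {"View", "Manage VPG"},
    "read-only": {"View"},
}
PERMISSIONS = [  # a permission = (authorizable entity, user or group, role)
    ("zorg-acme", "grp-dr-ops", "operator"),
    ("zorg-acme", "grp-app-team", "vpg-admin"),
    ("vpg-db", "grp-dr-ops", "read-only"),
]
GROUPS = {"alice": {"grp-dr-ops"}, "bob": {"grp-dr-ops", "grp-app-team"}}


def effective_privileges(user, entity):
    """Privileges `user` holds on `entity`.

    Assumption: the nearest entity on the path to the root that carries any
    permission for the user (directly or through a group) decides the result,
    and all matching permissions at that entity are unioned.
    """
    principals = {user} | GROUPS.get(user, set())
    node = entity
    while node is not None:
        matched = [r for e, p, r in PERMISSIONS if e == node and p in principals]
        if matched:
            return set().union(*(ROLES[r] for r in matched))
        node = PARENT.get(node)
    return set()


def overridden_grants(user):
    """Audit helper: entities where a child permission removes inherited privileges."""
    report = {}
    for entity, parent in PARENT.items():
        lost = effective_privileges(user, parent) - effective_privileges(user, entity)
        if lost:
            report[entity] = lost
    return report
```

Under this model, bob loses Manage VPG on vpg-db because the read-only permission set there for one of his groups takes precedence over both roles granted at the ZORG, which is the kind of side effect worth reviewing before adding a child-level permission.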
Enabling and managing role-based access is described in the following topics:
Enabling Role-based Permissions
Managing Roles
Managing Privileges, Roles, and Authorizable Entities