Zerto and VMware Permissions
VMware roles and permissions are the core of VMware infrastructure security. A permission is the combination of a user or group and a role (a set of privileges), applied to an object at some level of the VMware infrastructure inventory.
VMware Privileges Required by Zerto
When Zerto accesses the vCenter Server, it requires the vSphere privileges assigned to Administrator roles, which include the following privileges.
Note: The Zerto role must also be available. This role is added to the Administrator user during the Zerto installation.
| Category | Privilege | Description |
|---|---|---|
| ALARM | Create alarm | When Zerto is installed in vSphere environments, all Zerto alerts are propagated as alarms in vCenter. As such, upon installation, the alarms matching the alerts are created. Zerto controls enabling and disabling the alarms. See the correlation between alerts and alarms in Zerto - Guide to Alarms, Alerts and Events. |
| ALARM | Remove alarm | When Zerto is uninstalled, the alarm definitions added above are removed. |
| AUTHORIZATION > PERMISSIONS (from vCenter 5.5 and 6.0) | Modify permission | When Zerto is installed in vSphere environments, it creates seven different privileges that can be assigned to vCenter users that log in to Zerto (or view the Zerto UI from within the vSphere Client). Important: Starting with Zerto v8.5, new installations of Zerto no longer authorize user operations based on their vCenter role and permissions. Customers who are using vCenter for role-based access control (RBAC) and upgrade their environment are not affected by this change. |
| DATASTORE | Allocate space | Needed to allocate datastore space when Zerto creates or reconfigures VMs. |
| DATASTORE | Browse datastore | Needed for the in-GUI datastore browser and VPG import. |
| DATASTORE | Configure datastore | Needed to create and remove directories within the datastore. |
| DATASTORE | Remove file | Used for cleanup of volumes in a number of situations (for example, cleanup of VRAs, journals, folders, etc.). |
| DATASTORE | Low level file operations | Needed to move files managed by Zerto (for example, mirrors, journals, etc.) between folders. Specifically used in recovery operations (for example, Failover), but may be used during other procedures. |
| DATASTORE | Update virtual machine files | |
| DATASTORE CLUSTER | Configure a datastore cluster | Used when installing VRAs to enable or disable Storage DRS within datastore clusters. |
| EXTENSION | Register extension | Needed to create the vSphere Client plugin, 'ManagedBy' extension, and other features related to Zerto's integration with vCenter. |
| EXTENSION | Unregister extension | Needed to remove the vSphere Client plugin, 'ManagedBy' extension, and other features when removing ZVR. |
| FOLDER | Create folder | Used during recovery operations to create VM folders. |
| GLOBAL | Cancel task | Used to remove tasks created by ZVR to track operations. |
| GLOBAL | Diagnostics | Used when pulling diagnostic logs from vCenter/ESXi. |
| GLOBAL | Disable methods | Used to disable methods on protected objects like VRAs and 'Testing Recovery' VMs. |
| GLOBAL | Enable methods | Used to re-enable methods disabled by Zerto. |
| GLOBAL | Log event | Used for pushing Zerto events to vSphere for tracking. |
| HOST > CONFIGURATION | Advanced settings | Not used by Zerto. |
| HOST > CONFIGURATION | Virtual machine autostart configuration | Used when creating new VRAs/diskboxes. |
| HOST > CONFIGURATION | Change settings | Used during VRA deployment. |
| HOST > CONFIGURATION | Security profile and firewall | Used during VRA deployment. |
| HOST > CONFIGURATION | Query Patch | Used during VRA deployment. |
| HOST > INVENTORY | Modify cluster | Used for setting affinity rules for VRAs, and disabling DRS/HA for recovery VMs before commit. |
| NETWORK | Assign network | Used for assigning VMs to various networks. |
| RESOURCE | Assign vApp to resource pool | Used for moving recovery vApps into the correct resource pools. |
| RESOURCE | Assign virtual machine to resource pool | Used for moving recovery VMs into the correct resource pool. |
| RESOURCE | Migrate a powered off virtual machine | Used for migrating VRAs back to the correct host if they have been moved off. Also for migrating recovery VMs back to the correct host when they are migrated by vCD when adding VMs into a vCD vApp. |
| RESOURCE | Migrate a powered on virtual machine | Used for migrating VRAs back to the correct host if they have been moved off. Also for migrating recovery VMs back to the correct host when they are migrated by vCD when adding VMs into a vCD vApp. |
| SESSIONS | Validate session | Used for validating the current session between ZVM and vCenter. |
| TASKS | Create task | Used for creating tracking tasks within vCenter. |
| TASKS | Update task | Used for updating tracking tasks created by Zerto. |
| vApp | vApp application configuration | Used for configuring recovery vApps created by ZVR. |
| vApp | Assign resource pool | Used for moving recovery vApps into the correct resource pool. |
| vApp | Add virtual machine | Used for moving recovery VMs into the correct vApp. |
| vApp | Create | Used for creating recovery vApps. |
| vApp | Delete | Used for deleting recovery vApps (for example, when stopping FOT). |
| vApp | Import | Used during VRA OVF deployment. |
| vApp | Power off | Used for powering off recovery vApps (for example, when stopping FOT). |
| vApp | Power on | Used for powering on recovery vApps. |
| VIRTUAL MACHINE > CONFIGURATION | Add existing disk | Used to attach disks to VRAs/recovery VMs. |
| VIRTUAL MACHINE > CONFIGURATION | Add new disk | Used to create new journal/mirror disks on VRAs. |
| VIRTUAL MACHINE > CONFIGURATION | Add or remove device | Used for adding various devices (NIC, SCSI adapter, etc.) to recovery VMs. |
| VIRTUAL MACHINE > CONFIGURATION | Advanced | Used to set ExtraConfig on Zerto appliances (ZCC/VRA/Diskbox). |
| VIRTUAL MACHINE > CONFIGURATION | Change CPU count | Used to set the number of CPUs on VRA deployment. |
| VIRTUAL MACHINE > CONFIGURATION | Extend virtual disk | Used to resize mirror disks when a disk resize occurs on the protected site. |
| VIRTUAL MACHINE > CONFIGURATION | Modify device settings | Used to change settings of existing devices, such as NICs or SCSI adapters, on VRAs. |
| VIRTUAL MACHINE > CONFIGURATION | Configure managedBy | Used for setting the 'ManagedBy' property on VMs, such as the Zerto appliances and 'Testing Recovery' VMs. |
| VIRTUAL MACHINE > CONFIGURATION | Memory | Used to configure memory for VRA VMs. |
| VIRTUAL MACHINE > CONFIGURATION | Raw device | Used to assign RDM LUNs to VRAs and recovery VMs. |
| VIRTUAL MACHINE > CONFIGURATION | Remove disk | Used to detach disks from VMs during recovery operations/rollbacks. |
| VIRTUAL MACHINE > CONFIGURATION | Change resource | Used for configuring the resource allocation of a VM within a resource pool, specifically when creating a recovery vApp. |
| VIRTUAL MACHINE > CONFIGURATION | Settings | Used to change VM settings not covered by other permissions. |
| VIRTUAL MACHINE > CONFIGURATION | Swapfile placement | Used to set swapfile placement on recovery VMs where the protected VM has a custom setting. |
| VIRTUAL MACHINE > CONFIGURATION | Upgrade virtual machine compatibility | Used to upgrade the VRA VM hardware version when upgrading the VRA version. |
| VIRTUAL MACHINE > INTERACTION | Power off | Used for powering off VMs, such as when stopping or rolling back a Failover, or when shutting down protected VMs during a Failover/Move. |
| VIRTUAL MACHINE > INTERACTION | Power on | Used for powering on VMs during recovery operations. |
| VIRTUAL MACHINE > INVENTORY | Create from existing | Used to deploy Zerto appliances. |
| VIRTUAL MACHINE > INVENTORY | Create new | Used to create recovery VMs. |
| VIRTUAL MACHINE > INVENTORY | Register | Used to move VMs into VM folders during recovery operations. |
| VIRTUAL MACHINE > INVENTORY | Remove | Used to remove existing VMs (uninstall Zerto appliance, remove recovery VMs when stopping FOT, rolling back FOL, or on the protected site when committing FOL or Move with reverse protection). |
| VIRTUAL MACHINE > INVENTORY | Unregister | Used to remove VMs from inventory. Only used as part of Undo events, after a failed task. |
| VIRTUAL MACHINE > SNAPSHOT MANAGEMENT | Remove snapshot | Used when setting up reverse protection. |
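The table above is effectively a least-privilege specification: a role granted to the Zerto service account should contain every privilege listed (or Zerto operations fail at unpredictable points, such as reverse protection) and nothing beyond them. The script below is an added example, not Zerto's or VMware's code. It encodes the table's human-readable privilege names by category and audits a role's granted privileges against them, reporting what is missing, what is granted but documented here as "Not used by Zerto", and what lies outside the table entirely. The role under review (`SAMPLE_ROLE`) is constructed sample data; in a real audit you would export the role's privileges from vCenter (for example with PowerCLI's `Get-VIRole`) and map them to these names.

```python
"""Audit a vCenter role against the Zerto privilege table (added example)."""
from dataclasses import dataclass

# Privileges the table says Zerto requires, keyed by the table's category column.
REQUIRED = {
    "ALARM": ["Create alarm", "Remove alarm"],
    "AUTHORIZATION > PERMISSIONS": ["Modify permission"],
    "DATASTORE": ["Allocate space", "Browse datastore", "Configure datastore",
                  "Remove file", "Low level file operations",
                  "Update virtual machine files"],
    "DATASTORE CLUSTER": ["Configure a datastore cluster"],
    "EXTENSION": ["Register extension", "Unregister extension"],
    "FOLDER": ["Create folder"],
    "GLOBAL": ["Cancel task", "Diagnostics", "Disable methods",
               "Enable methods", "Log event"],
    "HOST > CONFIGURATION": ["Virtual machine autostart configuration",
                             "Change settings", "Security profile and firewall",
                             "Query Patch"],
    "HOST > INVENTORY": ["Modify cluster"],
    "NETWORK": ["Assign network"],
    "RESOURCE": ["Assign vApp to resource pool",
                 "Assign virtual machine to resource pool",
                 "Migrate a powered off virtual machine",
                 "Migrate a powered on virtual machine"],
    "SESSIONS": ["Validate session"],
    "TASKS": ["Create task", "Update task"],
    "vApp": ["vApp application configuration", "Assign resource pool",
             "Add virtual machine", "Create", "Delete", "Import",
             "Power off", "Power on"],
    "VIRTUAL MACHINE > CONFIGURATION": [
        "Add existing disk", "Add new disk", "Add or remove device", "Advanced",
        "Change CPU count", "Extend virtual disk", "Modify device settings",
        "Configure managedBy", "Memory", "Raw device", "Remove disk",
        "Change resource", "Settings", "Swapfile placement",
        "Upgrade virtual machine compatibility"],
    "VIRTUAL MACHINE > INTERACTION": ["Power off", "Power on"],
    "VIRTUAL MACHINE > INVENTORY": ["Create from existing", "Create new",
                                    "Register", "Remove", "Unregister"],
    "VIRTUAL MACHINE > SNAPSHOT MANAGEMENT": ["Remove snapshot"],
}

# Listed in the table but explicitly "Not used by Zerto".
NOT_USED = {("HOST > CONFIGURATION", "Advanced settings")}


@dataclass
class AuditResult:
    missing: list          # (category, privilege) Zerto needs but the role lacks
    excess_unused: list    # granted, and documented above as unused by Zerto
    excess_unknown: list   # granted, and not in the table at all

    @property
    def ok(self) -> bool:
        """Zerto is functional only if nothing required is missing."""
        return not self.missing


def required_set() -> set:
    """Flatten the REQUIRED table into (category, privilege) pairs."""
    return {(cat, priv) for cat, privs in REQUIRED.items() for priv in privs}


def audit_role(granted) -> AuditResult:
    """Compare a role's granted (category, privilege) pairs with the table."""
    granted, req = set(granted), required_set()
    extra = granted - req
    return AuditResult(
        missing=sorted(req - granted),
        excess_unused=sorted(extra & NOT_USED),
        excess_unknown=sorted(extra - NOT_USED),
    )


def report(result: AuditResult) -> str:
    """Human-readable summary; missing privileges are listed first."""
    lines = ["OK: role satisfies the Zerto privilege table" if result.ok
             else f"FAIL: {len(result.missing)} required privilege(s) missing"]
    lines += [f"  MISSING  {c} > {p}" for c, p in result.missing]
    lines += [f"  UNUSED   {c} > {p} (not used by Zerto)" for c, p in result.excess_unused]
    lines += [f"  UNKNOWN  {c} > {p} (outside the table)" for c, p in result.excess_unknown]
    return "\n".join(lines)


# Constructed sample role: two required privileges omitted, one unused one added.
SAMPLE_ROLE = (required_set()
               - {("VIRTUAL MACHINE > SNAPSHOT MANAGEMENT", "Remove snapshot"),
                  ("AUTHORIZATION > PERMISSIONS", "Modify permission")}
               | NOT_USED)

if __name__ == "__main__":
    print(report(audit_role(SAMPLE_ROLE)))
```

Running it prints a FAIL line followed by the two missing privileges and the one granted-but-unused one; a role equal to `required_set()` reports OK. Keeping the `NOT_USED` set separate matters because the table itself lists "Advanced settings", so a naive "everything in the table" role would carry a host-configuration privilege Zerto never exercises.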