I’m a new Zerto user and when I’m told a product requires “Administrator” privileges to vCenter I have a problem with that. This is a big gaping security hole that needs to be plugged. I did my own product testing and discovered there are only a couple of additional settings from what is listed in the Security / Hardening guidelines for a vSphere 6.0 implementation. Those are:
Global – Disable Methods
Global – Enable Methods
Zerto – <All entries>
I created a new role, assigned the permissions, and was able to install, protect, failover and failback. If I find any other permissions as I continue my testing I will be sure to post them here.
If anyone else has limited Zerto access to their vSphere environment I would appreciate hearing your experiences.
Thanks very much for sharing your experiences and feedback. I’ll compare your notes to ours internally and see if I can provide any further clarification (and documentation updates).
Thanks again! Keep the feedback coming!
I have downloaded and finished my testing on Version 5 of the VMware product. One additional permission was required:
Host / Configuration / Query patch
With that in place, installation, test failovers, and failovers have been successful. I’m not sure why Zerto doesn’t understand why granting full-on Administrator permissions is a security risk, especially when this level of access is not required.
Thanks and if anyone has found additional permissions I may have missed, please let me know.
Thanks for posting this. Has the latest hardening guide been updated with the input above?
The “Security and Hardening with Zerto Virtual Replication Version 5.0 Update 1” guide also shows this, which I don’t see in my vCenter Roles/Privileges where the documentation says they are:
Authorization > Modify Permission
Authorization > Modify Role
Authorization > Reassign role permissions
^^^ The above is actually under Permissions > Modify Permission | Modify Role | Re-Assign Role Permissions
So, with all of the above, there’s still something blocking deployment of VRAs. Given all the sections in the hardening guide to customize for the role, I ended up just enabling each of those top-level privileges and I got everything to work, so will work my way backwards to see if I can find what exactly is missing from the hardening guide. Stand by.