
Minimum permissions for restore using vStorage api

Stormchaser
Level 4

Hi

There exists an article from Symantec about this problem ( http://www.symantec.com/business/support/index?page=content&id=TECH130493 ), but as far as I know, it does not appear complete.

When I try to restore a *.vmdk file, I had to change to root privileges so that the operation would complete successfully. If not, the job will fail with (Permission) Error 5 (something like Creating *vmdk-file).

Does anyone have some experience or proposals for this issue?

Thanks for your help

Thomas

 

Environment is :

Master-Server : SUN Solaris 10 NBU :  7.0.1 EE

VM-Proxy : Windows 2003 Std NBU CAL  7.0.1  / EEBInstaller.2105102.14

VMSphere ESXi : 4.1 / 260247

VM-Host : Windows 2003 Std

 

 

 


Marianne
Level 6
Partner    VIP    Accredited Certified

Have a look at these 2 TechNotes regarding permissions for VM backups and restores:

http://www.symantec.com/docs/TECH130493

http://www.symantec.com/docs/TECH128513

In a secure environment, the ‘minimum’ requirements will probably not be sufficient.

The following extract from the 1st TN says that:

"These are the minimum required permissions that has been found to be sufficient in the tests performed by Symantec for a basic vSphere environment.  This is not a complete list.  Additional privileges might be required if advanced features are in use. "

(notice the words ‘test’ and ‘basic vSphere environment’)

 

The second TN has the following recommendation:

"During restores, NetBackup can be instructed to provision the virtual machine anywhere in the vSphere cloud. NetBackup also provides options to handle the existing machine (whether to overwrite the original machine, reuse its UUID etc.). Hence the minimum permissions to provision the restored virtual machine anywhere in the vSphere cloud would be almost close to built-in Administrator role. Symantec recommends cloning the Administrator role and removing permissions related to operations that NetBackup should not perform based on business and security requirements."

IMHO, the VMware Admins should play a leading role in determining these permissions, as each environment is unique with unique security limitations.

Also have a look at the Recommendations under Option 1 and Option 2 in the 2nd TechNote and see if the VM Admins are agreeable to being more closely involved when restores are needed - similar to Database Administrators' (SQL, Oracle, DB2) involvement when database restores need to be done.


pikachu
Level 6
Employee Certified

You either missed something or in your VC the account wasn't at the highest level.

Stormchaser
Level 4

Hi Marianne

 

Sometimes it is a little bit tricky. The switches in the German version of VMware, or rather 4.1, are somewhat different from those in the English one. With your help and a deeper look into the log, I found the missing rights.

It's very interesting that the different language versions have different config files.

Many thanks for your help

Thomas

 

pikachu
Level 6
Employee Certified

Could you take a screenshot and post it? I will create a GERMAN TN for this.

Stormchaser
Level 4

Hi pikachu

Here is the screenshot. If you need the whole list, please let me know.

Kind regards

Thomas

pikachu
Level 6
Employee Certified

The entire list would be great. Not sure how much work that is going to be for you :(

Stormchaser
Level 4

I hope you will enjoy this list.

Running through all the parameters, I will hazard a guess that there is a logic error in TECH130493, so that the part Virtual Machine > State includes neither "Network" nor "Assign network".

 

Kind regards 

 

Thomas

pikachu
Level 6
Employee Certified

Depending on the version of ESX/VC you run, "network" shows up as its own independent item.