03-05-2019 01:15 PM - edited 03-05-2019 01:23 PM
I did a quick check on Vox and checked the Restore notes and restrictions on the VMware Admin guide and couldn't find relevant information. And Google's search results get polluted with pages writing about permissions required to restore/backup for VMware.
When I perform a VM restore (overwrite original) to vCenter, all the permissions associated with the VM appear in vCenter which are at Datacenter or vCenter level. However, we have one permission for almost every VM which is for that particular VM only (is a custom . It does not get restored!
Is that normal? Does the backup image not contain the meta-data for all the VM's permissions too?
PS: this has been the same since as far as I can remember (7.7.x - 8.1.2)
03-06-2019 08:02 AM
Hello,
Yes, it is difficult to find explicit information about this topic. However, I think that VM backup metadata does not include VMware permissions. Remember that during restore a VM is first created - like any other new VM - and then data are restored into it. So it contains permissions like a new VM.
Regards
Michal
03-12-2019 02:02 PM
@Michal_Mikulik1 Thanks for the reply.
Missing VM metadata beats the purpose of the restore as the restored item is not the same as the one backed up (strictly speaking). I agree that when restoring a VM (with overwrite), the original VM is first deleted and then a new one created and restored using the backup image. However, a proper "restore" should recreate the VM the same as it was when it was backed up.
If this is an oversight, I would say it is a simple bug, Veritas should fix it. However, if it does not keep all the metadata for the VM, then the restore will always be half-baked. I have a case open for clarification.
03-12-2019 04:36 PM
From a security perspective, custom VM permissions should not belong and indeed do not belong to the VM and its metadata. They are stored in vCenter.
If you think a bit deeper and beyond your immediate requirements, you may find that restoring custom (not inherited) permissions could be a significant security issue. Case in point would be for a dodgy admin setting up a temporary vCenter and assigning all required permissions for a temp VM, back it up and restore to a production vCenter. If custom permissions would be carried over that easily it would compromise the entire security model of vCenter and virtual infrastructure.
I don't believe it's an NBU or VMware issue, considering potential security implications.
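
Added example, not part of any post in this thread and not Veritas or VMware code: since the replies above place VM-level permissions in vCenter rather than in the backup image, one way to keep them across an overwrite restore is to record them from vCenter beforehand and compare afterwards. It assumes VMware PowerCLI with an existing `Connect-VIServer` session; the VM name, the CSV path and the three function names are placeholders chosen for illustration.

```powershell
# Assumptions: PowerCLI is installed and Connect-VIServer has already been run
# against the vCenter that owns the VM. Name and path below are placeholders.
$vmName   = 'app-vm-01'
$snapshot = 'C:\Temp\app-vm-01-permissions.csv'

function Get-ExplicitVMPermission {
    param([string]$Name)
    $vm = Get-VM -Name $Name -ErrorAction Stop
    # Keep only permissions defined on the VM object itself. Inherited ones
    # (datacenter or vCenter level) apply to the recreated VM on their own.
    Get-VIPermission -Entity $vm |
        Where-Object { $_.EntityId -eq $vm.Id } |
        Select-Object Principal, Role, IsGroup, Propagate
}

# Step 1, before the restore: record the VM-level permissions.
function Export-VMPermissionSnapshot {
    Get-ExplicitVMPermission -Name $vmName |
        Export-Csv -Path $snapshot -NoTypeInformation
}

# Step 2, after the restore: list recorded entries missing from the new VM object.
# Matching is by VM name because the recreated VM gets a new object ID.
function Compare-VMPermissionSnapshot {
    $before = @(Import-Csv -Path $snapshot)
    $after  = @(Get-ExplicitVMPermission -Name $vmName)
    $before | Where-Object {
        $b = $_
        -not ($after | Where-Object {
            $_.Principal -eq $b.Principal -and $_.Role -eq $b.Role })
    }
}

# Step 3, after reviewing the list: reapply inside the same vCenter.
# -WhatIf only prints the intended change; remove it to apply.
function Restore-VMPermissionSnapshot {
    $vm = Get-VM -Name $vmName -ErrorAction Stop
    foreach ($p in Compare-VMPermissionSnapshot) {
        New-VIPermission -Entity $vm -Principal $p.Principal -Role $p.Role `
            -Propagate ([bool]::Parse($p.Propagate)) -WhatIf
    }
}
```

The record is read from and written back to the same vCenter by an administrator who already holds rights there, so no permission data travels with the backup image.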