
VM restore permissions missing for VM object

X2
Moderator
   VIP   

I did a quick check on Vox and checked the Restore notes and restrictions on the VMware Admin guide and couldn't find relevant information. And Google's search results get polluted with pages writing about permissions required to restore/backup for VMware.

When I perform a VM restore (overwrite original) to vCenter, all the permissions associated with the VM appear in vCenter which are at Datacenter or vCenter level. However, we have one permission for almost every VM which is for that particular VM only (is a custom . It does not get restored!

Is that normal? Does the backup image not contain the meta-data for all the VM's permissions too?

PS: this has been the same since as far as I can remember (7.7.x - 8.1.2)


Michal_Mikulik1
Moderator
Partner    VIP    Accredited Certified

Hello,

Yes, it is difficult to find explicit information about this topic. However, I think that VM backup metadata does not include VMware permissions. Remember that during restore a VM is first created - like any other new VM - and then data are restored into it. So it contains permissions like a new VM.

Regards

Michal

X2
Moderator
   VIP   

@Michal_Mikulik1  Thanks for the reply.

Missing VM metadata beats the purpose of the restore as the restored item is not the same as the one backed up (strictly speaking). I agree that when restoring a VM (with overwrite), the original VM is first deleted and then a new one created and restored using the backup image. However, a proper "restore" should recreate the VM the same as it was when it was backed up.

If this is an oversight, I would say it is a simple bug, Veritas should fix it. However, if it does not keep all the metadata for the VM, then the restore will always be half-baked. I have a case open for clarification.

Mouse
Moderator
Partner    VIP    Accredited Certified

From a security perspective, custom VM permissions should not belong and indeed do not belong to the VM and its metadata. They are stored in vCenter.

If you think a bit deeper and beyond your immediate requirements, you may find that restoring custom (not inherited) permissions could be a significant security issue. Case in point would be for a dodgy admin setting up a temporary vCenter and assigning all required permissions for a temp VM, back it up and restore to a production vCenter. If custom permissions would be carried over that easily it would compromise the entire security model of vCenter and virtual infrastructure.

I don't believe it's an NBU or VMware issue, considering potential security implications.
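
Added example, not part of the thread and not Veritas or VMware code: since the replies say the VM-level permissions live in vCenter rather than in the backup image, one way to keep them across an overwrite restore is to export them from vCenter beforehand and reapply them, after review, in the same vCenter. It assumes VMware PowerCLI with an active `Connect-VIServer` session; the function names, VM name and file path are hypothetical.

```powershell
# Added example. Assumes VMware PowerCLI and an existing Connect-VIServer session.
# Function names, 'app01' and the JSON path are hypothetical.

function Export-VmLocalPermission {
    param([Parameter(Mandatory)][string]$VMName,
          [Parameter(Mandatory)][string]$Path)
    $vm = Get-VM -Name $VMName -ErrorAction Stop
    # Keep only entries defined on the VM object itself, not the ones
    # inherited from folder, datacenter or vCenter level.
    $local = @(Get-VIPermission -Entity $vm |
        Where-Object { $_.EntityId -eq $vm.Id } |
        Select-Object Principal, Role, IsGroup, Propagate)
    ConvertTo-Json -InputObject $local | Set-Content -Path $Path -Encoding UTF8
}

function Restore-VmLocalPermission {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$VMName,
          [Parameter(Mandatory)][string]$Path)
    # Look the VM up by name again: the thread describes the restore as
    # creating a new VM, so the old object reference is not reused here.
    $vm = Get-VM -Name $VMName -ErrorAction Stop
    $existing = @(Get-VIPermission -Entity $vm |
        Where-Object { $_.EntityId -eq $vm.Id })
    $saved = Get-Content -Path $Path -Raw | ConvertFrom-Json
    foreach ($p in $saved) {
        # Skip grants that are already present on the restored VM.
        $dup = $existing | Where-Object {
            $_.Principal -eq $p.Principal -and $_.Role -eq $p.Role }
        if ($dup) { continue }
        if ($PSCmdlet.ShouldProcess($VMName,
                "grant role '$($p.Role)' to '$($p.Principal)'")) {
            New-VIPermission -Entity $vm -Principal $p.Principal `
                -Role (Get-VIRole -Name $p.Role) -Propagate $p.Propagate
        }
    }
}

# Before the restore:
#   Export-VmLocalPermission -VMName 'app01' -Path .\app01-perms.json
# After the restore, preview first, then apply:
#   Restore-VmLocalPermission -VMName 'app01' -Path .\app01-perms.json -WhatIf
#   Restore-VmLocalPermission -VMName 'app01' -Path .\app01-perms.json
```

Treat the exported JSON as an access-control record: store it where only vCenter administrators can modify it, and review its contents before reapplying.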