Security Scopes Rebuild fails

[kosov.janko]

Dear Veeam team,

Our use case:
1. We assign in VM-123 VEM restore scope to user1.
2. Over time we assign this VM-123 VEM restore scope to additional 9 other users: user{2..10}.
3. After some time we delete this VM-123, without removing VM-123 VEM restore scope from users user{1..10} (its a rather tedious task).
4. We assign in VM-456 VEM restore scope to user{1..10}.

... But now the internal process "Security Scopes Rebuild" starts failing for those users user{1..10}, as the VM-123 does not exists any more... and the users do not see VM-456 now.

Question: Is there a purge / clean-up method, which would remove zombie VMs (VM does not exist on vCenter, but is mentioned in users' VM scope), so that "Security Scopes Rebuild" would be successful again? Ideally something that can be triggered periodically via API?

Or are we going the wrong way about this problem at all?

Thanks for your answers!

[oleg.feoktistov]

Hi,

You mean you need to remove VM-123 VEM restore scope as a whole when VMs this restore scope contains are no longer in vCenter?
If so, with RESP API you can get the restore scope ID by sending GET request to /security/accounts/{id}/scopes endpoint
and then delete it by sending DELETE request to /security/accounts/{id}/scopes/{id} endpoint.
You need to build a loop, though, to query that for each account you assigned this restore scope to.

Best regards,
Oleg

[kosov.janko]

Dear Oleg,

thank you for your answer. I'm aware of this possibility. But as mentioned... it is tedious...

Is there an alternative already implemented in Veeam...?

Br, Blaž

[oleg.feoktistov]

Currently there isn't. This implementation and endpoint structure is based on logic that we assign a restore scope to a user, not vice versa.

[kosov.janko]

Oleg thank you for your answer.

Additional question: how can I in user's restore scope, VM(s) that were already deleted?

[oleg.feoktistov]

Can you, please, clarify your question? I'm sorry, I couldn't understand it. Thank you!

[kosov.janko]

What is the best way to find zombie VMs in user's restore scope?

Should one do: https://helpcenter.veeam.com/docs/backu ... ml?ver=100
Will EnterpriseAccountHierarchyScope.State tell me that VM is missing from VC?

Or should I ask VEM for each VM found in scope if it still exists via https://helpcenter.veeam.com/docs/backu ... ml?ver=100

Thank you!

Br, Blaž

[veremin]

Or should I ask VEM for each VM found in scope if it still exists via https://helpcenter.veeam.com/docs/backu ... ml?ver=100

This, basically you need to compare two VM lists (restore scope and actual virtual infrastructure) and spot discrepancies there. Thanks!