Feature request: user privileges

fortovey

Jan 22, 2024
I would like to raise for discussion a proposal on user privileges for VMs, in connection with the active phase of development of PVE version 8 and the upcoming version 9.

1. VM.Config.Network: currently, this privilege allows changing settings/adding new network devices, as well as configuring firewall rules for a VM. In my tasks I miss a finer division of rights; I would suggest something like this:
- VM.Config.Network: adding and modifying network interfaces
- VM.Config.Network.Use: modifying existing network interfaces, except changing the firewall=[0|1] parameter
- VM.Config.Firewall: managing the firewall

2. Add implicit rights to check the VM status (running | stopped) for all "VM.*" privileges (get /nodes/{node}/qemu/{vmid}/status/current will return only status=XXX). Can be useful for various administrative tasks and for xtermjs|novnc

3. VM.* privilege rights without VM.Audit:
- show VM in resource list if any VM.* privileges are assigned (get available resource values: vmid, type, status, name, id, tags, node, template). Settings tabs corresponding to assigned privileges are available
- VM.Console: Console tab is available
- VM.Monitor, VM.Firewall, VM.Config.Options, VM.Backup, VM.Snapshot etc. - corresponding tabs are available
- VM.Config.* - Hardware tab is available

4. Currently, resource rights are cumulative (except NoAccess). But it would be nice to have the ability to "overwrite" rights on an individual resource, ignoring inheritance. PVE has a Propagate flag for assigning rights. Maybe you can use the propagate=false flag to specify overriding the rights on the end resource, or add your own flag. For example, a privilege for a specific VM with propagate=false and the PVEVMAudit role will override the PVEVMAdmin rights set on the pool

5. User management features:
- Prevent the user from changing the password/2FA
- Prevent the user from creating API tokens
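
Item 4 of the post above, as a small added model (not part of the original post and not Proxmox VE code): it compares the cumulative behaviour the post describes with the proposed propagate=false override. The role contents are an abbreviated, constructed subset, and the `override_on_no_propagate` switch, user name, pool name and VM IDs are assumptions.

```python
# Simplified model of the ACL behaviour discussed in item 4; not Proxmox VE code.
# Role contents are abbreviated, constructed subsets used only for illustration.
ROLES = {
    "PVEVMAdmin": {"VM.Audit", "VM.Console", "VM.PowerMgmt",
                   "VM.Config.Network", "VM.Snapshot"},
    "PVEVMAudit": {"VM.Audit"},
    "NoAccess": set(),
}


def effective_privs(acl, user, vmid, pool=None, override_on_no_propagate=False):
    """Return the privileges `user` holds on /vms/<vmid>.

    acl is a list of (path, user, role, propagate) tuples.
    override_on_no_propagate=False: cumulative behaviour as the post describes it.
    override_on_no_propagate=True: the proposed override (hypothetical switch),
    where a propagate=false entry on the VM itself replaces inherited roles.
    """
    vm_path = f"/vms/{vmid}"
    direct, inherited = [], []
    for path, who, role, propagate in acl:
        if who != user:
            continue
        if path == vm_path:
            direct.append((role, propagate))
        elif propagate and pool is not None and path == f"/pool/{pool}":
            inherited.append(role)  # pool entries reach members only if propagated

    roles = [r for r, _ in direct] + inherited
    if "NoAccess" in roles:  # simplification: NoAccess cancels everything
        return set()
    if override_on_no_propagate:
        pinned = [r for r, p in direct if not p]
        if pinned:  # entry pinned on the VM wins over the pool's roles
            roles = pinned
    return set().union(*(ROLES[r] for r in roles))


# Constructed sample: admin on the pool, audit-only pinned on one member VM.
SAMPLE_ACL = [
    ("/pool/prod", "alice@pve", "PVEVMAdmin", True),
    ("/vms/101", "alice@pve", "PVEVMAudit", False),
]

if __name__ == "__main__":
    for mode in (False, True):
        privs = effective_privs(SAMPLE_ACL, "alice@pve", 101, "prod", mode)
        print("override" if mode else "cumulative", sorted(privs))
```
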
Did you try to create a feature request on https://bugzilla.proxmox.com to prompt an official answer? Although a lot of Proxmox staff hang around here this is basically a community forum so I don't wonder if one thread doesn't get any answers.
 
Did you try to create a feature request on https://bugzilla.proxmox.com to prompt an official answer? Although a lot of Proxmox staff hang around here this is basically a community forum so I don't wonder if one thread doesn't get any answers.
Usually, a specific feature is requested in bugzilla. Here I listed a set of features that I would like to see and wanted to discuss how useful these suggestions could be. Or change/add my ideas on this topic. And then form a feature request on bugzilla