How to force users to select a pool when creating a VM, instead of allowing null values to be placed in the default pool

[Batten]

I recently deployed an experimental platform for students on PVE. Although most permissions have been configured and separate resource pools have been allocated for each student account, unfortunately, VM isolation still has flaws.
When a student forgets to choose to add a virtual machine to their own pool, their virtual machine will be exposed to the monitoring of all users and can do anything to their virtual machine.

It is obvious that this user isolation has failed, and there is no way to save students when they are missing, because when creating virtual machines, the virtual machine pool can be empty and can be created without selection.

I don't know if PVE has this feature, or if there are other ways to prevent users from seeing virtual machines in the default pool?

Here are the permission configurations in my PVE：

 

[fabian]

you give your students access to all VMs, they have access to all VMs. remove the ACL giving access to /vms with propagation, then the user will only be able to create guests in the pool, and attempts to create one without a pool set will fail.

you also don't need to set NoAccess on all those top-level paths, NoAccess is the default, it only needs to be set explicitly if you want to reset privilege inheritance somewhere (e.g., give a user access to all vms via /vms with propagation, but then restrict access to /vms/123)

you can also add storages to pools, then you don't need to give separate ACLs for them for the students either (this is also planned for vnets, but not yet implemented )