Okay, forgive me if this is a silly question, but I've googled and looked at the online help, and came up empty. When I have used proxmox before, I just used root. I need to deploy a server with proxmox for me and two other people to use. I created the unix accounts for them with passwords. Check. I added a group 'Users' in the proxmox GUI and created proxmox users for each of the 3 accounts, placing them in the 'Users' group. Check. Now what? The only obvious place I see to apply these is in the Datacenter view, where I can add a Permission entry for the various items there, listing 'Users' and giving 'PVEAdmin'. So far, so good. Something is still missing though, since if I logout as root and login as one of the other users, the 'Create VM' button at the top right of the screen is grayed out. I assume there is (at least one) step I left out, but it isn't obvious (to me at least) what?
How to grant non-root users privileges to do most things?
- Thread starter dswartz
- Start date
While in Datacenter, take a look at Roles tab. There is a list of roles that can be assigned to users (or groups of users).
Depending on what you want your users to do, go to Permissions tab and create a user/group permission and grant them a particular Role.
Description of Roles:
https://pve.proxmox.com/wiki/User_Management
Depending on what you want your users to do, go to Permissions tab and create a user/group permission and grant them a particular Role.
Description of Roles:
https://pve.proxmox.com/wiki/User_Management
Which Role did you give to that user?
What is the path for the Permission you've created?
Edit:
Perhaps PVEVMAdmin or Administrator might be the role(s) you are after.
From above wiki page:
In theory, any role with VM.Allocate privilege should allow one to create a new VM. At least according to the wiki.
What is the path for the Permission you've created?
Edit:
Perhaps PVEVMAdmin or Administrator might be the role(s) you are after.
From above wiki page:
- Administrator: has all privileges
- PVEAdmin: can do most things, but miss rights to modify system settings (Sys.PowerMgmt, Sys.Modify, Realm.Allocate)
- PVEVMAdmin: fully administer VMs
In theory, any role with VM.Allocate privilege should allow one to create a new VM. At least according to the wiki.
Last edited:
I was wondering about the dialog that asks for a path. I have no idea what I'm supposed to put there. All I want is to create 3 users who all have PVEAdmin rights over the whole ball of wax. Nowhere I could find does it say how to do that (maybe I just didn't look in the right place?)
If you read that wiki page more closely, you will find the following section:
If I remember correctly a path of "/" (without quotes) refers to everything.
Last edited:
I have highlighted the relevant part above.
Did you now update the path field of your Permission(s) that grant PVEAdmin role to your chosen users?
By that I mean you have to Remove and then Add again the permission with correct path.
Just as an example (on Proxmox 3.3 box) via web interface, I have just done this:
Created a group called "admins"
Created a user called "test" and assigned to "admins" group all in one dialog box
Created a Group Permission with "/" for path, for group "admin", with assigned role of Administrator (with propagate on)
I can login as test and CreateVM just fine.
Last edited:
Yes, I read that. None of which answers my question as to why the 'Create VM' button is grayed out
You stated you had no clue what to put into PATH field. What did you put in there to begin with?
You can't create a Permission without filling something into the "path" field.
What do your Permissions look like now?
Last edited:
At least in my test environment (PVE v3.3) I can't create a permission with an empty path. So if you didn't create a permission that granted access, how did you expect anything to work?
I don't know how to explain this any more clearly than I already have. I *didn't* set any path because I didn't know what to set it to. '/' seemed dangerous (after years of working on unix-y systems, doing anything recursive to '/' seems risky). You explained exactly what needed to be done, for which I'm grateful.
Can I use another path instead of "/" for security reasons?
e.g. I created a user and I assigned a role ("Sys.Modify" and "VM.Monitor" permissions only). I will use API in order to give vnc access. That works only if I set "/" and I need an alternative solution about path.
e.g. I created a user and I assigned a role ("Sys.Modify" and "VM.Monitor" permissions only). I will use API in order to give vnc access. That works only if I set "/" and I need an alternative solution about path.
