[SOLVED] Is it safe to delete a user?

Colin 't Hart

Jan 20, 2017
Hi,

Our former system administrator left our company; is it safe to delete his Proxmox accounts? These are in the PVE Authentication realm.
Don't all the permissions go via roles? And I understand it's not possible for such a user to "own" anything, correct?

Thanks,

Colin
 
As long as you have root access, you can delete the user. But you need to take care of any script or program that uses this account.
 
Don't all the permissions go via roles? And I understand it's not possible for such a user to "own" anything, correct?

If you delete all the permissions from this user and its group then yes, he cannot do anything anymore.
The permissions add roles to object paths (e.g., '/' == whole cluster, '/vms/100' == vm/ct 100, ...), and that either for groups or users.

As a simple way to ensure he cannot access anything without deleting it, you may give this user the NoAccess role on the root path '/' and check 'propagate'.
We always give deny permissions higher priority than allow permissions so he should not be able to do anything anymore.
 
My 2 cents: never delete a user (if you do not want to have to remember ... which user did I delete a year ago). In these cases I change the password to a new strong and long password. And I also monitor any usage of this user for many months. After 3 months I modify the shell for this user (like /dev/null). And after another 3 months I remove any login access.
If you remove a user, it is difficult to find out what this user did on date xx.yy.zzzz.
 
My 2 cents: never delete a user (if you do not want to have to remember ... which user did I delete a year ago). In these cases I change the password to a new strong and long password. And I also monitor any usage of this user for many months. After 3 months I modify the shell for this user (like /dev/null). And after another 3 months I remove any login access.
If you remove a user, it is difficult to find out what this user did on date xx.yy.zzzz.
This is a "Proxmox VE authentication server" realm account, not a Linux user, so the above doesn't apply.
 
If you delete all the permissions from this user and its group then yes, he cannot do anything anymore.
The permissions add roles to object paths (e.g., '/' == whole cluster, '/vms/100' == vm/ct 100, ...), and that either for groups or users.

As a simple way to ensure he cannot access anything without deleting it, you may give this user the NoAccess role on the root path '/' and check 'propagate'.
We always give deny permissions higher priority than allow permissions so he should not be able to do anything anymore.
Thanks. You've confirmed my understanding that the user accounts don't "own" any objects that would be removed by deleting an account.
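
The replies above describe permissions as roles attached to object paths for either users or groups. As an added example (not part of the thread and not Proxmox's own code), the sketch below lists every grant a departing account holds, directly or through a group, so they can be reviewed before the account is removed. The colon-separated `group:` and `acl:` line layouts are an assumption about /etc/pve/user.cfg, and the sample data and the name `audit_user` are constructed for illustration.

```python
# Added example: audit a PVE-realm account before removing it.
# Assumed user.cfg line layouts (colon-separated):
#   group:<name>:<member,member,...>:<comment>:
#   acl:<propagate>:<path>:<user or @group,...>:<role,...>:
# SAMPLE_CFG is constructed for illustration, not taken from a real cluster.
SAMPLE_CFG = """\
user:root@pam:1:0:::::
user:oldadmin@pve:1:0:::::
user:backup@pve:1:0:::::
group:admins:oldadmin@pve,root@pam:Cluster admins:
group:operators:backup@pve::
acl:1:/:@admins:Administrator:
acl:1:/vms/100:oldadmin@pve,backup@pve:PVEVMAdmin:
acl:0:/storage/local:@operators:PVEDatastoreUser:
"""


def audit_user(cfg_text, userid):
    """Return (groups, acls) that grant anything to userid.

    acls is a list of (path, role, via, propagate) tuples, where via is
    the userid itself or '@group' for a grant inherited from a group.
    """
    groups, acl_lines = [], []
    for line in cfg_text.splitlines():
        fields = line.strip().split(":")
        if fields[0] == "group" and len(fields) >= 3:
            if userid in fields[2].split(","):
                groups.append(fields[1])
        elif fields[0] == "acl" and len(fields) >= 5:
            acl_lines.append(fields)
    # ACL entries name users directly and groups with an '@' prefix.
    subjects = {userid} | {"@" + g for g in groups}
    acls = []
    for _, propagate, path, ugids, roles, *_ in acl_lines:
        for via in sorted(subjects & set(ugids.split(","))):
            for role in roles.split(","):
                acls.append((path, role, via, propagate == "1"))
    return groups, acls


if __name__ == "__main__":
    groups, acls = audit_user(SAMPLE_CFG, "oldadmin@pve")
    print("groups:", groups)
    for path, role, via, propagate in acls:
        print(f"{path}: {role} via {via} (propagate={propagate})")
```

Grants reported via a group stay in place for the other members after the account is gone; only the direct entries and the group membership belong to the departing user.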
 
