Permission to change VM boot order

DerDieDas

Hello all,

I want to give a user permission to change the boot order under the VM's "options" menu.

The user cannot change it if I set the permissions for this user to VM.Config.Options (according to https://pve.proxmox.com/wiki/User_Management this user should be able to "modify any other VM configuration").
How can I set the correct permissions so that the user can change this by herself?

Best,
Andy
 
AFAICS, you need 'VM.Config.Disk' permissions for the boot order
 
Any solution to prevent someone from changing the bandwidth limits of the disk itself, when giving the permissions mentioned above to allow for boot order change?
 
If something like VM.Config.AuditDisk would be available, so at least you could change the boot order.
Despite that, the thing I don't get is, you can change the boot order if you don't have permission to change the network device, but you need Modify on the disk to change the boot order.
 
Hi,
> If something like VM.Config.AuditDisk would be available, so at least you could change the boot order.
> Despite that, the thing I don't get is, you can change the boot order if you don't have permission to change the network device, but you need Modify on the disk to change the boot order.

as you suggested, this would require a new more fine-grained permission. But what is your use case for this?

> If something like VM.Config.AuditDisk would be available, so at least you could change the boot order.
> Despite that, the thing I don't get is, you can change the boot order if you don't have permission to change the network device, but you need Modify on the disk to change the boot order.

We had to use some permission for it and I guess the disk permission was chosen, because it seemed the most natural.
 
> Hi,
>
> as you suggested, this would require a new more fine-grained permission. But what is your use case for this?

As you give the user edit permissions, so he can change the boot order.
The user can also edit the I/O limits you had set.

Which would be not ideal, for just giving the user the option to change the boot order.
 
> As you give the user edit permissions, so he can change the boot order.
> The user can also edit the I/O limits you had set.
>
> Which would be not ideal, for just giving the user the option to change the boot order.

Yes, I understand that. That's why a more fine-grained permission would be required. My question is why? What is the concrete scenario for giving the user control over the boot order without giving them control over disks?
 
> Yes, I understand that. That's why a more fine-grained permission would be required. My question is why? What is the concrete scenario for giving the user control over the boot order without giving them control over disks?

I just said why. If you set I/O limits, you may not want to give the user permission to change these.
However you may want to give the user permission to change the boot order.
 
No you didn't say why you require that. Just that you require that ;)

EDIT: An example to explain why would be "user should be able to add CD ROM to bootorder on demand for rescue boot, but not be able to otherwise touch disks". But in that case you could just always have the CD-ROM in the boot order with a low priority and then you don't need to give the user permission to change it, they can just select in the BIOS.

If you have a real-world use case where you actually do require this separation (you still didn't provide one), feel free to open a feature request on our bugtracker for it: https://bugzilla.proxmox.com/
 
> No you didn't say why you require that. Just that you require that ;)
>
> EDIT: An example to explain why would be "user should be able to add CD ROM to bootorder on demand for rescue boot, but not be able to otherwise touch disks". But in that case you could just always have the CD-ROM in the boot order with a low priority and then you don't need to give the user permission to change it, they can just select in the BIOS.
>
> If you have a real-world use case where you actually do require this separation (you still didn't provide one), feel free to open a feature request on our bugtracker for it: https://bugzilla.proxmox.com/

Okay, if you give a user access to the proxmox panel, he obviously can change all settings he has access to.
Including if you give him permissions to the disk settings, which you need for the boot order.

Means, he can remove the I/O limits, you set, to prevent abuse or limit abuse on a host node.
Right, you set them for a reason, the User should not be able to change these just for boot order permissions.
 
> Okay, if you give a user access to the proxmox panel, he obviously can change all settings he has access to.
> Including if you give him permissions to the disk settings, which you need for the boot order.
>
> Means, he can remove the I/O limits, you set, to prevent abuse or limit abuse on a host node.
> Right, you set them for a reason, the User should not be able to change these just for boot order permissions.

Why do you require a low-privileged user to change the boot order? That's the use case I'm asking for. I'm not against the feature, but a feature requires a valid use-case :)
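
For administrators who have granted VM.Config.Disk so that users can change the boot order, the following added example (not part of the thread and not Proxmox code) lists which users hold that privilege on which paths through custom roles, so the grants discussed above can be reviewed. It assumes the colon-separated `role:`, `group:` and `acl:` line layout of `/etc/pve/user.cfg`; the role names, users and VM IDs in the sample are constructed, and built-in roles, which are not defined in that file, are not resolved.

```python
# Constructed sample in the assumed layout of /etc/pve/user.cfg (not from the thread).
SAMPLE_CFG = """\
user:alice@pve:1:0:::::
user:bob@pve:1:0:::::
group:tenants:bob@pve::
role:BootOrderOnly:VM.Config.Options,VM.Config.Disk:
role:OptionsOnly:VM.Config.Options:
acl:1:/vms/100:alice@pve:BootOrderOnly:
acl:1:/vms/101:@tenants:BootOrderOnly:
acl:1:/vms/102:alice@pve:OptionsOnly:
"""


def parse_user_cfg(text):
    """Return (roles, groups, acls) parsed from user.cfg-style text."""
    roles, groups, acls = {}, {}, []
    for line in text.splitlines():
        f = line.strip().split(":")
        if f[0] == "role" and len(f) >= 3:
            roles[f[1]] = {p for p in f[2].split(",") if p}
        elif f[0] == "group" and len(f) >= 3:
            groups[f[1]] = [u for u in f[2].split(",") if u]
        elif f[0] == "acl" and len(f) >= 5:
            # Paths, users/groups and roles may each be comma-separated lists.
            for path in f[2].split(","):
                for ugid in f[3].split(","):
                    for role in f[4].split(","):
                        acls.append((path, ugid, role))
    return roles, groups, acls


def disk_config_holders(text, priv="VM.Config.Disk"):
    """List (path, user, role) entries where a custom role grants `priv`."""
    roles, groups, acls = parse_user_cfg(text)
    hits = set()
    for path, ugid, role in acls:
        if priv not in roles.get(role, set()):
            continue  # role lacks the privilege, or is built-in and not in the file
        # A leading "@" marks a group; expand it to its member users.
        users = groups.get(ugid[1:], []) if ugid.startswith("@") else [ugid]
        for user in users:
            hits.add((path, user, role))
    return sorted(hits)


if __name__ == "__main__":
    for path, user, role in disk_config_holders(SAMPLE_CFG):
        print(f"{user} can edit disk settings on {path} via role {role}")
```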
 
