Permissions to manage Pool and create CTs and VMs

teclab-at

Dear All,

What I want:
Create a user that can manage a pool (named power), create CTs and VMs.

What I have achieved:
I have created a test user with four paths and different Roles. That's what I needed to give the test user the capability to create own CTs, VMs and add users from existing Realms:
[Screenshot: 1741877460075.png]

Finally I will create a group instead of test user. But I wonder if I have done it right.
  • Is there a simpler way?
  • Are these Roles appropriate? For example I changed /access to PVEUserAdmin but don't see any difference.
  • Am I missing a Path for something?

Any feedback very much appreciated. Thank You!
 
Hi,

it looks like you’ve set up the permissions correctly, but I have a few suggestions to simplify and improve your configuration.

1. Is there a simpler way?
Yes, instead of assigning roles to an individual user, you could create a group (e.g., power-admins), assign the necessary roles to that group, and then add users to it. This makes permission management easier in the long run.

2. Are these roles appropriate?
• You mentioned that changing /access to PVEUserAdmin made no difference. That’s expected because:
  • PVEAdmin already has most administrative rights (except some security-critical settings).
  • PVEUserAdmin mainly focuses on user management, but since PVEAdmin is broader, you wouldn’t notice a difference.
• If your goal is pool management and VM/CT creation, PVEAdmin is usually sufficient.

3. Am I missing a path?
Your current setup looks good, but if you encounter issues with VM/CT creation, consider adding:
• /vms → Might be necessary if the user has issues creating VMs.
• /nodes/<nodename> → If the user needs to manage specific nodes, this might be required.
• /system → If networking changes or other system-wide settings are needed.

4. Testing & Troubleshooting
• Try logging in as test@pve and ensure you can create and manage CTs/VMs in the pool.
• If any issues arise, check Proxmox’s permission logs (journalctl -xe) to see if something is being denied.

Final Recommendation

• Consider using groups instead of assigning roles directly to users.
• If everything works as expected, your setup is fine, and you don’t need to change /access.
• If issues persist, try adding permissions for /vms or /nodes/<nodename>.

Regards
 
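The group-based setup suggested in the answer above, written out with the pveum CLI as an added example (it is not part of either post). Pool, group, user and role names are taken from the thread; the `pv` wrapper, its `DRY_RUN` switch and the `apply` argument are assumptions of this example, and only the pool ACL is covered, not the other paths from the screenshot.

```shell
#!/bin/sh
# Added example: grant a role on one pool to a group, then check the result.
# Names come from the thread; override them through the environment.
POOL="${POOL:-power}"
GROUP="${GROUP:-power-admins}"
ROLE="${ROLE:-PVEAdmin}"
USER_ID="${USER_ID:-test@pve}"

# Hypothetical wrapper: run pveum on a Proxmox VE node; with DRY_RUN=1, or
# where pveum is not installed, only print the command for review.
pv() {
    if [ "${DRY_RUN:-0}" = "1" ] || ! command -v pveum >/dev/null 2>&1; then
        echo "pveum $*"
    else
        pveum "$@"
    fi
}

setup_pool_group() {
    # 1. The group carries the permissions instead of a single user
    #    (this step fails if the group already exists).
    pv group add "$GROUP" --comment "pool-$POOL-managers"
    # 2. One ACL entry on the pool path, granted to the group.
    pv acl modify "/pool/$POOL" --groups "$GROUP" --roles "$ROLE"
    # 3. Add the user to the group; --append keeps existing memberships.
    pv user modify "$USER_ID" --groups "$GROUP" --append 1
}

verify_pool_group() {
    # Effective privileges of the user on the pool path.
    pv user permissions "$USER_ID" --path "/pool/$POOL"
    # Full ACL list, to spot entries still granted directly to the user.
    pv acl list
}

# "sh script.sh apply" performs both steps; without the argument the
# script only defines the functions.
case "${1:-}" in
    apply) setup_pool_group && verify_pool_group ;;
esac
```

Run it once with `DRY_RUN=1 sh script.sh apply` to read the commands before they change anything, then remove ACL entries that are still assigned directly to the test user.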