Pool Administrator?

voidindigo

Hi all,

I've got a Proxmox 8.0.3 cluster set up and I want to add a group of contractors with its own administrator. Then create a Pool of VMs that the group can use, administered by the group admin. Optimally, I would like the group admin to be able to add & delete users and create & delete VMs but ONLY within the scope of the Pool / Group they are part of.

I've been able to create users that can log in and see only the VMs within /pool/Contract, which I believe will give me what I want for most users. But the admin can't create / delete VMs or users without adding top-level permissions (to / or specifically to /access, /storage, etc.) and then the Pool Admin gets to see all users & VMs.

Is it possible to have an admin that sees only what's within a specific Pool / Group?

Thanks!
 
You cannot have an admin on Pool level that is also an admin for the user management or the storage management. These two are global functionality and not restricted to pools.

You can restrict via permissions which storage entity a group of users can consume for the VMs in their pool.
 
Right, but only by the complete storage entity, yes? Meaning I would have to add a new completely separate storage entity, then assign Group permissions to /storage/new_storage ... yes?
 
Ok, something to think about... maybe I can split up existing storage. Thank you for the idea!

What I ran into that's really stopping me is if you assign any user (or user in a group) Permission to do "global" admin things (like modify other users) you have to give them write access to areas like /access, then they get read access to those areas, which gives them the ability to see all users on the system. What I think we would need is the ability to assign Read or Write or ReadWrite access to an area. Then we could assign ReadWrite access to a Pool or a Group and only Write access to /access (for updating users) ... and you could have a user that can see only certain things, but can update whatever they can see.

I understand that's not simple... just a suggestion that would fix my problem at the moment :)

Thanks again
 
maybe I can split up existing storage
I just did exactly that in our lab and it worked beautifully. It is a little distracting to have many storage pools listed in Root view in the GUI, especially given that each one shows up once for every node in the cluster.
However, once isolated, a per-user/pool presentation is simple and clear.


Blockbridge : Ultra low latency all-NVME shared storage for Proxmox - https://www.blockbridge.com/proxmox
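
The scoping discussed in this thread (grants on the pool and on a dedicated storage entry stay contained, while any grant on /access or / reaches global objects) can be checked mechanically. The following is an added example, not part of the original posts or of Proxmox's own tooling: a Python audit that flags ACL entries held by the contractor groups outside their pool and storage paths. The group, user and storage names are constructed, and the `acl:` line layout of `/etc/pve/user.cfg` is an assumption of this example.

```python
# Added example: audit Proxmox ACL grants for pool-scoped groups.
# Assumed user.cfg ACL layout: acl:<propagate>:<path>:<ugids>:<roles>:
# All group, user and storage names below are constructed for illustration.

SAMPLE_CFG = """\
group:contract-admins:alice@pve::
group:contract-users:bob@pve::
acl:1:/pool/Contract:@contract-admins:PVEAdmin:
acl:1:/pool/Contract:@contract-users:PVEVMUser:
acl:1:/storage/contract-store:@contract-admins,@contract-users:PVEDatastoreUser:
acl:1:/access:@contract-admins:PVEUserAdmin:
acl:0:/storage/local-lvm:@contract-users:PVEDatastoreUser:
acl:1:/:@ops:Administrator:
"""

def parse_acls(cfg_text):
    """Yield (propagate, path, ugid, role) for every ACL grant in the text."""
    for line in cfg_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 5 or fields[0] != "acl":
            continue  # skip user:, group:, role:, pool: and malformed lines
        propagate, path = fields[1] == "1", fields[2]
        for ugid in filter(None, fields[3].split(",")):
            for role in filter(None, fields[4].split(",")):
                yield propagate, path, ugid.strip(), role.strip()

def in_scope(path, allowed):
    """True if path equals an allowed path or lies beneath one."""
    path = path.rstrip("/") or "/"
    return any(path == a or path.startswith(a.rstrip("/") + "/")
               for a in allowed)

def out_of_scope_grants(cfg_text, groups, allowed):
    """Return (path, ugid, role) grants held by groups outside allowed paths."""
    wanted = {"@" + g for g in groups}
    return [(path, ugid, role)
            for _, path, ugid, role in parse_acls(cfg_text)
            if ugid in wanted and not in_scope(path, allowed)]

if __name__ == "__main__":
    allowed = ["/pool/Contract", "/storage/contract-store"]
    groups = ["contract-admins", "contract-users"]
    for path, ugid, role in out_of_scope_grants(SAMPLE_CFG, groups, allowed):
        print(f"{ugid} holds {role} on {path} (outside pool scope)")
```

On the constructed sample it reports the /access grant to the admin group and the grant on a shared storage entry, the two kinds of entry that widen what a pool-scoped account can see.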
 
