Resource pool users unable to clone a VM


New Member
Aug 29, 2023

I have a use case that I am unable to get working as I had hoped. I have a user account 'student1' in the group 'student'. I also have a resource pool called 'student1'. The pool ACL is configured to use the '@student' group.

I have several VMs in the 'student1' resource pool. The problem I am having is that the 'student1' user cannot clone any VMs. I get an Error 'Permission check failed (403)'. I think the source of the problem, or at least my observation, is that the Resource Pool cannot be selected in the Clone VM input box (due to role permissions).

Should a user constrained by a resource pool be able to clone a VM? I wanted to give these users the abilities to use and manage VMs, but do so without seeing other students.

Here is the listing from my /etc/pve/user.cfg file:






To test, I added a new resource pool ACL where the 'student1' user was a 'PVEAdmin' role and it worked. But this wasn't desirable cause the account could see the actual 'student1' resource pool, and also all the other capabilities of this role. I believe the 'Pool.Audit' permission makes this possible.

Thank you for any assistance you can provide. I greatly appreciate your time.

Last edited:
I tried to set this up myself on PVE 8.0.4 with user@pam

The Pool.Audit permission is required to select the resource pool.
For the user, to view its own permissions, the Sys.Audit permission would be required. In my tests, I was unable to see it.

To clone a VM i also needed the SDN.Use permissions.

Here (part) of my /etc/pve/user.cfg



  • Like
Reactions: lectrician1
Hello stfl,

Thank you for testing this! I really appreciated that! I am still on Proxmox 7.4-16, but I was able to add the Pool.Audit and SDN.Use permissions to the 'student' role. This did allow me to successfully clone a VM, yes! As a test I removed the SDN.Use permission and the cloning still worked. I'll need to perform more testing, but at least things are working.

My hope was to be able to clone a VM but not have the user see their Pool in the left-side navigation area. Is that possible?

Again, thank you for your help!


SDN.Use permission is needed from PVE 8.0 onwards.

You can limit the user/group permissions to specific VMs. Otherwise, what you're trying to achieve is unfortunately not possible.


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!