SDN Access rights

timresi (New Member), Feb 3, 2026
Hello,

I'm trying to restrict modification rights for a specific bridge but can't figure out how. The ultimate goal is to allow people to create new bridges, but not modify those dedicated to administration/production.
Does someone know how I can proceed?

I tried creating a new SDN zone to manage the path, which isn't possible if the bridge is configured directly on the node (can you confirm this?).
But when I grant PVESDNAdmin access rights, the zone appears, but I can't create any new bridges, just see those already created and allocate them to VMs.


Thank you for helping,
Tim.
 
how did you configure the ACLs?

to create a new VNET (bridge), you need SDN.Allocate on `/sdn/zones/{zone}`. if you want to give full privileges to a user for a zone, you need to set the propagate bit on the ACL as well, so that the contained VNETs are also covered. note that this is a fairly trustworthy level of access, it is still possible to cause havoc by misconfiguring things!
 
yeah, the UI hides the required elements atm unless you also have "Sys.Audit" on /, it seems. could you file a bug?
 
Tell me if this is supposed to work:

I created a new role, SDN-Role, with these privileges:
SDN.Audit, SDN.Allocate, SDN.Use, Sys.AccessNetwork, Sys.Audit

Then I created a new permission, with the path /sdn/zones/my-zone, the group with my users, and the new role, with propagate=True.

And this isn't working.
I can see the zone with its VNets, but can't create new ones in Datacenter settings.

And what do you mean with "file a bug" ?

Thanks

Edit:
If I use / as the path, with my new role, I can manage SDN settings but also all settings of the Datacenter. But here I just need the SDN settings.
 
you currently need Sys.Audit on /, not just on the zone. the rest you can pin on the zone.

filing a bug means creating an entry in our bugzilla (https://bugzilla.proxmox.com) - you will then also be notified of progress there!
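The setup described in the replies above (SDN.Allocate and friends on the zone with propagate set, plus Sys.Audit on /), written out as an added pveum script; this is not code from the thread or from Proxmox. The role name SDN-Role and its privileges come from the thread; the group name sdn-users, the zone name my-zone, the separate root-level role SDN-RootAudit and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Run on a PVE node as root.
# Set DRY_RUN=1 to print the pveum commands instead of executing them.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Zone-scoped role (privileges as listed in the thread, minus Sys.Audit,
# which has to sit on / anyway). SDN.Allocate is what allows creating VNETs.
create_sdn_zone_role() {
    run pveum role add SDN-Role --privs "SDN.Audit SDN.Allocate SDN.Use Sys.AccessNetwork"
}

# Root-level role holding only Sys.Audit, so the UI shows the SDN panel
# without handing out any modification right on the rest of the datacenter.
create_root_audit_role() {
    run pveum role add SDN-RootAudit --privs "Sys.Audit"
}

# ACL on the zone with propagate=1 so the VNETs below it inherit the role,
# and the audit-only ACL on / that the UI currently requires.
grant_zone_to_group() {
    zone="$1"; group="$2"
    run pveum acl modify "/sdn/zones/$zone" --groups "$group" --roles SDN-Role --propagate 1
    run pveum acl modify / --groups "$group" --roles SDN-RootAudit
}

# Check what a member of the group actually ends up with on the zone path.
show_effective_perms() {
    run pveum user permissions "$1" --path "/sdn/zones/$2"
}

if [ "${1:-}" = "apply" ]; then
    create_sdn_zone_role
    create_root_audit_role
    grant_zone_to_group my-zone sdn-users
fi
```

Run it as `sh grant-sdn.sh apply`, then `show_effective_perms user@pve my-zone` to confirm SDN.Allocate is present on the zone and that nothing beyond Sys.Audit was granted on /.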
 
Ohh I understand now. I thought that with Sys.Audit and SDN rights it would only display the SDN part in the settings, but in fact it displays everything, there are simply no modification rights.
So atm it's not possible to only display the settings which the user has rights on?

And thank you for that information. I guess there's no more bug then.
 
the granularity of the gating the UI does is a bit too coarse at the moment - that is the bug/possible enhancement.