Setting up Non-Root Admin User: Role Question - Admin vs. PVE Admin

[SInisterPisces]

Hello,

I'd like to create a non-root PAM/underlying Debian user who also has all the necessary permissions to control PVE.
I've learned how to assign roles to groups, and then assign users to groups, so theoretically I'm all set. However, as a new PVE user it's not clear to me what the role difference is between Administrator and PVEAdmin.

I'm the only user of my PVE cluster, so creating a separate user is purely for the purposes of privilege de-escalation; I don't want to have root access all the time when I'm using my cluster.

The wiki says:

https://pve.proxmox.com/wiki/User_Management#pveum_permission_management

Roles​

A role is simply a list of privileges. Proxmox VE comes with a number of predefined roles, which satisfy most requirements.

• Administrator: has full privileges
• PVEAdmin: can do most tasks, but has no rights to modify system settings (Sys.PowerMgmt, Sys.Modify, Realm.Allocate)

For the moment, I've given my new user the Administrator role. However, I don't want to give my daily user more privileges than I need to actually use my cluster to create and manage VMs/CTs without the need for privilege escalation.

If I give my user the PVEAdmin role, what would I not be able to do? Put another (hopefully easier to answer) way, if my primary user is a PVEAdmin, when/how often would I still need to drop into the root account in the PVE web interface?

Thanks!
I think from the wiki's use of "system settings," that I'd be fine as a PVEAdmin, as I should not need to tweak the system settings daily?

Thanks.

 

[LnxBil]

Depends on what you want to do additionally to "just" using VMs. If you just want to have the user create, modify and delete VMs, you can also have a look at PVEVMAdmin, all other permissions are rarely used in a day-to-day usage like PVEDatastoreAdmin (how often do you plan to change the datastore layout??) or update you system over the GUI (I never do, just ssh in)

 

[SInisterPisces]

Depends on what you want to do additionally to "just" using VMs. If you just want to have the user create, modify and delete VMs, you can also have a look at PVEVMAdmin, all other permissions are rarely used in a day-to-day usage like PVEDatastoreAdmin (how often do you plan to change the datastore layout??) or update you system over the GUI (I never do, just ssh in)

Thanks! I'm the only human person using these nodes, so my idea is to have a daily use account that can do everything I could possibly want to do with VMs and containers, including creating/destroying/cloning/templating, and leaving the root user for all the other more dangerous/system control operations.

I don't see the point of creating a whole set of users for just myself with different privileges. All the passwords for them would be stored in my password vault; anyone who got access to that would have access to everything anyway.

I'll go ahead and switch my daily user to PVEAdmin.

 

[ronsrussell]

In my case I would like to give permission to a user to only be able to use the console and/or to power off/on certain VM's. I have created a new Role with privileges 'VM.Console VM.PowerMgmt'. But when logging in with a user assigned this role none of the VM's are visable.