Tags permission

mvtab

New Member
Jul 11, 2024
15
2
3
Hello,

I was just curious about the strange permissions for tags:

With the VM.Config.Options permission on /vms, one can add any tags they want, except the registered ones. No matter the individual configuration of registered ones. This setting can only be restricted more, not less.

So, for example, if someone needs to assign a registered tag with an ansible playbook, the ansible bot requires Sys.Modify on / level.
This means it's more practicable to not have any registered tags, or else the bots can't use them without receiving extreme permissions.

What is the motivation behind this behavior? Shouldn't it be the other way around, that VM.Config.Options users can use the registered ones, and the Sys.Modify can use any?
 
Last edited:
VM.Config.Options is the minimum permission to edit a vm config, so thats at minimum needed for tags. The idea was that by default, users will be able to set any tags
since we want to be able to do some actions based on tags in the future (e.g. backups) there must be a mechanism that users cannot add/remove themselves to/from the backups, so the registered tags with higher permissions were introduced for that purpose

if you just want to restrict tags for the users, you can also use the 'pre defined list' in Datacenter -> Options and set the mode to 'list' or 'existing'

Sadly we don't really have (for now) a better permission to give for setting restricted tags, but you can ofc open an enhancement request here: https://bugzilla.proxmox.com
(no promises though ;) )

but as long as we don't actually bind any functionality to the registered tags, i think the list mode should suffice for your case?
 
  • Like
Reactions: mvtab

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!