Tags permission

[mvtab]

Hello,

I was just curious about the strange permissions for tags:

With the VM.Config.Options permission on /vms, one can add any tags they want, except the registered ones. No matter the individual configuration of registered ones. This setting can only be restricted more, not less.

So, for example, if someone needs to assign a registered tag with an ansible playbook, the ansible bot requires Sys.Modify on / level.
This means it's more practicable to not have any registered tags, or else the bots can't use them without receiving extreme permissions.

What is the motivation behind this behavior? Shouldn't it be the other way around, that VM.Config.Options users can use the registered ones, and the Sys.Modify can use any?

 

[dcsapak]

VM.Config.Options is the minimum permission to edit a vm config, so thats at minimum needed for tags. The idea was that by default, users will be able to set any tags
since we want to be able to do some actions based on tags in the future (e.g. backups) there must be a mechanism that users cannot add/remove themselves to/from the backups, so the registered tags with higher permissions were introduced for that purpose

if you just want to restrict tags for the users, you can also use the 'pre defined list' in Datacenter -> Options and set the mode to 'list' or 'existing'

Sadly we don't really have (for now) a better permission to give for setting restricted tags, but you can ofc open an enhancement request here: https://bugzilla.proxmox.com
(no promises though )

but as long as we don't actually bind any functionality to the registered tags, i think the list mode should suffice for your case?