User Management Delegation

Diabolic487
Jun 10, 2025
Hello! I am trying to set up some method of user management delegation where I am able to assign a user as a group/pool administrator such that they are able to create/modify/delete users within the confines of their limited scope (ie, a pool). I found this thread from last year where the user had the same requirements as I do, suggesting that this is not possible directly on Proxmox.


My question then is this: Is it possible to mimic this behaviour using third party tools? For example, are there any LDAP applications that allow this sort of user management that can then be synced to Proxmox? My first attempt at this was to use Authentik, but it seems to have similar limitations in that creating and deleting users is a global operation that requires global permissions rather than scoped permissions. Would appreciate any assistance on the matter.
 
Hi Diabolic487, would OpenID and/or OpenLDAP fit your needs? Two good OpenID providers are Keycloak and Zitadel (links below). LDAP might also be suited to your needs, and PVE does have something of "native" support for OpenLDAP, in that we offer a container template for OpenLDAP by Turnkey Linux.

Keycloak: https://www.keycloak.org/
Zitadel: https://zitadel.com/

Please note that support for Zitadel has not landed yet.
 
Thanks for the links, I'll look into them! I am not particularly stuck on a specific technology or protocol, I primarily want my goal achieved however I am able to do so. It seems like delegating user management into scopes is not a very common pattern so perhaps tools just don't exist for that use case?
 
If you don't want to do it via scopes, then using OpenLDAP is probably a better choice, considering that it is much easier delegating different privileges via a web GUI.
 
Yes, I believe a web GUI would be ideal for my use case. Does OpenLDAP support scoped user management capabilities such as creating and deleting users only within a certain group? Like the thread I posted earlier, I have contractors that want to manage their own users and I don't want to give them any privileges outside of that narrow context.

More specifically, what I am looking to avoid is having to do their user management for them, if that is possible.
 
I'm not quite sure which LDAP clients exist to allow you to do that, but OpenLDAP has been around for many years, somebody probably made some client(s) that allow(s) you to do that.
 
Maybe this link helps you: https://www.turnkeylinux.org/openldap
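For reference, here is how the scoping asked about in this thread can be expressed directly in OpenLDAP's access control, independent of whichever web client is put in front of it. This is an added example, not from the thread, from Proxmox, or from the TurnKey template; it assumes the suffix dc=example,dc=com, one OU per contractor pool under ou=people, a groupOfNames cn=pool-a-admins holding the delegated admins, and the directory in olcDatabase={1}mdb. The replace: overwrites the whole existing ACL list, so merge it with the rules already in place.

```ldif
# Added example: delegate user lifecycle inside one contractor pool to that
# pool's admin group. Assumed naming (adjust to your directory):
#   suffix             dc=example,dc=com
#   pool subtree       ou=pool-a,ou=people,dc=example,dc=com
#   delegated admins   cn=pool-a-admins,ou=groups,dc=example,dc=com
#                      (groupOfNames with "member", the group.exact default)
# Apply with: ldapmodify -Y EXTERNAL -H ldapi:/// -f delegate-pool-a.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Passwords in the pool: owner may change, anyone may bind against them,
# pool admins may reset them. Nobody can read the hash.
olcAccess: {0}to dn.children="ou=pool-a,ou=people,dc=example,dc=com" attrs=userPassword
  by self write
  by anonymous auth
  by group.exact="cn=pool-a-admins,ou=groups,dc=example,dc=com" write
  by * none
# Passwords everywhere else: pool admins get no special access.
olcAccess: {1}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# Adding or deleting an entry requires write on the parent's "children"
# pseudo-attribute. Grant it on the pool OU itself, not on ou=people.
olcAccess: {2}to dn.exact="ou=pool-a,ou=people,dc=example,dc=com" attrs=children
  by group.exact="cn=pool-a-admins,ou=groups,dc=example,dc=com" write
  by * read
# Entries below the pool OU: pool admins may create, modify and delete
# (delete needs write on the entry pseudo-attribute, covered here).
olcAccess: {3}to dn.children="ou=pool-a,ou=people,dc=example,dc=com"
  by group.exact="cn=pool-a-admins,ou=groups,dc=example,dc=com" write
  by * read
# Everything else stays read-only, including ou=groups, so a pool admin
# cannot add members to their own admin group or touch other pools.
olcAccess: {4}to *
  by * read
```

Because the first matching "to" clause wins, order matters: the pool-scoped password rule must precede the global one, and the catch-all must stay last. A PVE LDAP realm sync that binds with a read-only DN then picks up whatever the pool admins create, without PVE itself needing any delegation model.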