Hi all. I'm looking into the user management settings for Proxmox, and I'm really pleased to see such granular access available in managing accounts. I'm only considering using Proxmox in my homelab, but this is a great feature.
I'm trying to apply the old "principle of least privilege" approach, so I've created a limited access account after doing my initial installation, storage, VM, network, etc. administration on the root account. I read through the user management section of the wiki and used it to assign my limited access account the PVEVMAdmin and PVEAuditor roles, which seems to accomplish most of what I want to do at the moment.
However, one missing permission I'd like to give is the ability to see the IP(s) a running VM/container has associated with it on the 'Summary' page. When I view the summary page I get the "Requires 'VM.Monitor' Privileges" message (another great feature; actually telling the user which privilege they lack in order to do what they want!). So, the obvious answer is to assign the VM.Monitor privilege to my limited access user, but therein lies my question: what rights does that privilege actually grant?
I've tried to search for information about what practical implications and permissions the VM.Monitor privilege actually gives to a user who's assigned it, but I haven't been able to find anything. All I can seem to find is a simple description of "VM.Monitor: access to VM monitor (kvm)" on the user management wiki page and the pveum docs/man page.
I'd welcome any help or input about what granting the VM.Monitor privilege actually entails for user privileges (i.e. what it allows the user to do; can they make any changes to the kvm process, or is it a read-only privilege). Thanks.