User Permissions to add TPM stat

[HaConSupport]

If i create a new VM my user have the permission to add a TPM state during create process.
If the VM is created and i would like to add it afterwards the Field is grayed out.
I can't figure out which special permission is needed to add a TMP state after creating a VM.

My role ist PVEAdmin to the VM and Adminstrator for the pool where the VM is added to. (booth the build in roles)

I've already tried to find here "https://pve.proxmox.com/wiki/User_Management#pveum_permission_management" a solution but i can't.

Thank you for your help.

srv-07:~$ pveversion -v
proxmox-ve: 8.0.2 (running kernel: 6.2.16-12-pve)
pve-manager: 8.0.4 (running version: 8.0.4/d258a813cfa6b390)
proxmox-kernel-helper: 8.0.3
pve-kernel-5.15: 7.4-6
proxmox-kernel-6.2.16-12-pve: 6.2.16-12
proxmox-kernel-6.2: 6.2.16-12
pve-kernel-5.15.116-1-pve: 5.15.116-1
pve-kernel-5.13.19-1-pve: 5.13.19-3
ceph-fuse: 17.2.6-pve1+3
corosync: 3.1.7-pve3
criu: 3.17.1-2
glusterfs-client: 10.3-5
ifupdown: residual config
ifupdown2: 3.2.0-1+pmx4
libjs-extjs: 7.0.0-4
libknet1: 1.25-pve1
libproxmox-acme-perl: 1.4.6
libproxmox-backup-qemu0: 1.4.0
libproxmox-rs-perl: 0.3.0
libpve-access-control: 8.0.4
libpve-apiclient-perl: 3.3.1
libpve-common-perl: 8.0.7
libpve-guest-common-perl: 5.0.3
libpve-http-server-perl: 5.0.4
libpve-rs-perl: 0.8.4
libpve-storage-perl: 8.0.2
libspice-server1: 0.15.1-1
lvm2: 2.03.16-2
lxc-pve: 5.0.2-4
lxcfs: 5.0.3-pve3
novnc-pve: 1.4.0-2
openvswitch-switch: 3.1.0-2
proxmox-backup-client: 3.0.2-1
proxmox-backup-file-restore: 3.0.2-1
proxmox-kernel-helper: 8.0.3
proxmox-mail-forward: 0.2.0
proxmox-mini-journalreader: 1.4.0
proxmox-offline-mirror-helper: 0.6.2
proxmox-widget-toolkit: 4.0.6
pve-cluster: 8.0.2
pve-container: 5.0.4
pve-docs: 8.0.4
pve-edk2-firmware: 3.20230228-4
pve-firewall: 5.0.3
pve-firmware: 3.8-2
pve-ha-manager: 4.0.2
pve-i18n: 3.0.5
pve-qemu-kvm: 8.0.2-5
pve-xtermjs: 4.16.0-3
qemu-server: 8.0.6
smartmontools: 7.3-pve1
spiceterm: 3.3.0
swtpm: 0.8.0+pve1
vncterm: 1.8.0
zfsutils-linux: 2.1.12-pve1

 

[ebaggs]

I ran into the same issue today and found from trial and error that the permission needed to add the TPM DIsk (and Virtio RNG) from the Web UI is the Sys.Console permission.

This permission check appears to only happen in the front end (graying out the option in the Web UI), but the backend doesn't actually check for this permission if you try to add a TPM disk as a raw API request. This seems potentially unintentional as Sys.Console doesn't seem like the correct permission to be checking for this anyways, but the front end source code specifically checks for that.

I've opened a ticket with Proxmox trying to understand if this is intentional, but hopefully this helps you or anyone else that stumbles onto this issue in the meanwhile