Re: [PVE-User] User permissions for some hosts

Re: [PVE-User] User permissions for some hosts

[Fabian Grünbichler]

On September 3, 2020 12:36 pm, Tobias Guth wrote:
> Hi,
> 
> I have posted some issue on the pve forum regarding user permissions on
> some pve hosts.
> (https://forum.proxmox.com/threads/permission-set-for-specific-hosts.75138/)
> 
> but no answer so far.
> 
> I try to give some usergroup the permission to create/delete/modify
> virtual machines on just 2 hosts of our cluster.
> But I have no luck to configure the right permissions that this group
> can not modify or delete virtual machines on the hosts.
> There is no namespace like /vms/nodes or /vms/node1, just /vms.

permissions don't work on that level. you might be able to somewhat work 
around it (e.g., with a storage that is only available on a subset of 
nodes), but that is more of a hack than anything else.

> Is there any way to configure this ?
> 
> And one more question. Was exatly does the propagade option with
> permissions ?
> Does it mean to propagade given permissions through out the cluster ?

propagate means set this role on subpaths as well, unless they have a 
more specific role set.

e.g., if you give some role A to user X on path /vms with propagate set, 
and additionally give role B to user X on path /vms/123, user X is 'A' 
for all VMs except 123, where they are 'B'. on recent PVE versions, you 
can use 'pveum user permissions' to get a list of effective permissions, 
either for all paths with an ACL (also available as button in the User 
management GUI), or for a specific path.