14.9. Real World Examples

An administrator may want to create a group of users with full administrator rights, without using the root account.

To do this, first define the group:

pveum group add admin -comment "System Administrators"

Then assign the role:

pveum acl modify / -group admin -role Administrator

Finally, you can add users to the new admin group:

pveum user modify testuser@pve -group admin

You can give read-only access to users by assigning the PVEAuditor role to users or groups.

Example 1: Allow user joe@pve to see everything

pveum acl modify / -user joe@pve -role PVEAuditor

Example 2: Allow user joe@pve to see all virtual machines

pveum acl modify /vms -user joe@pve -role PVEAuditor

If you want to delegate user management to user joe@pve, you can do that with:

pveum acl modify /access -user joe@pve -role PVEUserAdmin

User joe@pve can now add and remove users, and change other user attributes, such as passwords. This is a very powerful role, and you most likely want to limit it to selected realms and groups. The following example allows joe@pve to modify users within the realm pve, if they are members of the group customers:

pveum acl modify /access/realm/pve -user joe@pve -role PVEUserAdmin
pveum acl modify /access/groups/customers -user joe@pve -role PVEUserAdmin

Permissions on API tokens are always a subset of those of their corresponding user, meaning that an API token can’t be used to carry out a task that the backing user has no permission to do. This section will demonstrate how you can use an API token with separate privileges, to limit the token owner’s permissions further.

Give the user joe@pve the role PVEVMAdmin on all VMs:

pveum acl modify /vms -user joe@pve -role PVEVMAdmin

Add a new API token with separate privileges, which is only allowed to view VM information (for example, for monitoring purposes):

pveum user token add joe@pve monitoring -privsep 1
pveum acl modify /vms -token 'joe@pve!monitoring' -role PVEAuditor

Verify the permissions of the user and token:

pveum user permissions joe@pve
pveum user token permissions joe@pve monitoring
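To see why the monitoring token ends up with less than either role alone, here is an added Python model (not Proxmox code) of the ACL resolution this section relies on: an entry on a path applies to everything below it, and a privilege-separated token only keeps privileges that its own ACL entries and the backing user both grant. The role contents are an assumed, simplified subset of the real definitions, and the propagate flag and override rules are deliberately left out.

```python
# Simplified roles: an assumed subset, not the full Proxmox privilege lists
ROLES = {
    "Administrator": {"Sys.Modify", "User.Modify", "VM.Allocate", "VM.Audit", "VM.PowerMgmt"},
    "PVEAuditor": {"Sys.Audit", "Datastore.Audit", "VM.Audit"},
    "PVEVMAdmin": {"VM.Allocate", "VM.Audit", "VM.PowerMgmt", "VM.Config.Disk"},
    "PVEUserAdmin": {"User.Modify", "Group.Allocate"},
}
GROUPS = {"admin": {"testuser@pve"}}      # group -> members (constructed)
TOKENS = {"joe@pve!monitoring": True}     # token -> privilege separated? (-privsep 1)

# ACL entries taken from the section: (path, subject kind, subject, role)
ACL = [
    ("/", "group", "admin", "Administrator"),
    ("/vms", "user", "joe@pve", "PVEVMAdmin"),
    ("/vms", "token", "joe@pve!monitoring", "PVEAuditor"),
    ("/access/realm/pve", "user", "joe@pve", "PVEUserAdmin"),
    ("/access/groups/customers", "user", "joe@pve", "PVEUserAdmin"),
]

def ancestors(path):
    """'/vms/100' -> ['/', '/vms', '/vms/100']: entries on any of these apply."""
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]

def _collect(path, matches):
    """Union of role privileges from matching entries on the path or above it."""
    privs = set()
    for acl_path, kind, subject, role in ACL:
        if acl_path in ancestors(path) and matches(kind, subject):
            privs |= ROLES[role]
    return privs

def user_privs(user, path):
    """Privileges a user holds on a path, directly or through group membership."""
    return _collect(path, lambda kind, s: (kind == "user" and s == user)
                    or (kind == "group" and user in GROUPS.get(s, ())))

def token_privs(token, path):
    """Effective privileges of an API token on a path."""
    user = token.split("!", 1)[0]
    if not TOKENS.get(token, False):
        return user_privs(user, path)          # no privsep: identical to the user
    own = _collect(path, lambda kind, s: kind == "token" and s == token)
    return own & user_privs(user, path)        # privsep: never more than the user

if __name__ == "__main__":
    print("joe@pve on /vms/100:", sorted(user_privs("joe@pve", "/vms/100")))
    print("token on /vms/100:", sorted(token_privs("joe@pve!monitoring", "/vms/100")))
    print("joe@pve on /access/realm/pam:", sorted(user_privs("joe@pve", "/access/realm/pam")))
```

With these entries the token keeps only VM.Audit on /vms/100: the PVEAuditor privileges that joe@pve does not hold on /vms are dropped, and the delegated PVEUserAdmin role does not reach realms other than pve.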

An enterprise is usually structured into several smaller departments, and it is common that you want to assign resources and delegate management tasks to each of these. Let’s assume that you want to set up a pool for a software development department. First, create a group:

pveum group add developers -comment "Our software developers"

Now we create a new user that is a member of that group:

pveum user add developer1@pve -group developers -password

Then we create a resource pool for our development department to use:

pveum pool add dev-pool --comment "IT development pool"

Finally, we can assign permissions to that pool:

pveum acl modify /pool/dev-pool/ -group developers -role PVEAdmin

Our software developers can now administer the resources assigned to that pool.