Proxmox: delegate authorizations to users

In this tutorial, we will see how to delegate actions to a user on a virtual machine using roles.

Proxmox is a full-featured hypervisor that lets you manage authorizations on virtual machines with fine granularity.

Assume that you need to allow someone from the support team to manage power (shutdown / startup) and to access the console of a virtual machine.

Create the user in Proxmox

The first step will be to create an account.

In the web console navigation, go to Datacenter / Permissions / Users. The list of users is displayed. Click the Add button (1).

Start by entering the user's identifier (1), choose the Realm "Proxmox VE authentication server" (2), then enter the user's password (3) and click Add (4).

Here we choose the Proxmox VE authentication server realm and not PAM. To use the PAM realm, the user must also be created at the system level, which is not necessary because we only want access to the Proxmox web interface.

The user is created.

Proxmox default roles

Roles in Proxmox group together authorizations (Privileges) that can then be applied to Users or Groups.

Privileges can apply at the level of:

  • Node / System
  • VM
  • Storage
  • ….

By default, Proxmox offers several Roles, which are listed under Datacenter / Permissions / Roles.

To start in this tutorial, we will use the PVEVMUser role, a predefined role that could correspond to the needs of the support service.

Apply a role to a user on a virtual machine

To start, I will log in as the Roman user from another browser.

As you can see, I don't have access to anything.

We will configure the permission on VM 104. Start by selecting the VM (1), then go to Permissions (2).

At the moment the list is empty. Click the Add button (1), then User Permission (2).

Select the user (1) and the role (2), then click Add (3).

The permission is added.

Returning to the browser where I opened the session with Romain, I see VM 104. There is no need to log in again for the authorizations to be updated.

As you can see below, I do have access to the console and the power controls.

The other parameters are accessible but read-only.

Create a role in Proxmox

If you find the PVEVMUser role too permissive and you do not want to give access to the CDROM and Cloudinit configuration, you can create a role with access only to the console and power management.

From the Roles page in the Cluster section, click Create (1).

Start by naming the Role (1), then click the arrow to display the Privileges (2).

Select the following privileges: VM.PowerMgmt, VM.Console, VM.Audit (1), then click Create (2).

If VM.Audit is not selected, the virtual machine will not be visible in the web interface.

The Role is created.

Apply the created Role

I will not go into detail.

I applied the permission to roman on CT 100 with the Role created.

Back in the browser with the Roman user, I now have access to CT 100 with the rights configured in the Role.
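The same delegation can be scripted with the pveum command-line tool on a Proxmox node. The following is an added example, not part of the original tutorial: the user ID support1@pve and the role name SupportConsole are hypothetical, and the PVEUM variable is an assumption added so the commands can be printed in a dry run.

```shell
#!/bin/sh
# Added example: CLI version of the GUI steps above (not from the original page).
# Run as root on a Proxmox VE node. User ID and role name are hypothetical.
PVEUM="${PVEUM:-pveum}"   # set PVEUM=echo to print the commands instead of running them

# The three privileges the tutorial selects for the custom role.
SUPPORT_PRIVS="VM.Audit VM.Console VM.PowerMgmt"

# check_privs PRIV...: reject a list that lacks VM.Audit (the guest would be
# hidden in the web interface) or that grants anything beyond the three above.
check_privs() {
    seen_audit=no
    for p in "$@"; do
        case "$p" in
            VM.Audit) seen_audit=yes ;;
            VM.Console|VM.PowerMgmt) ;;
            *) echo "unexpected privilege: $p" >&2; return 2 ;;
        esac
    done
    [ "$seen_audit" = yes ] || { echo "VM.Audit missing" >&2; return 1; }
}

# delegate USERID ROLE VMID: create the user in the "pve" realm (Proxmox VE
# authentication server), create the role, and grant it on one guest only.
delegate() {
    user=$1; role=$2; vmid=$3
    case "$user" in
        *@pve) ;;
        *) echo "user must be in the pve realm, not PAM" >&2; return 1 ;;
    esac
    case "$vmid" in
        ''|*[!0-9]*) echo "VMID must be numeric" >&2; return 1 ;;
    esac
    # shellcheck disable=SC2086  # word splitting of the privilege list is intended
    check_privs $SUPPORT_PRIVS || return 1
    $PVEUM user add "$user" &&
    $PVEUM role add "$role" --privs "$SUPPORT_PRIVS" &&
    $PVEUM acl modify "/vms/$vmid" --users "$user" --roles "$role" &&
    $PVEUM user permissions "$user" --path "/vms/$vmid"   # show the effective result
}

# Example call: delegate support1@pve SupportConsole 104
```

The user is created without a password; set it afterwards with pveum passwd support1@pve so that it never appears on a command line or in shell history.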


You now know how to manage authorizations in Proxmox to delegate actions to users.



