[pve-devel] [PATCH v2 docs 01/12] pveum: add SU privilege and SA role
Fabian Grünbichler
f.gruenbichler at proxmox.com
Thu Mar 17 10:36:36 CET 2022
On March 11, 2022 12:24 pm, Oguz Bektas wrote:
> Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
> ---
> pveum.adoc | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/pveum.adoc b/pveum.adoc
> index a5c8906..5ad111a 100644
> --- a/pveum.adoc
> +++ b/pveum.adoc
> @@ -684,7 +684,8 @@ Roles
> A role is simply a list of privileges. Proxmox VE comes with a number
> of predefined roles, which satisfy most requirements.
>
> -* `Administrator`: has full privileges
> +* `SuperAdministrator`: has full privileges (equivalent to 'root at pam', be careful when giving this role to a user!)
> +* `Administrator`: has all privileges except `SuperUser`
I'd make the descriptions shorter and add the warnings as proper
warnings.
* `SuperAdministrator`: has full privileges including `SuperUser`
> * `NoAccess`: has no privileges (used to forbid access)
> * `PVEAdmin`: can do most tasks, but has no rights to modify system settings (`Sys.PowerMgmt`, `Sys.Modify`, `Realm.Allocate`)
> * `PVEAuditor`: has read only access
> @@ -727,6 +728,7 @@ We currently support the following privileges:
>
> Node / System related privileges::
>
> +* `SuperUser`: modify root-only configuration options (dangerous! don't give this privilege to untrusted users)
> * `Permissions.Modify`: modify access permissions
> * `Sys.PowerMgmt`: node power management (start, stop, reset, shutdown, ...)
> * `Sys.Console`: console access to node
SuperUser is not Node/System related though? it also affects guest
operations for example, so I'd add it either up front or last on its
own, with a warning and longer description (allows root stuff, might
require other basic privs in addition to SuperUser, danger danger,
certain actions on users with this privs are restricted, ..)
More information about the pve-devel
mailing list