[pve-devel] [PATCH v2 docs 01/12] pveum: add SU privilege and SA role

Fabian Grünbichler f.gruenbichler at proxmox.com
Thu Mar 17 10:36:36 CET 2022


On March 11, 2022 12:24 pm, Oguz Bektas wrote:
> Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
> ---
>  pveum.adoc | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/pveum.adoc b/pveum.adoc
> index a5c8906..5ad111a 100644
> --- a/pveum.adoc
> +++ b/pveum.adoc
> @@ -684,7 +684,8 @@ Roles
>  A role is simply a list of privileges. Proxmox VE comes with a number
>  of predefined roles, which satisfy most requirements.
>  
> -* `Administrator`: has full privileges
> +* `SuperAdministrator`: has full privileges (equivalent to 'root at pam', be careful when giving this role to a user!)
> +* `Administrator`: has all privileges except `SuperUser`

I'd make the descriptions shorter and add the warnings as proper 
warnings.

* `SuperAdministrator`: has full privileges including `SuperUser`

>  * `NoAccess`: has no privileges (used to forbid access)
>  * `PVEAdmin`: can do most tasks, but has no rights to modify system settings (`Sys.PowerMgmt`, `Sys.Modify`, `Realm.Allocate`)
>  * `PVEAuditor`: has read only access
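
Review bot: The changed `Administrator` entry narrows an existing role from "has full privileges" to "has all privileges except `SuperUser`", and the text gives no hint of this to readers who already assigned `Administrator` expecting full access; a short note next to the role list saying that existing `Administrator` assignments no longer cover root-only options would help. On the added `SuperAdministrator` line, the user name is in single quotes while the role and privilege names around it use backticks, so the quoting should be made consistent.
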
> @@ -727,6 +728,7 @@ We currently support the following privileges:
>  
>  Node / System related privileges::
>  
> +* `SuperUser`: modify root-only configuration options (dangerous! don't give this privilege to untrusted users)
>  * `Permissions.Modify`: modify access permissions
>  * `Sys.PowerMgmt`: node power management (start, stop, reset, shutdown, ...)
>  * `Sys.Console`: console access to node
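
Review bot: The added `SuperUser` entry describes the privilege as "modify root-only configuration options" without saying which options are root-only or where they are listed, so a reader cannot judge what granting it exposes. Suggest naming the affected option groups or linking to the section that does, and replacing "untrusted users" with a concrete statement of what a holder of this privilege can do.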

SuperUser is not Node/System related though? It also affects guest 
operations for example, so I'd add it either up front or last on its 
own, with a warning and longer description (allows root stuff, might 
require other basic privs in addition to SuperUser, danger danger, 
certain actions on users with these privs are restricted, ..)




