.. image:: images/screenshots/pbs-gui-user-management.png

Proxmox Backup Server supports several authentication realms, and you need to
choose the realm when you add a new user. Possible realms are:

:pam: Linux PAM standard authentication. Use this if you want to
   authenticate as a Linux system user (users need to exist on the

:pbs: Proxmox Backup Server realm. This type stores hashed passwords in
   ``/etc/proxmox-backup/shadow.json``.

After installation, there is a single user ``root@pam``, which
corresponds to the Unix superuser. User configuration information is stored in the file
``/etc/proxmox-backup/user.cfg``. You can use the
``proxmox-backup-manager`` command line tool to list or manipulate
.. code-block:: console

   # proxmox-backup-manager user list
   ┌─────────────┬────────┬────────┬───────────┬──────────┬────────────────┬────────────────────┐
   │ userid      │ enable │ expire │ firstname │ lastname │ email          │ comment            │
   ╞═════════════╪════════╪════════╪═══════════╪══════════╪════════════════╪════════════════════╡
   │ root@pam    │ 1      │        │           │          │                │ Superuser          │
   └─────────────┴────────┴────────┴───────────┴──────────┴────────────────┴────────────────────┘
.. image:: images/screenshots/pbs-gui-user-management-add-user.png

The superuser has full administration rights on everything, so you
normally want to add other users with fewer privileges. You can create a new
user with the ``user create`` subcommand or through the web interface, under
**Configuration -> User Management**. The ``create`` subcommand lets you specify
many options like ``--email`` or ``--password``. You can update or change any
user properties using the ``update`` subcommand later (**Edit** in the GUI):
.. code-block:: console

   # proxmox-backup-manager user create john@pbs --email john@example.com
   # proxmox-backup-manager user update john@pbs --firstname John --lastname Smith
   # proxmox-backup-manager user update john@pbs --comment "An example user."
.. todo:: Mention how to set password without passing plaintext password as cli argument.
The resulting user list looks like this:

.. code-block:: console

   # proxmox-backup-manager user list
   ┌──────────┬────────┬────────┬───────────┬──────────┬──────────────────┬──────────────────┐
   │ userid   │ enable │ expire │ firstname │ lastname │ email            │ comment          │
   ╞══════════╪════════╪════════╪═══════════╪══════════╪══════════════════╪══════════════════╡
   │ john@pbs │ 1      │        │ John      │ Smith    │ john@example.com │ An example user. │
   ├──────────┼────────┼────────┼───────────┼──────────┼──────────────────┼──────────────────┤
   │ root@pam │ 1      │        │           │          │                  │ Superuser        │
   └──────────┴────────┴────────┴───────────┴──────────┴──────────────────┴──────────────────┘
Newly created users do not have any permissions. Please read the next
section to learn how to set access permissions.

If you want to disable a user account, you can do that by setting ``--enable`` to ``0``:

.. code-block:: console

   # proxmox-backup-manager user update john@pbs --enable 0

Or completely remove the user with:

.. code-block:: console

   # proxmox-backup-manager user remove john@pbs
By default, new users do not have any permissions. Instead, you need to
specify what is allowed and what is not. You can do this by assigning
roles to users on specific objects like datastores or remotes. The
following roles exist:

Disable Access - nothing is allowed.

Can view things, but is not allowed to change settings.

Can do anything on datastores.

Can view datastore settings and list content, but
is not allowed to read the actual data.

Can inspect datastore content and can do restores.

Can backup and restore owned backups.

**DatastorePowerUser**
   Can backup, restore, and prune owned backups.

Can do anything on remotes.

Can view remote settings.

**RemoteSyncOperator**
   Is allowed to read data from a remote.
.. image:: images/screenshots/pbs-gui-permissions-add.png
   :alt: Add permissions for user
Access permission information is stored in ``/etc/proxmox-backup/acl.cfg``. The
file contains 5 fields, separated using a colon (':') as a delimiter. A typical
entry takes the form:

``acl:1:/datastore:john@pbs:DatastoreBackup``

The data represented in each field is as follows:

#. The ``acl`` identifier
#. A ``1`` or ``0``, representing whether propagation is enabled or disabled,
#. The object on which the permission is set. This can be a specific object
   (single datastore, remote, etc.) or a top-level object which, with
   propagation enabled, also represents all children of that object.
#. The user for which the permission is set
#. The role being set
You can manage datastore permissions from **Configuration -> Permissions** in the
web interface. Likewise, you can use the ``acl`` subcommand to manage and
monitor user permissions from the command line. For example, the command below
will add the user ``john@pbs`` as a **DatastoreAdmin** for the datastore
``store1``, located at ``/backup/disk1/store1``:

.. code-block:: console

   # proxmox-backup-manager acl update /datastore/store1 DatastoreAdmin --userid john@pbs
You can monitor the roles of each user using the following command:

.. code-block:: console

   # proxmox-backup-manager acl list
   ┌──────────┬──────────────────┬───────────┬────────────────┐
   │ ugid     │ path             │ propagate │ roleid         │
   ╞══════════╪══════════════════╪═══════════╪════════════════╡
   │ john@pbs │ /datastore/disk1 │ 1         │ DatastoreAdmin │
   └──────────┴──────────────────┴───────────┴────────────────┘

A single user can be assigned multiple permission sets for different datastores.
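To make the five-field ``acl.cfg`` format and the propagation flag concrete, here is an added example (not code from the Proxmox Backup Server project) that parses entries and reports which roles a user holds on a given object path. It assumes a simplified resolution model, namely that an entry on an ancestor path applies only when its propagation flag is ``1``, and it uses a constructed sample file; the server's actual resolution rules may differ.

```python
from dataclasses import dataclass
from typing import List, Set

@dataclass(frozen=True)
class AclEntry:
    propagate: bool  # field 2: "1" = the role also applies to every child of path
    path: str        # field 3: the object the permission is set on
    userid: str      # field 4: the user the permission is set for
    role: str        # field 5: the role being granted

def parse_acl_line(line: str) -> AclEntry:
    """Parse one acl.cfg line of the form acl:<1|0>:<path>:<userid>:<role>."""
    fields = line.strip().split(":")
    if len(fields) != 5 or fields[0] != "acl":
        raise ValueError(f"expected 5 colon-separated fields starting with 'acl': {line!r}")
    _, flag, path, userid, role = fields
    if flag not in ("0", "1"):
        raise ValueError(f"propagation flag must be 0 or 1: {line!r}")
    if not path.startswith("/") or not userid or not role:
        raise ValueError(f"malformed acl entry: {line!r}")
    # Strip trailing slashes so "/datastore/" and "/datastore" compare equal.
    return AclEntry(flag == "1", path.rstrip("/") or "/", userid, role)

def parse_acl_cfg(text: str) -> List[AclEntry]:
    return [parse_acl_line(ln) for ln in text.splitlines() if ln.strip()]

def roles_for(entries: List[AclEntry], userid: str, target: str) -> Set[str]:
    """Roles `userid` holds on `target` (simplified model, an assumption of this
    example): an entry on exactly `target` always applies; an entry on an ancestor
    path applies only when its propagation flag is 1."""
    target = target.rstrip("/") or "/"
    roles: Set[str] = set()
    for e in entries:
        if e.userid != userid:
            continue
        # Require a "/" boundary so "/datastore" never covers "/datastores".
        is_child = e.path == "/" or target.startswith(e.path + "/")
        if e.path == target or (e.propagate and is_child):
            roles.add(e.role)
    return roles

# Constructed sample acl.cfg: line 1 is the entry quoted in the text above, line 2
# mirrors the `acl update` command (propagation 0 chosen here for illustration),
# line 3 is an invented remote entry.
SAMPLE_ACL_CFG = """\
acl:1:/datastore:john@pbs:DatastoreBackup
acl:0:/datastore/store1:john@pbs:DatastoreAdmin
acl:1:/remote:sync@pbs:RemoteSyncOperator
"""
```

Calling ``roles_for(parse_acl_cfg(SAMPLE_ACL_CFG), "john@pbs", "/datastore/store1")`` returns both roles, while ``/datastore/store2`` yields only the propagated **DatastoreBackup**.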
The naming convention is important here. For datastores on the host,
you must use the convention ``/datastore/{storename}``. For example, to set
permissions for a datastore mounted at ``/mnt/backup/disk4/store2``, you would use
``/datastore/store2`` for the path. For remote stores, use the convention
``/remote/{remote}/{storename}``, where ``{remote}`` signifies the name of the
remote (see `Remote` below) and ``{storename}`` is the name of the datastore on