encryption can be configured.
+[[pveum_tfa_auth]]
Two factor authentication
-------------------------
https://developers.yubico.com/Software_Projects/YubiKey_OTP/YubiCloud_Validation_Servers/[
host your own verification server].
+[[pveum_user_configured_totp]]
User configured TOTP authentication
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A user can choose to use 'TOTP' as a second factor on login via the 'TFA' button
in the user list, unless the realm enforces 'YubiKey OTP'.
+[thumbnail="screenshot/gui-datacenter-users-tfa.png"]
+
After opening the 'TFA' window, the user is presented with a dialog to setup
'TOTP' authentication. The 'Secret' field contains the key, which can simply be
generated randomly via the 'Randomize' button. An optional 'Issuer Name' can be
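Review bot: the thumbnail added here is followed by an added empty line before "After opening the 'TFA' window", while the `gui-datacenter-role-add.png` thumbnail added later in this patch is followed directly by its paragraph. Use one form for both so the two screenshots attach to their paragraphs the same way.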
recommended to test the configuration with multiple browsers, as changing the
'AppId' later will render existing 'U2F' registrations unusable.
+[[pveum_user_configured_u2f]]
Activating U2F as a user
~~~~~~~~~~~~~~~~~~~~~~~~
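Review bot: the id `pveum_user_configured_u2f` does not mirror its heading "Activating U2F as a user", whereas `pveum_user_configured_totp` matches "User configured TOTP authentication". Either rename the id (for example to something like `pveum_user_activate_u2f`) or align the heading, so cross-references to the two sections stay predictable.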
You can see the whole set of predefined roles on the GUI.
-Adding new roles can be done via both GUI and the command line, like
-this:
+Adding new roles can be done via both GUI and the command line.
+[thumbnail="screenshot/gui-datacenter-role-add.png"]
+For the GUI just navigate to 'Permissions -> User' Tab from 'Datacenter' and
+click on the 'Create' button, there you can set a name and select all desired
+roles from the 'Privileges' dropdown box.
+
+To add a role through the command line you can use the 'pveum' CLI tool, like
+this:
[source,bash]
----
pveum roleadd PVE_Power-only -privs "VM.PowerMgmt VM.Console"
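Review bot: the new GUI paragraph is about adding a role, but it sends the reader to 'Permissions -> User' and tells them to "select all desired roles from the 'Privileges' dropdown box". A role is built from privileges, as the `-privs "VM.PowerMgmt VM.Console"` example right below shows, so this should presumably name the roles tab and read "select all desired privileges". Since this text guides what access a role ends up granting, the wording should be exact. Two smaller points in the same paragraph: "click on the 'Create' button, there you can" is a comma splice, better split into two sentences, and 'pveum' is in single quotes here while the CLI section later in this patch writes it as `pveum`.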
`["perm", <path>, [ <privileges>... ], <options>...]`::
The `path` is a templated parameter (see
-<<pveum_templated_paths,Objects and Paths>>). All (or , if the `any`
+<<pveum_templated_paths,Objects and Paths>>). All (or, if the `any`
option is used, any) of the listed
privileges must be allowed on the specified path. If a `require-param`
option is specified, then its specified parameter is required even if the
-----------------
Most users will simply use the GUI to manage users. But there is also
-a full featured command line tool called `pveum` (short for ``**P**roxmox
+a fully featured command line tool called `pveum` (short for ``**P**roxmox
**VE** **U**ser **M**anager''). Please note that all Proxmox VE command
line tools are wrappers around the API, so you can also access those
-function through the REST API.
+functions through the REST API.
Here are some simple usage examples. To show help type: