encryption can be configured.
+[[pveum_tfa_auth]]
Two factor authentication
-------------------------
https://developers.yubico.com/Software_Projects/YubiKey_OTP/YubiCloud_Validation_Servers/[
host your own verification server].
+[[pveum_user_configured_totp]]
User configured TOTP authentication
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A user can choose to use 'TOTP' as a second factor on login via the 'TFA' button
in the user list, unless the realm enforces 'YubiKey OTP'.
+[thumbnail="screenshot/gui-datacenter-users-tfa.png"]
+
After opening the 'TFA' window, the user is presented with a dialog to setup
'TOTP' authentication. The 'Secret' field contains the key, which can simply be
generated randomly via the 'Randomize' button. An optional 'Issuer Name' can be
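Review bot: The added thumbnail line for gui-datacenter-users-tfa.png is followed by an added blank line, while the gui-datacenter-role-add.png thumbnail later in this patch is followed directly by its paragraph. Please use the same placement in both places so each screenshot attaches to the paragraph that describes it, here the "After opening the 'TFA' window" paragraph.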
recommended to test the configuration with multiple browsers, as changing the
'AppId' later will render existing 'U2F' registrations unusable.
+[[pveum_user_configured_u2f]]
Activating U2F as a user
~~~~~~~~~~~~~~~~~~~~~~~~
You can see the whole set of predefined roles on the GUI.
-Adding new roles can be done via both GUI and the command line, like
-this:
+Adding new roles can be done via both GUI and the command line.
+[thumbnail="screenshot/gui-datacenter-role-add.png"]
+For the GUI just navigate to 'Permissions -> User' Tab from 'Datacenter' and
+click on the 'Create' button, there you can set a name and select all desired
+roles from the 'Privileges' dropdown box.
+
+To add a role through the command line you can use the 'pveum' CLI tool, like
+this:
[source,bash]
----
pveum roleadd PVE_Power-only -privs "VM.PowerMgmt VM.Console"
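Review bot: The added GUI instructions do not match the task they describe. The paragraph and the screenshot (gui-datacenter-role-add.png) are about creating a role, but the text sends the reader to the 'Permissions -> User' tab and then says to "select all desired roles from the 'Privileges' dropdown box". The path should name the tab where roles are created, and the last clause should read "select all desired privileges", since a role is a set of privileges, as the `pveum roleadd ... -privs` example right below shows. Access-control documentation that mixes up users, roles and privileges makes it easy to grant more than intended. Also, the comma after "click on the 'Create' button" joins two sentences; a full stop followed by "There you can set a name ..." reads better.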