+[[chapter_user_management]]
ifdef::manvolnum[]
-PVE({manvolnum})
-================
+pveum(1)
+========
include::attributes.txt[]
+:pve-toplevel:
NAME
----
pveum - Proxmox VE User Manager
-SYNOPSYS
+SYNOPSIS
--------
include::pveum.1-synopsis.adoc[]
DESCRIPTION
-----------
endif::manvolnum[]
-
ifndef::manvolnum[]
User Management
===============
include::attributes.txt[]
+:pve-toplevel:
endif::manvolnum[]
// Copied from pve wiki: Revision as of 16:10, 27 October 2015
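Review bot: the new man page title `pveum(1)` hardcodes the section number even though the enclosing `ifdef::manvolnum[]` block still keys on the `{manvolnum}` attribute; the replaced `PVE({manvolnum})` had the wrong name but the right mechanism, so `pveum({manvolnum})` (with a matching underline) would keep the name fix without freezing the section. The `SYNOPSYS` to `SYNOPSIS` correction is good.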
objects (VMs, storages, nodes, etc.) granular access can be defined.
+[[pveum_users]]
Users
-----
{pve} stores user attributes in `/etc/pve/user.cfg`.
Passwords are not stored here, users are instead associated with
-<<authentication-realms,authentication realms>> described below.
+<<pveum_authentication_realms,authentication realms>> described below.
Therefore a user is internally often identified by its name and
realm in the form `<userid>@<realm>`.
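Review bot: renaming the anchor `[[authentication-realms]]` to `[[pveum_authentication_realms]]` drops the old id, and only the xref inside this file is updated here; any `<<authentication-realms,...>>` reference in other documents of the tree will stop resolving. Either check the rest of the docs for the old id or keep a second `[[authentication-realms]]` line next to the new anchor for compatibility.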
assigned to this user.
+[[pveum_groups]]
Groups
~~~~~~
much shorter access control list which is easier to handle.
-[[authentication-realms]]
+[[pveum_authentication_realms]]
Authentication Realms
---------------------
host your own verification server].
+[[pveum_permission_management]]
Permission Management
---------------------
representing the target of these actions.
+[[pveum_roles]]
Roles
~~~~~
----
-Objects and Paths
-~~~~~~~~~~~~~~~~~
-
-Access permissions are assigned to objects, such as a virtual machines
-(`/vms/{vmid}`) or a storage (`/storage/{storeid}`) or a pool of
-resources (`/pool/{poolname}`). We use file system like paths to
-address those objects. Those paths form a natural tree, and
-permissions can be inherited down that hierarchy.
-
-
Privileges
~~~~~~~~~~
* `Datastore.Audit`: view/browse a datastore
-Permissions
-~~~~~~~~~~~
+Objects and Paths
+~~~~~~~~~~~~~~~~~
+
+Access permissions are assigned to objects, such as a virtual machines,
+storages or pools of resources.
+We use file system like paths to address these objects. These paths form a
+natural tree, and permissions of higher levels (shorter path) can
+optionally be propagated down within this hierarchy.
+
+[[templated-paths]]
+Paths can be templated. When an API call requires permissions on a
+templated path, the path may contain references to parameters of the API
+call. These references are specified in curly braces. Some parameters are
+implicitly taken from the API call's URI. For instance the permission path
+`/nodes/{node}` when calling '/nodes/mynode/status' requires permissions on
+`/nodes/mynode`, while the path `{path}` in a PUT request to `/access/acl`
+refers to the method's `path` parameter.
-Permissions are the way we control access to objects. In technical
-terms they are simply a triple containing `<path,user,role>`. This
-concept is also known as access control lists. Each permission
-specifies a subject (user or group) and a role (set of privileges) on
-a specific path.
+Some examples are:
-When a subject requests an action on an object, the framework looks up
-the roles assigned to that subject (using the object path). The set of
-roles defines the granted privileges.
+* `/nodes/{node}`: Access to {pve} server machines
+* `/vms`: Covers all VMs
+* `/vms/{vmid}`: Access to specific VMs
+* `/storage/{storeid}`: Access to a storages
+* `/pool/{poolname}`: Access to VMs part of a <<resource-pools,pool>
+* `/access/groups`: Group administration
+* `/access/realms/{realmid}`: Administrative access to realms
Inheritance
* Permissions replace the ones inherited from an upper level.
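Review bot: the cross-reference `<<resource-pools,pool>` in the `/pool/{poolname}` example is missing its closing `>` and will not render as a link; it should read `<<resource-pools,pool>>`, and since this patch adds `[[pveum_pools]]` for the Pools section rather than `resource-pools`, confirm that id actually exists or point the xref at `<<pveum_pools,pool>>`. The removed Permissions subsection (the `<path,user,role>` triple and the description of how roles are looked up for a subject on an object path) is not re-added anywhere in this hunk, so the Inheritance text now follows the path examples without any definition of what a permission is; if it was relocated, that move should appear in the diff. Minor: "such as a virtual machines" and "Access to a storages" should drop the "a", `'/nodes/mynode/status'` should use backticks like the other paths, and `[[templated-paths]]` does not follow the `pveum_` anchor prefix used for every other anchor in this patch.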
+[[pveum_pools]]
Pools
~~~~~