ifdef::manvolnum[]
pveum(1)
========
-include::attributes.txt[]
:pve-toplevel:
NAME
ifndef::manvolnum[]
User Management
===============
-include::attributes.txt[]
-endif::manvolnum[]
-ifdef::wiki[]
:pve-toplevel:
-endif::wiki[]
+endif::manvolnum[]
// Copied from pve wiki: Revision as of 16:10, 27 October 2015
natural tree, and permissions of higher levels (shorter path) can
optionally be propagated down within this hierarchy.
-[[templated-paths]]
+[[pveum_templated_paths]]
Paths can be templated. When an API call requires permissions on a
templated path, the path may contain references to parameters of the API
call. These references are specified in curly braces. Some parameters are
* `/vms`: Covers all VMs
* `/vms/{vmid}`: Access to specific VMs
* `/storage/{storeid}`: Access to a storages
-* `/pool/{poolname}`: Access to VMs part of a <<resource-pools,pool>
+* `/pool/{poolname}`: Access to VMs part of a <<pveum_pools,pool>>
* `/access/groups`: Group administration
* `/access/realms/{realmid}`: Administrative access to realms
Each(`and`) or any(`or`) further element in the current list has to be true.
`["perm", <path>, [ <privileges>... ], <options>...]`::
-The `path` is a templated parameter (see <<templated-paths,Objects and
-Paths>>). All (or , if the `any` option is used, any) of the listed
+The `path` is a templated parameter (see
+<<pveum_templated_paths,Objects and Paths>>). All (or , if the `any`
+option is used, any) of the listed
privileges must be allowed on the specified path. If a `require-param`
option is specified, then its specified parameter is required even if the
API call's schema otherwise lists it as being optional.
`<username>@<realm>`.
`["perm-modify", <path>]`::
-The `path` is a templated parameter (see <<templated-paths,Objects and
-Paths>>). The user needs either the `Permissions.Modify` privilege, or,
+The `path` is a templated parameter (see
+<<pveum_templated_paths,Objects and Paths>>). The user needs either the
+`Permissions.Modify` privilege, or,
depending on the path, the following privileges as a possible substitute:
+
* `/storage/...`: additionally requires 'Datastore.Allocate`