+my $check_cpu_model_access = sub {
+ my ($rpcenv, $authuser, $new, $existing) = @_;
+
+ return if !defined($new->{cpu});
+
+ my $cpu = PVE::JSONSchema::check_format('pve-vm-cpu-conf', $new->{cpu});
+ return if !$cpu || !$cpu->{cputype}; # always allow default
+ my $cputype = $cpu->{cputype};
+
+ if ($existing && $existing->{cpu}) {
+ # changing only other settings doesn't require permissions for CPU model
+ my $existingCpu = PVE::JSONSchema::check_format('pve-vm-cpu-conf', $existing->{cpu});
+ return if $existingCpu->{cputype} eq $cputype;
+ }
+
+ if (PVE::QemuServer::CPUConfig::is_custom_model($cputype)) {
+ $rpcenv->check($authuser, "/nodes", ['Sys.Audit']);
+ }
+};
+