add more privileges, improve docs

[pve-access-control.git] / PVE / AccessControl.pm

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index 0dce3e62a0f3ad0760f8b2bde06af6ff23c385e0..47b010f98eb0b00bfe5c89bc76c4ac92ff7f4a0b 100644 (file)
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -548,16 +548,23 @@ my $privgroups = {
     VM => {
        root => [],
        admin => [           
-           'VM.Modify', 
+           'VM.Config.Disk', 
+           'VM.Config.CDROM', 
+           'VM.Config.CPU', 
+           'VM.Config.Memory', 
+           'VM.Config.Network', 
+           'VM.Config.HWType',
+           'VM.Config.Options', # covers all other things 
            'VM.Allocate', 
            'VM.Migrate',
+           'VM.Monitor', 
        ],
        user => [
            'VM.Console', 
            'VM.PowerMgmt',
        ],
        audit => [ 
-           'VM.Audit' 
+           'VM.Audit',
        ],
     },
     Sys => {
@@ -588,10 +595,21 @@ my $privgroups = {
        ],
     },
     User => {
-       root => [],
+       root => [
+           'Realm.Allocate',
+       ],
        admin => [
            'User.Modify',
-           'User.Allocate',
+           'Group.Allocate', # edit/change group settings
+           'Realm.AllocateUser', 
+       ],
+       user => [],
+       audit => [],
+    },
+    Pool => {
+       root => [],
+       admin => [
+           'Pool.Allocate', # create/delete pools
        ],
        user => [],
        audit => [],