X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=README;h=33643a66ab128ab180c87a974d510e6009655bcf;hp=f20c4de8111c7dee30518d215df6ad2f2db25677;hb=HEAD;hpb=68d5a86d1ad4bda368efa6ac7426f68302365a37 diff --git a/README b/README index f20c4de..3ce3eae 100644 --- a/README +++ b/README @@ -37,7 +37,7 @@ LDAP: example.com There are 2 special authentication domains name 'pve' and 'pam': - * pve: stores paswords to "/etc/pve/priv/shadow.cfg" (SHA256 crypt); + * pve: stores passwords to "/etc/pve/priv/shadow.cfg" (SHA256 crypt); * pam: use unix 'pam' @@ -82,6 +82,7 @@ privileges: VM.Console: console access to VM VM.Monitor: access to VM monitor (kvm) VM.Backup: backup/restore VMs + VM.Clone: Clone VM or VM template VM.Audit: view VM config VM.Config.XXX: modify VM config @@ -95,6 +96,7 @@ privileges: VM.Config.Options: modify any other VM configuration Pool.Allocate: create/remove/modify a pool. + Pool.Audit: view a pool Datastore.Allocate: create/remove/modify a data store. Datastore.AllocateSpace: allocate space on a datastore @@ -130,7 +132,7 @@ privileges: role: - defines a sets of priviledges + defines a sets of privileges predefined roles: 
@@ -152,11 +154,19 @@ permission: ACL and Objects: ================ -An access control list (ACL) is a list of permissions attached to an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on the object. - -Object: A Virtual machine, Network (bridge, venet), Hosts, Host Memory, Storage, ... - -We can identify our objects by an unique (file system like) path, which also defines a tree like hierarchy relation. ACL can be inherited. Permissions are inherited if the propagate flag is set on the parent. Child permissions always overwrite inherited permissions. User permission takes precedence over all group permissions. If multiple group permission apply the resulting role is the union of all those group priviledges. +An access control list (ACL) is a list of permissions attached to an object. +The list specifies who or what is allowed to access the object and what +operations are allowed to be performed on the object. + +Object: A Virtual machine, Network (bridge, venet), Hosts, Host Memory, +Storage, ... + +We can identify our objects by an unique (file system like) path, which also +defines a tree like hierarchy relation. ACL can be inherited. Permissions are +inherited if the propagate flag is set on the parent. Child permissions always +overwrite inherited permissions. User permission takes precedence over all +group permissions. If multiple group permission apply the resulting role is the +union of all those group privileges. There is at most one object permission per user or group
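Review bot: In the VM.Clone hunk (@@ -82,6 +82,7 @@), the new description "Clone VM or VM template" breaks the lowercase style of its neighbours ("backup/restore VMs", "view VM config"); suggest "clone a VM or VM template". It would also help operators to state whether VM.Clone on its own is enough or whether the target storage additionally needs Datastore.AllocateSpace, which this file lists as a separate privilege, since a reader sizing a least-privilege role will want to know which privileges must be combined.

Review bot: In the Pool.Audit hunk (@@ -95,6 +96,7 @@), the added line "Pool.Audit: view a pool" has no trailing period while the neighbouring "Pool.Allocate: create/remove/modify a pool." does; pick one form for the block. If any of the predefined roles listed further down are meant to carry the new read-only Pool.Audit privilege, that list should be updated in the same change so the documented roles match the privilege table.

Review bot: In the role hunk (@@ -130,7 +132,7 @@), the spelling fix still leaves "defines a sets of privileges"; it should read "defines a set of privileges".

Review bot: In the ACL rewrap hunk (@@ -152,11 +154,19 @@), since the paragraphs are being rewritten anyway, two remaining grammar slips could be fixed in the same pass: "an unique (file system like) path" should be "a unique (file system like) path", and "If multiple group permission apply" should be "If multiple group permissions apply". The sentence describing precedence (child overrides inherited, user overrides group, union across groups) is the part an administrator relies on to reason about effective access, so keeping it exact and unambiguous matters more than the line wrapping.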