+[[chapter_user_management]]
ifdef::manvolnum[]
-PVE({manvolnum})
-================
+pveum(1)
+========
include::attributes.txt[]
-
:pve-toplevel:
NAME
DESCRIPTION
-----------
endif::manvolnum[]
-
ifndef::manvolnum[]
User Management
===============
include::attributes.txt[]
-endif::manvolnum[]
-
-ifdef::wiki[]
:pve-toplevel:
-endif::wiki[]
+endif::manvolnum[]
// Copied from pve wiki: Revision as of 16:10, 27 October 2015
objects (VMs, storages, nodes, etc.) granular access can be defined.
+[[pveum_users]]
Users
-----
{pve} stores user attributes in `/etc/pve/user.cfg`.
Passwords are not stored here, users are instead associated with
-<<authentication-realms,authentication realms>> described below.
+<<pveum_authentication_realms,authentication realms>> described below.
Therefore a user is internally often identified by its name and
realm in the form `<userid>@<realm>`.
assigned to this user.
+[[pveum_groups]]
Groups
~~~~~~
much shorter access control list which is easier to handle.
-[[authentication-realms]]
+[[pveum_authentication_realms]]
Authentication Realms
---------------------
host your own verification server].
+[[pveum_permission_management]]
Permission Management
---------------------
representing the target of these actions.
+[[pveum_roles]]
Roles
~~~~~
natural tree, and permissions of higher levels (shorter path) can
optionally be propagated down within this hierarchy.
-[[templated-paths]]
+[[pveum_templated_paths]]
Paths can be templated. When an API call requires permissions on a
templated path, the path may contain references to parameters of the API
call. These references are specified in curly braces. Some parameters are
* `/vms`: Covers all VMs
* `/vms/{vmid}`: Access to specific VMs
* `/storage/{storeid}`: Access to a storages
-* `/pool/{poolname}`: Access to VMs part of a <<resource-pools,pool>
+* `/pool/{poolname}`: Access to VMs part of a <<pveum_pools,pool>>
* `/access/groups`: Group administration
* `/access/realms/{realmid}`: Administrative access to realms
* Permissions replace the ones inherited from an upper level.
+[[pveum_pools]]
Pools
~~~~~
Each(`and`) or any(`or`) further element in the current list has to be true.
`["perm", <path>, [ <privileges>... ], <options>...]`::
-The `path` is a templated parameter (see <<templated-paths,Objects and
-Paths>>). All (or , if the `any` option is used, any) of the listed
+The `path` is a templated parameter (see
+<<pveum_templated_paths,Objects and Paths>>). All (or , if the `any`
+option is used, any) of the listed
privileges must be allowed on the specified path. If a `require-param`
option is specified, then its specified parameter is required even if the
API call's schema otherwise lists it as being optional.
`<username>@<realm>`.
`["perm-modify", <path>]`::
-The `path` is a templated parameter (see <<templated-paths,Objects and
-Paths>>). The user needs either the `Permissions.Modify` privilege, or,
+The `path` is a templated parameter (see
+<<pveum_templated_paths,Objects and Paths>>). The user needs either the
+`Permissions.Modify` privilege, or,
depending on the path, the following privileges as a possible substitute:
+
* `/storage/...`: additionally requires 'Datastore.Allocate`
projects / pve-docs.git / blobdiff