Access Control

Manage users, roles, and permissions in Proxmox VE using the built-in RBAC system.

Proxmox VE uses a role-based access control (RBAC) system. Permissions are assigned by combining users, roles, and paths (resources).

Concepts

  • User: an account (e.g., admin@pve or john@pam)
  • Realm: authentication backend (pve = local, pam = Linux PAM, ldap = LDAP/AD)
  • Role: a set of privileges (e.g., PVEVMAdmin)
  • Path: a resource path (e.g., /, /vms/100, /nodes/node1)
  • Permission: user + role + path = what the user can do on that resource

Built-in roles

Role                 Description
Administrator        Full access to everything
PVEAdmin             Manage VMs, storage, and cluster
PVEVMAdmin           Full VM management
PVEVMUser            Start/stop/console VMs, no config changes
PVEDatastoreAdmin    Manage storage
PVEAuditor           Read-only access
NoAccess             Explicitly deny access

Create a user

  1. Go to Datacenter → Permissions → Users
  2. Click Add
  3. Set User name, Realm (pve for local), and password
  4. Click Add

Via CLI:

# A password given on the command line ends up in shell history and in the
# process list; "pveum passwd devops@pve" sets it with an interactive prompt instead
pveum user add devops@pve --password 'SecurePass123!' --comment "DevOps team"

Assign permissions

  1. Go to Datacenter → Permissions
  2. Click Add → User Permission
  3. Set Path (e.g., /vms to allow access to all VMs)
  4. Select User and Role
  5. Click Add

Via CLI:

# Give john@pve PVEVMAdmin on all VMs (option names match the ACL API: --users/--roles)
pveum acl modify /vms --users john@pve --roles PVEVMAdmin

# Give john@pve read-only on a specific VM; the more specific path overrides
# the role inherited from /vms, it does not add to it
pveum acl modify /vms/100 --users john@pve --roles PVEAuditor

Groups

Groups simplify permission management for teams:

pveum group add developers --comment "Development team"
# --groups sets the user's complete group list, so include every group the user should keep
pveum user modify john@pve --groups developers
pveum acl modify /vms --groups developers --roles PVEVMUser
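To make the path and group rules of the two sections above concrete, here is an added Python model (not Proxmox code) that reads acl: and group: lines in the /etc/pve/user.cfg format and resolves which roles a user holds on a path. The sample config and the abbreviated privilege sets are constructed for this example.

```python
# Offline model of how Proxmox VE resolves a user's roles on a path from acl:/group:
# lines in the /etc/pve/user.cfg format (sample is constructed). Rules modelled: walk
# the path from "/" down; roles found at a level for the user (directly or via an
# @group) REPLACE inherited ones; propagate=0 entries apply only to that exact path.
USER_CFG = """\
group:developers:john@pve::
acl:1:/vms:@developers:PVEVMUser:
acl:1:/vms/100:john@pve:PVEAuditor:
acl:0:/storage:john@pve:PVEDatastoreAdmin:
acl:1:/vms/300:john@pve:NoAccess:
"""

# Abbreviated privilege sets, enough for the checks below (not the full built-in lists).
ROLE_PRIVS = {
    "PVEVMUser": {"VM.Audit", "VM.Console", "VM.PowerMgmt"},
    "PVEAuditor": {"VM.Audit", "Datastore.Audit"},
    "PVEDatastoreAdmin": {"Datastore.Allocate", "Datastore.Audit"},
    "NoAccess": set(),  # explicit deny: replaces inherited roles with nothing
}

def parse_user_cfg(text):
    """Return acl {path: [(propagate, subject, role)]} and groups {name: {users}}."""
    acl, groups = {}, {}
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "group":
            groups[f[1]] = set(filter(None, f[2].split(",")))
        elif f[0] == "acl":
            for subject in f[3].split(","):
                for role in f[4].split(","):
                    acl.setdefault(f[2], []).append((f[1] == "1", subject, role))
    return acl, groups

def effective_roles(acl, groups, user, path):
    parts = [p for p in path.split("/") if p]
    prefixes = ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]
    roles = set()
    for prefix in prefixes:
        here = set()
        for propagate, subject, role in acl.get(prefix, []):
            if not propagate and prefix != prefixes[-1]:
                continue  # propagate=0 does not flow down to child paths
            via_group = subject.startswith("@") and user in groups.get(subject[1:], ())
            if subject == user or via_group:
                here.add(role)
        if here:
            roles = here  # a deeper match overrides, never extends, inherited roles
    return roles

def has_priv(acl, groups, user, path, priv):
    roles = effective_roles(acl, groups, user, path)
    return any(priv in ROLE_PRIVS.get(r, ()) for r in roles)
```

Run it against your own user.cfg content to check, before handing out credentials, that a deeper ACL such as /vms/100 really narrows what a group grant on /vms allows.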

Two-factor authentication

Enable 2FA in Datacenter → Permissions → Two Factor:

  • TOTP (Google Authenticator, Authy)
  • WebAuthn (hardware key: YubiKey, etc.)
  • Recovery keys for backup access

Enforce 2FA for every user of a realm (here the local pve realm). Once a realm requires TFA, users in it who have not yet configured a TOTP key can no longer log in, so enrol them first:

# In the realm configuration the TOTP method is named "oath"
pveum realm modify pve --tfa type=oath

API tokens

Create API tokens for automation without sharing user passwords:

  1. Datacenter → Permissions → API Tokens → Add
  2. Select user, set token ID
  3. Optionally enable Privilege Separation to limit token scope

Via CLI:

# Create token; the secret is printed once at creation and cannot be retrieved later
pveum user token add john@pve automation --privsep 1

# With privilege separation the token has only the permissions granted to it
# explicitly (and never more than its user); assign them to the token ID
pveum acl modify /vms --tokens 'john@pve!automation' --roles PVEVMAdmin

Audit log

All login attempts and permission changes are logged. View them in Datacenter → Cluster log or:

# Successful logins are logged as "successful auth for user '...'" and
# failures as "authentication failure; ... user=... msg=..."
journalctl -u pvedaemon | grep -iE "auth|login|permission|acl"