Mon. July 21st, 2025

Hello, Proxmox VE admins! 🧑‍💻 Proxmox VE, a powerful virtualization platform, provides various features to manage not only single users but also multiple team members efficiently and securely. One of the core features is the Web GUI User Authentication (WebAuth) system.

In this post, we will go into detail about how to create users, assign roles, and apply fine-grained access control to specific resources via the Proxmox web interface. Use this guide to make your Proxmox environment more secure and efficient! 🛡️🔑

---

### Table of Contents

1. Understanding Proxmox User Authentication (WebAuth)
   - 1.1 What is an Authentication Realm?
   - 1.2 Core Components of the Proxmox Security Model
2. Step-by-Step Guide to Creating Users and Setting Permissions
   - 2.1 Accessing the Proxmox Web GUI
   - 2.2 Creating a New User
   - 2.3 (Optional) Creating a Group
   - 2.4 Understanding and Verifying Roles
   - 2.5 Granting Permissions
   - 2.6 Testing Login with a New User Account
3. Proxmox User Management Best Practices
4. Troubleshooting Tips
5. Conclusion

---

### 1. Understanding Proxmox User Authentication (WebAuth)

Proxmox's user authentication system is very flexible and powerful. It supports several types of “Authentication Realms”, which allow you to combine users, groups, roles, and permissions to meet complex requirements.

#### 1.1 What is an Authentication Realm?

Proxmox calls the way it stores and authenticates user information a “Realm”.

- PVE (Proxmox VE Authentication Server): This is Proxmox's own internal user database. It is the most common realm and the main focus of this guide, as it allows you to create and manage users directly from the web GUI. Users are represented in the format `username@pve`.
- PAM (Pluggable Authentication Modules): These are the user accounts of the underlying Linux system. The root account exists by default as `root@pam`, and Linux user accounts that SSH into the Proxmox server also belong to this Realm.
- LDAP/AD (Lightweight Directory Access Protocol / Active Directory): This is used in large enterprise environments to integrate with an existing centralized user management system.

#### 1.2 Core Components of the Proxmox Security Model

The Proxmox authorization system is made up of the following components. It is important to understand them:

- Users: These are individual accounts that log into and interact with the Proxmox system. For example, `devops-team@pve`. 🧑‍💻
- Groups: This is the unit of management for grouping multiple users. When permissions are granted to a group, all users belonging to that group inherit those permissions, allowing for efficient management. 👥
- Roles: A set of predefined permissions. Proxmox provides various built-in roles like Administrator, PVEVMAdmin, PVEAuditor, etc. For example, the PVEVMAdmin role contains permissions required for VM management, such as creating, deleting, starting, and stopping virtual machines. 📜
- Permissions: The actual setting that grants a Role to a User/Group for an Object at a specific Path. For example, grant the PVEVMUser role to the `devops-team@pve` user for VM 101 at the `/vms/101` path. 🔑

---

### 2. Step-by-Step Guide to Creating a User and Granting Permissions

Now, let's follow the step-by-step process of actually creating a user and granting permissions through the Proxmox web GUI.

#### 2.1 Accessing the Proxmox Web GUI

First, open a web browser and access the IP address or domain name of your Proxmox VE server, for example `https://your-proxmox-ip:8006`. Log in using the root user (Realm: PAM) and the password you configured during the installation.

#### 2.2 Creating a New User

Let's create a new user in Proxmox. This user will be stored in the Proxmox internal database (the pve Realm).

1. Select Datacenter from the left menu of the web GUI.
2. Click the Permissions tab in the center panel.
3. Click the Users tab and click the Add button at the top. ➕🧑‍💻
4. In the Add: User window that appears, fill in the information as follows:
   - Username: (Required) Enter a name for the new user. For example: `devops-team`
   - Realm: (Required) Select pve. (The default will be pve.)
   - Password: (Required) Enter a password for this user.
   - Confirm: (Required) Re-enter the password.
   - Email: (Optional) Enter an email address for the user. This can be used for password resets, etc.
   - Enabled: (Default: checked) Keeps this account enabled. Disabling this account will prevent logins.
   - Expire: (Optional) You can set an expiration date for the account.
   - Comment: (Optional) Add a description for the account.
5. Once you have filled in all the information, click the Add button.

You have now created a new user called `devops-team@pve`!

#### 2.3 (Optional) Creating a Group

If you need to grant the same permissions to multiple users, it can be very efficient to create and manage groups.

1. In Datacenter > Permissions, click the Groups tab.
2. Click the Create button at the top. 👨‍👩‍👧‍👦
3. In the Create: User Group window, enter a Name. For example, `dev-engineers`
4. Enter a Comment and click Create.

The `dev-engineers` group has now been created. Let’s add the `devops-team@pve` user we created earlier to this group.

1. Go back to the Datacenter > Permissions > Users tab.
2. Select the `devops-team@pve` user and click the Add to Group button at the top.
3. Select the `dev-engineers` group from the drop-down menu and click Add.

The `devops-team@pve` user is now a member of the `dev-engineers` group.

#### 2.4 Understanding and Verifying Roles

Proxmox provides various built-in roles that can be used to grant permissions for specific operations.

1. In Datacenter > Permissions, click the Roles tab. 📜
2. Here you can see the list of different roles provided by Proxmox. You can click on each role to see what privileges it contains.
   - Administrator: Super administrator with full privileges. This is very powerful, so grant it carefully.
   - PVEVMAdmin: Full administrative privileges on Virtual Machines (VMs) and Containers (CTs). (Create, delete, start, stop, snapshot, etc.)
   - PVEVMUser: Basic user privileges on VMs/CTs. (Console access, start/stop, create snapshot, etc.)
   - PVEDatastoreAdmin: Storage administrative privileges.
   - PVEAuditor: Read-only access to system logs, settings, etc.

It is a security best practice to combine these roles to grant the minimum privileges required to users or groups.

#### 2.5 Granting Permissions

Now it’s time to grant permissions to the user (`devops-team@pve`) or group (`dev-engineers`) you created for specific resources (VMs, nodes, storage, etc.).

1. In Datacenter > Permissions, click the Permissions tab.
2. Click the Add button at the top and select User Permission or Group Permission.

In this example, we will grant permissions directly to the `devops-team@pve` user. Select User Permission. In the Add: User Permission window, set the following:

- Path: The path to the resource to which you want to grant permissions. You can select it from the drop-down menu or type it in directly.
  - `/`: Permissions for the entire Proxmox cluster. (Use with extreme caution; use this only when granting maximum permissions!)
  - `/nodes/your-node-name`: Permissions for a specific node (physical server).
  - `/vms/VMID`: Permissions for a specific virtual machine (VM) or container (CT). Example: `/vms/101`
  - `/storage/storage-id`: Permissions for a specific storage. Example: `/storage/local-lvm`
- User/Group: The user (`devops-team@pve`) or group (`dev-engineers`) to grant the permission to.
- Role: The role to grant (e.g. PVEVMAdmin, PVEVMUser, PVEDatastoreAdmin, etc.)
- Propagate: (Optional) Whether this permission should be propagated down to descendants. Typically checked.

Example scenarios:

Example 1: Grant access only to a specific VM (with ID 101) 🎯💻

Allow user `devops-team@pve` to manage only VM ID 101.

- Path: `/vms/101` (or select VM 101 from the dropdown)
- User: `devops-team@pve`
- Role: PVEVMAdmin (full administrative privileges on the VM) or PVEVMUser (user privileges, including console access)
- Propagate: Checked

Example 2: Grant administrative privileges on all resources (VMs, storage) on a specific node (pve01) 🌐⚙️

Enable the user `devops-team@pve` to have administrative privileges on all VMs and storage on the node called pve01.

- Path: `/nodes/pve01` (replace with your node name)
- User: `devops-team@pve`
- Role: PVEVMAdmin, PVEDatastoreAdmin (you need to add both permissions) or Administrator (very powerful, be careful)
- Propagate: Checked

Tip: Granting the PVEVMAdmin role to the `/nodes/pve01` path will grant administrative permissions to all VMs/CTs on that node. If you want to grant storage permissions as well, you'll need to separately add the PVEDatastoreAdmin role to the `/nodes/pve01` path.

Example 3: Granting administrative permissions to a specific group (dev-engineers) for local-lvm storage 💾

Configure all users belonging to the `dev-engineers` group to only access and manage the storage named local-lvm.

- Path: `/storage/local-lvm` (or select local-lvm storage from the dropdown)
- Group: `dev-engineers`
- Role: PVEDatastoreAdmin
- Propagate: Checked

Set the desired permissions and click the Add button.

#### 2.6 Testing Login with the New User Account

Now log out of the `root@pam` account and log in with the newly created user to verify that the permissions have been applied properly. ✅

1. In the Proxmox web GUI, click on `root@pam` in the top right corner and select Logout.
2. In the login screen, enter `devops-team` (or the username you created) in Username, select pve in Realm, enter your password and click Login.
3. After logging in, verify that the resources (VMs, storages, nodes, etc.) can be seen and manipulated only within the scope of the permissions granted to the user. For example, if you grant permissions only to a specific VM, other VMs will not be visible or you will receive a “Permission denied” message when accessing them.

---

### 3. Proxmox User Management Best Practices

Here are some tips to make your Proxmox environment more secure and efficient. 🔒🔄

- Principle of Least Privilege: Grant users and groups only the minimum privileges necessary. Never grant all users the Administrator role.
- Use Strong Passwords: Encourage all users to use complex and strong passwords, and instruct them to change them periodically.
- Use Groups: It is much better for management efficiency to grant permissions to groups rather than individual users. Divide the groups by team or role.
- Review Permissions Regularly: Team members and roles may change over time. Review the permission settings in Proxmox regularly and remove unnecessary permissions.
- Consider enabling Two-Step Verification (MFA): Proxmox offers the ability to enable Two-Step Verification (TOTP, Google Authenticator, etc.) for PVE Realm users. This is a very important step that can greatly enhance security. (Go to Datacenter > Permissions > Users, select a user, and configure it in the TFA tab.)
- Remove unnecessary accounts: Immediately disable or delete the accounts of people who have left the company or who no longer require access to Proxmox.

---

### 4. Troubleshooting Tips 💡

- “Permission denied” errors: If you are receiving a “Permission denied” error when trying to perform a certain action, it is likely that the user (or group) does not have the required permissions, or the permission path is incorrectly set. Double-check the permissions set in Datacenter > Permissions > Permissions.
- Account locking: If you have forgotten your password or your account is locked, you can log in as `root@pam` to reset the user's password and check the account status.
- Check the Logs: When an issue occurs, checking the system logs (`/var/log/syslog` or `/var/log/daemon.log`) of the Proxmox server can provide useful clues.

---

### 5. Conclusion 🚀✨

The user authentication (WebAuth) system of the Proxmox web GUI is a powerful tool that allows you to manage your Proxmox VE environment with multiple users safely and efficiently. By understanding the core concepts of users, groups, roles, and permissions, and setting them in detail while following the principle of least privilege, you can strengthen security and reduce management burden.

We hope that you have thoroughly learned the basics of Proxmox user management through this guide. Please follow along slowly and find the optimal permission settings for your Proxmox environment! We hope that you will build a safe and efficient Proxmox environment!
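
To support the regular permission review and least-privilege advice in the best practices above, here is an added example (not part of the original post and not Proxmox's own code) that parses ACL entries and flags Administrator grants, propagating grants at `/`, and direct user grants. It assumes the `acl:<propagate>:<path>:<subjects>:<roles>:` line layout of `/etc/pve/user.cfg`; the sample input and the `contractor@pve` account are constructed.

```python
# Added example: audit Proxmox ACL entries for over-broad grants.
# Assumption: each ACL line is "acl:<propagate>:<path>:<subjects>:<roles>:"
# as stored in /etc/pve/user.cfg, with group names prefixed by "@".

# Constructed sample: the grants from this guide plus one risky grant.
SAMPLE_CFG = """\
group:dev-engineers:devops-team@pve::
acl:1:/vms/101:devops-team@pve:PVEVMAdmin:
acl:1:/storage/local-lvm:@dev-engineers:PVEDatastoreAdmin:
acl:1:/nodes/pve01:devops-team@pve:PVEVMAdmin,PVEDatastoreAdmin:
acl:1:/:contractor@pve:Administrator:
"""


def parse_acls(text):
    """Yield (propagate, path, subject, role) for every grant in the text."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 5 or fields[0] != "acl":
            continue  # skip user, group, role and blank lines
        propagate, path = fields[1] == "1", fields[2]
        for subject in filter(None, fields[3].split(",")):
            for role in filter(None, fields[4].split(",")):
                yield propagate, path, subject, role


def audit(text):
    """Return (severity, path, subject, role, reason) tuples worth reviewing."""
    findings = []
    for propagate, path, subject, role in parse_acls(text):
        if role == "Administrator":
            reason = ("high", "Administrator role granted")
        elif path == "/" and propagate:
            reason = ("medium", "cluster-wide grant that propagates")
        elif not subject.startswith("@"):
            reason = ("info", "direct user grant; prefer a group")
        else:
            continue  # scoped group grant: nothing to report
        findings.append((reason[0], path, subject, role, reason[1]))
    return findings


if __name__ == "__main__":
    for severity, path, subject, role, reason in audit(SAMPLE_CFG):
        print(f"[{severity}] {subject} has {role} on {path}: {reason}")
```

Run it against a copy of the configuration file rather than the sample to get a review list ordered as the grants appear in the file.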
