Skip to content

Create admin user

Planted: Last tended: Page Status: budding Tags: proxmox

It’s best practice to create an admin user to access Proxmox rather than relying on the default root account.  Additionally, assigning permissions through an administrative group, rather than individually, makes permission management more maintainable and scalable.  This practice might feel like overkill for a homelab, but it builds good habits and mirrors the practices you’d want to follow in a production environment.  The following sections will guide you through setting up an admin user and group with blanket permissions.

1. Create admin group

  1. navigate to Datacenter > Permissions > Groups
  2. click "Create"

  3. Create new "admin" group

    a. for name, type "admins"
    b. (optionally) add a group comment
    c. click "Create"

2. Create user

The steps below will guide you through creating a new user and making it a member of the admins group.

  1. navigate to Datacenter > Permissions > Users
  2. click "Add"

  3. Create new user

    a. type in username
    b. for Realm, select "PVE"
    c. type in desired password
    d. for Group, select the admin group created in the previous section
    e. click "Add"

Why do we use the PVE realm?

Proxmox Realms provide different authentication methods for users.  By default, Proxmox has 2 realms configured, PAM and PVE.

PAM realm users are stored on the PVE host.  To log into other PVE hosts in a cluster, you have to create the same user and credentials on each host.  The benefit of PAM users is that they can SSH into the PVE host.

PVE realm users are stored in the clustered/distributed storage along with the Proxmox cluster configuration.  These user types cannot SSH into a PVE host but can still access the host via the web console or Proxmox API.  Unless you have a specific use case, use PVE.

3. Assign permissions

The steps below assign the Administrator role at the / (root-level) path, effectively granting full Datacenter and Proxmox host access.  While this is fine for a homelab or development purposes, in production deployments, it's best to follow the principle of least privilege.  For example, if a user only needs to create and manage virtual machines, you could assign the PVEVMAdmin role at the /vms path.  

  1. Navigate to Datacenter > Permissions
  2. Click "Add"

  3. Assign permissions to "admins" group

    a. for Path, select / (root-level) path
    b. for Group, select the admins group you created in the first section
    c. for Role, select "Administrator" role
    d. click "Add"

grafts: