NAME
Net::Proxmox::VE::Access - Functions for the 'access' portion of the API
VERSION
version 0.43
SYNOPSIS
# assuming $obj is a Net::Proxmox::VE object
my @dir_index = $obj->access();
my @domain_index = $obj->access_domains();
my $domain = $obj->access_domains($realm);METHODS
access
Without arguments, returns the 'Directory index'.
Note: Accessible by all authenticated users.
access_domains
Gets a list of access domains (aka the Authentication domain index)
@pools = $obj->access_domains();Note: Anyone can access that, because we need that list for the login box (before the user is authenticated).
No arguments are available.
A hash will be returned which will include the following:
- realm
-
String.
- string
-
String.
- comment
-
A comment. The GUI use this text when you select a domain (Realm) on the login window.
Optional.
- tfa
-
Enum. Available options: yubico, oath
Optional.
create_access_domains
Adds an authentication server. i.e. creates a new access domain
$ok = $obj->create_access_domains( %args );
$ok = $obj->create_access_domains( \%args );%args may items contain from the following list
- realm
-
String. The id of the authentication domain you wish to add, in pve-realm format. This is required.
- type
-
Enum. This is the server type and is one of: ad, ldap, openid, pam, or pve
This is required.
- base_dn
-
String. LDAP base domain name. Optional.
- comment
-
String. This is a comment associated with the new domain, this is optional.
- default
-
Boolean. Use this domain as the default. Optional.
- domain
-
String. AD domain name. Optional.
- port
-
Integer. Server port, user '0' if you want to use the default setting. Optional.
- secure
-
Boolean. Use secure LDAPS protocol. Optional.
- user_attr
-
String. LDAP user attribute name. Optional.
get_access_domains
Gets a single access domain
$ok = $obj->get_access_domains( $realm )Where $realm is a string in pve-realm format
update_access_domains
Updates (sets) a access domain's data
$ok = $obj->update_access_domains( $realm, %args );
$ok = $obj->update_access_domains( $realm, \%args );Where $realm is a string in pve-realm format
%args may items contain from the following list
- base_dn
-
String. LDAP base domain name. Optional.
- comment
-
String. This is a comment associated with the domain, this is optional.
- default
-
Boolean. Use this domain as the default. Optional.
- domain
-
String. AD domain name. Optional.
- port
-
Integer. Server port, user '0' if you want to use the default setting. Optional.
- secure
-
Boolean. Use secure LDAPS protocol. Optional.
- user_attr
-
String. LDAP user attribute name. Optional.
delete_access_domains
Deletes a single access domain
$ok = $obj->delete_access_domains( $realm )Where $realm is a string in pve-realm format
sync_access_domains
Syncs users and/or groups from the configured LDAP to user.cfg.
$ok = $obj->sync_access_domains( $realm, %args );
$ok = $obj->sync_access_domains( $realm, \%args );NOTE: Synced groups will have the name 'name-$realm', so make sure those groups do not exist to prevent overwriting.
%args may items contain from the following list
- realm
-
String. The id of the authentication domain you wish to add, in pve-realm format. This is required.
- dry-run
-
Boolean. If set, does not write anything. Default 0
- enable-new
-
Boolean. Enable newly synced users immediately. Default 1
- remove-vanished
-
String. A semicolon-seperated list of things to remove when they or the user vanishes during a sync. The following values are possible: 'entry' removes the user/group when not returned from the sync. 'properties' removes the set properties on existing user/group that do not appear in the source (even custom ones). 'acl' removes acls when the user/group is not returned from the sync. Instead of a list it also can be 'none' (the default).
Format: ([acl];[properties];[entry]) | none
- scope
-
Enum. Select what to sync.
Possible values: users, groups, both
access_groups
Gets a list of access groups (aka the Group index)
@pools = $obj->access_groups();Note: The returned list is restricted to groups where you have 'User.Modify', 'Sys.Audit' or 'Group.Allocate' permissions on /access/groups/<<group>>.
create_access_groups
Creates a new access group
$ok = $obj->create_access_groups( %args );
$ok = $obj->create_access_groups( \%args );%args may items contain from the following list
- groupid
-
String. The id of the access group you wish to add, in pve-groupid format. This is required.
- comment
-
String. This is a comment associated with the new group, this is optional.
get_access_groups
Gets a single access group
$ok = $obj->get_access_groups( $groupid )Where $groupid is a string in pve-groupid format
update_access_groups
Updates (sets) a access group's data
$ok = $obj->update_access_groups( $groupid, %args );
$ok = $obj->update_access_groups( $groupid, \%args );Where $groupid is a string in pve-groupid format
%args may items contain from the following list
- comment
-
String. This is a comment associated with the group, this is optional.
delete_access_groups
Deletes a single access group
$ok = $obj->delete_access_groups( $groupid )Where $groupid is a string in pve-groupid format
access_roles
Gets a list of access roles (aka the Role index)
@pools = $obj->access_roles();Note: Accessible by all authententicated users.
create_access_roles
Creates a new access role
$ok = $obj->create_access_roles( %args );
$ok = $obj->create_access_roles( \%args );%args may items contain from the following list
- roleid
-
String. The id of the access role you wish to add, in pve-roleid format. This is required.
- privs
-
String. A string in pve-string-list format. Optional.
get_access_roles
Gets a single access role
$ok = $obj->get_access_roles( $roleid )Where $roleid is a string in pve-roleid format
update_access_roles
Updates (sets) a access role's data
$ok = $obj->update_access_roles( $roleid, %args );
$ok = $obj->update_access_roles( $roleid, \%args );Where $roleid is a string in pve-roleid format
%args may items contain from the following list
- privs
-
String. A string in pve-priv-list format, this is required.
- append
-
Booelean. Append privileges to existing. Optional.
delete_access_roles
Deletes a single access role
$ok = $obj->delete_access_roles( $roleid )Where $roleid is a string in pve-roleid format
access_users
Gets a list of users (aka the User index)
@pools = $obj->access_users();Note: You need 'Realm.AllocateUser' on '/access/realm/<<realm>>' on the realm of user <<userid>>, and 'User.Modify' permissions to '/access/groups/<<group>>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.
create_access_users
Creates a new user
$ok = $obj->create_access_users( %args );
$ok = $obj->create_access_users( \%args );%args may items contain from the following list
- userid
-
String. The id of the user you wish to add, in pve-userid format. This is required.
- comment
-
String. This is a comment associated with the new user, this is optional.
-
String. The users email address in email-opt format. Optional.
- enable
-
Boolean. If the user is enabled where the default is to be enabled. Disable with a 0 value. Optional.
- expire
-
Integer. Account expiration date in seconds since epoch. 0 means never expire. Optional.
- firstname
-
String. Optional.
- groups
-
String. A string in pve-groupid-list format. Optional.
- lastname
-
String. Optional.
- password
-
String. The users initial passowrd. Optional.
get_access_users
Gets a single user
$ok = $obj->get_access_users( $userid )Where $userid is a string in pve-userid format
update_access_users
Updates (sets) a user's configuration
$ok = $obj->update_access_users( $userid, %args );
$ok = $obj->update_access_users( $userid, \%args );Where $userid is a string in pve-userid format
%args may items contain from the following list
- append
-
Boolean. Optional.
- comment
-
String. This is a comment associated with the user, this is optional.
-
String. The users email address in email-opt format. Optional.
- enable
-
Boolean. If the user is enabled where the default is to be enabled. Disable with a 0 value. Optional.
- expire
-
Integer. Account expiration date in seconds since epoch. 0 means never expire. Optional.
- firstname
-
String. Optional.
- groups
-
String. A string in pve-groupid-list format. Optional.
- lastname
-
String. Optional.
delete_access_users
Deletes a single user
$ok = $obj->delete_access_users( $userid )Where $userid is a string in pve-userid format
get_access_acl
The returned list is restricted to objects where you have rights to modify permissions
$pool = $obj->get_access_acl();Note: The returned list is restricted to objects where you have rights to modify permissions.
update_access_acl
Updates (sets) an acl's data
$ok = $obj->update_access_acl( %args );
$ok = $obj->update_access_acl( \%args );%args may items contain from the following list
- path
-
String. Access control path. Required.
- roles
-
String. List of roles. Required.
- delete
-
Boolean. Removes the access rather than adding it. Optional.
- groups
-
String. List of groups. Optional.
- propagate
-
Boolean. Allow to propagate (inherit) permissions. Optional.
- users
-
String. List of users. Optional.
update_access_password
Updates a users password
$ok = $obj->update_password( %args );
$ok = $obj->update_password( \%args );Each user is allowed to change his own password. See proxmox api document for which permissions are needed to change the passwords of other people.
%args may items contain from the following list
- password
-
String. The new password. Required.
- userid
-
String. User ID. Required.
Note: Each user is allowed to change his own password. A user can change the password of another user if he has 'Realm.AllocateUser' (on the realm of user <<userid>>) and 'User.Modify' permission on /access/groups/<<group>> on a group where user <<userid>> is member of.
SEE ALSO
AUTHOR
Dean Hamstead <dean@fragfest.com.au>
COPYRIGHT AND LICENSE
This software is Copyright (c) 2025 by Dean Hamstead.
This is free software, licensed under:
The MIT (X11) License