
Proxmox User Permissions

To protect your virtual environment, Druva interacts directly with the Proxmox Virtual Environment (PVE) APIs. This connection gives Druva the access it needs to back up and recover virtual machines.

Supported Authentication Methods

Druva provides backup and restore capabilities using PAM realm users. Configuration supports two levels of access:

  • Administrator Privilege: Uses a high-level administrative account.

  • Custom Role: Uses a least-privilege account tailored with the minimum permissions required for backup and restore operations.

To perform backup and restore operations, the configured user must meet these baseline criteria:

  • Authentication Realm: PAM (Pluggable Authentication Modules)

  • Required User: PAM Authenticated User or user in the PAM realm (root user / custom user)

  • Required Role: Administrator / custom role

    For more information on how to create a custom role, see Define the custom backup and restore role.

  • Access Scope: Datacenter level (propagated to all nodes and storage)

Choosing your authentication method

Before configuring Druva, decide whether you want to connect using the default Root account or a Custom non-root user.

Using the root account

You can use the default root user with the built-in Administrator role, or you can create a custom user with the Administrator role.

The Administrator role in Proxmox includes complete access to all resources and operations required for backup and restore. The following are the specific areas of access:

  • Virtual Machine Management to

    • create/delete snapshots

    • create/delete VMs

    • modify VM configurations (CPU/RAM/Network) for recovery

    • manage power states (Start/Stop) during restores

  • Storage and Disk Access to

    • read/write VM disks

    • allocate storage volumes for restores

    • access backup metadata

  • Datacenter and Cluster Management to

    • access cluster-wide configurations

    • view resource inventory

    • monitor node status to find VMs regardless of which physical server they are on

Using the custom account

Alternatively, you can create a custom account and a custom role with the following permissions.

Define the custom backup and restore role

Next, we create a specific role within Proxmox VE containing the exact granular permissions required for backup operations.

  1. Log into the Proxmox VE Web UI.

  2. Navigate to Datacenter > Permissions > Roles.

  3. Click Create.

  4. In the dialog box, configure:

    1. Name: druva_backup_restore

    2. Privileges: Select the relevant privileges required for data operations (for example, Datastore.Allocate, Datastore.AllocateSpace, Datastore.Audit, VM.Audit, etc.).

  5. Click Create.

    You must add these privileges to the role to perform backup and restore.

    • Datastore.Allocate

    • Datastore.AllocateSpace

    • SDN.Allocate

    • SDN.Audit

    • SDN.Use

    • Sys.AccessNetwork

    • Sys.Audit

    • Sys.Modify

    • Sys.PowerMgmt

    • Sys.Syslog

    • VM.Allocate

    • VM.Audit

    • VM.Config.CPU

    • VM.Config.Disk

    • VM.Config.HWType

    • VM.Config.Memory

    • VM.Config.Network

    • VM.Config.Options

    • VM.Console

    • VM.GuestAgent.Audit

    • VM.GuestAgent.FileRead

    • VM.GuestAgent.FileSystemMgmt

    • VM.GuestAgent.FileWrite

    • VM.GuestAgent.Unrestricted

    • VM.PowerMgmt

    • VM.Snapshot

    • VM.Snapshot.Rollback

Create a custom user

Now, register the Linux OS user inside the Proxmox user management interface. The OS account itself is created on the host as described in Add a custom user to the Proxmox node.

  1. Navigate to Datacenter > Permissions > Users.

  2. Click Add.

  3. Fill out the Add: User modal with the following details:

    1. User name: proxmox_user

    2. Realm: Linux PAM standard authentication (pam)

    3. Expire: <expiry_date>

    4. Enabled: Checked

    5. First Name / Last Name: Optional (e.g., DruvaProxmox Proxmox)

    6. E-Mail: Optional (for example, druva_user@druva.org)

  4. Click Add.

Assign permissions to the user

The final step maps the user to the custom role at the root level so it propagates across the cluster resources.

  1. Navigate to Datacenter > Permissions.

  2. Click the Add dropdown button and select User Permission.

  3. In the Add: User Permission modal, configure:

    1. Path: / (This gives permissions across the entire datacenter root)

    2. User: proxmox_user@pam

    3. Role: druva_backup_restore

    4. Propagate: Checked (Ensures sub-nodes, VMs, and storages inherit this permission)

  4. Click Add.

Add a custom user to the Proxmox node

To create and configure a non-root Linux PAM user (proxmox_user) on the Proxmox host:

  1. Open the Proxmox Node Shell or SSH into your Proxmox host as root.

  2. Run the adduser command to create the user account:

    adduser proxmox_user

  3. Set a strong password when prompted, confirm it, and fill out (or skip) the user details.

  4. Add the user to the sudo administrative group:

    usermod -aG sudo proxmox_user

  5. Configure passwordless sudo access specifically for this user by adding the following sudoers rule. It lets proxmox_user run any command as any user without a password prompt, so that backup automation scripts or agents can run commands unattended:

    proxmox_user ALL=(ALL) NOPASSWD:ALL

Verification

  1. Under Datacenter > Permissions, you should see an entry showing path / mapping proxmox_user@pam to the druva_backup_restore role with propagation set to true.

  2. The user can perform backup workflows only after the setproxmoxcred command has been run with this user.
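
A scripted form of verification step 1, as an added example that is not Druva's or Proxmox's own tooling: it compares the role and ACL recorded in a Proxmox user configuration file against the privilege list on this page and reports privileges that are missing from the role or present beyond the list. It assumes the colon-separated role: and acl: line layout of /etc/pve/user.cfg; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Druva or Proxmox code): audit a user.cfg against this page.
# Assumption: role:/acl: lines are laid out as in /etc/pve/user.cfg.
ROLE=druva_backup_restore
USERID=proxmox_user@pam

required_privs() {  # the privilege list from this page, one per line
  tr ' ' '\n' <<'EOF'
Datastore.Allocate Datastore.AllocateSpace SDN.Allocate SDN.Audit SDN.Use
Sys.AccessNetwork Sys.Audit Sys.Modify Sys.PowerMgmt Sys.Syslog VM.Allocate
VM.Audit VM.Config.CPU VM.Config.Disk VM.Config.HWType VM.Config.Memory
VM.Config.Network VM.Config.Options VM.Console VM.GuestAgent.Audit
VM.GuestAgent.FileRead VM.GuestAgent.FileSystemMgmt VM.GuestAgent.FileWrite
VM.GuestAgent.Unrestricted VM.PowerMgmt VM.Snapshot VM.Snapshot.Rollback
EOF
}

role_privs() {  # $1 = user.cfg path; privileges held by ROLE, one per line
  awk -F: -v r="$ROLE" '$1=="role" && $2==r {print $3}' "$1" | tr -d ' ' | tr ',' '\n'
}

role_diff() {  # prints "MISSING <priv>" / "EXTRA <priv>"; empty output = exact match
  { required_privs | sed 's/^/R /'; role_privs "$1" | sed 's/^/C /'; } |
  awk '$1=="R" && $2!="" {req[$2]=1} $1=="C" && $2!="" {cur[$2]=1}
       END { for (p in req) if (!(p in cur)) print "MISSING " p
             for (p in cur) if (!(p in req)) print "EXTRA " p }' | sort
}

acl_ok() {  # succeeds only if ROLE is granted to USERID at "/" with propagate=1
  awk -F: -v u="$USERID" -v r="$ROLE" '
    $1=="acl" && $2=="1" && $3=="/" {
      nu = split($4, us, ","); nr = split($5, rs, ",")
      for (i = 1; i <= nu; i++) for (j = 1; j <= nr; j++)
        if (us[i] == u && rs[j] == r) found = 1 }
    END { exit !found }' "$1"
}

sample_cfg() {  # constructed sample: lacks VM.Snapshot.Rollback, adds Permissions.Modify
  printf 'user:proxmox_user@pam:1:0:::::\n'
  printf 'role:%s:%s,Permissions.Modify:\n' "$ROLE" \
    "$(required_privs | grep -v '^VM.Snapshot.Rollback$' | paste -sd, -)"
  printf 'acl:1:/:%s:%s:\n' "$USERID" "$ROLE"
}

cfg=$(mktemp); sample_cfg > "$cfg"
role_diff "$cfg"
acl_ok "$cfg" && echo "ACL OK: $USERID -> $ROLE at / (propagate)"
rm -f "$cfg"
```

On a node, pass a copy of /etc/pve/user.cfg to role_diff and acl_ok instead of the sample; an EXTRA line means the role has grown beyond the privileges listed on this page.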
