user-management

Group Management

Manage user groups including POSIX and non-POSIX groups with support for nested membership. Groups can contain users, other groups, and Kerberos services. Features include external group membership for Active Directory trust integration, group membership managers for delegated administration, automatic GID assignment, and flexible membership management for organizing users and services.

10 commands
user-management

Overview

Groups in FreeIPA provide flexible mechanisms for organizing users, services, and other groups into logical collections for access control, policy application, and administrative delegation. Groups serve as fundamental building blocks in the IPA authorization model, appearing in HBAC rules, sudo rules, role assignments, and traditional POSIX file permissions.

FreeIPA supports three distinct group types, each serving different use cases within the identity management ecosystem. POSIX groups provide traditional UNIX group functionality with numeric group identifiers for file system permissions and process ownership. Non-POSIX groups offer lightweight organizational containers without file system semantics, useful for policy grouping and IPA-specific authorizations. External groups bridge trust boundaries, allowing users from Active Directory or other trusted domains to be mapped into the local IPA authorization framework.

Groups can contain multiple membership types simultaneously. Direct members include individual user accounts, while nested group membership allows groups to contain other groups, creating hierarchical organizational structures. Service members enable groups to contain Kerberos service principals, useful for managing collections of services with shared access requirements. This flexible membership model supports complex organizational topologies while maintaining clear authorization boundaries.

Group Types and Characteristics

POSIX Groups

POSIX groups represent traditional UNIX groups with numeric group identifiers (GID). These groups appear in file system permissions, process group ownership, and standard UNIX authorization contexts. When IPA clients retrieve user information through SSSD, POSIX group memberships are evaluated and presented to the operating system for access control decisions.

Each POSIX group requires a unique GID number within the IPA domain. IPA automatically assigns GID values from configured ID ranges when not explicitly specified, ensuring uniqueness across the domain. Manual GID assignment is supported for migration scenarios or specific organizational requirements. Changing a group’s GID after creation is possible but requires careful consideration, as existing file system permissions referencing the old GID will not automatically update.

POSIX groups support both direct and nested membership. In traditional POSIX environments, only direct user members are visible through standard system interfaces like getent group. However, IPA’s SSSD integration can optionally resolve nested group membership, making indirect members visible to the operating system based on configuration.

Non-POSIX Groups

Non-POSIX groups provide organizational containers without UNIX group semantics. These groups lack GID numbers and do not appear in traditional file system permissions. Non-POSIX groups are primarily used within IPA’s own authorization model for HBAC rules, sudo rules, role membership, and other IPA-managed policies.

Non-POSIX groups can be converted to POSIX groups using group-mod --posix, which assigns a GID and enables UNIX group functionality. This conversion is one-way; POSIX groups cannot be demoted to non-POSIX status. This design ensures that once a GID is assigned and potentially referenced in file permissions, it remains stable and consistent.

Non-POSIX groups are particularly useful when creating organizational structures that have no file system implications. For example, a “developers” group might be POSIX for file permissions, while a “developers-americas” subgroup might be non-POSIX if it only affects HBAC rules or role assignments.

External Groups

External groups enable integration with Active Directory trusts and other external identity sources. These special groups accept members identified by Security Identifiers (SID) from trusted domains rather than IPA user accounts. External groups must be marked as both non-POSIX and external during creation.

External groups cannot directly participate in POSIX authorization contexts. Instead, they are nested within regular POSIX groups to grant access to trusted domain users. This two-tier model maintains clean separation between external identity sources and local authorization policies. External users authenticate against their home domain but receive authorization through IPA group membership.

When adding external members, FreeIPA accepts several identifier formats: raw SID values, DOMAIN\username format, or username@domain format. IPA attempts to resolve user/group names to SIDs using the trusted domain’s Global Catalog, enabling administrators to use familiar names rather than opaque SID values.

Group Naming Constraints

Group names must follow specific formatting rules enforced at creation and modification:

  • Cannot consist solely of numeric digits
  • Must begin with a letter, number, underscore (_), or period (.)
  • May contain letters, numbers, underscores, periods, or hyphens (-)
  • May end with a letter, number, underscore, period, hyphen, or dollar sign ($)

These constraints ensure compatibility with LDAP naming requirements, POSIX group name conventions, and Kerberos principal formatting. Group names are case-sensitive within IPA’s directory but are typically managed in lowercase to avoid confusion.

Group ID (GID) Management

POSIX groups require unique numeric group identifiers. FreeIPA manages GID allocation through configured ID ranges, automatically assigning sequential GID values when not explicitly specified. Manual GID assignment is supported through the --gid option during group creation.

GID changes are supported but have significant implications. File system objects record ownership by numeric GID, not group name. Changing a group’s GID does not update existing file permissions, potentially orphaning files with the old GID. Before modifying a GID, administrators should inventory affected systems and plan permission updates.

IPA enforces GID uniqueness within each ID range. Attempting to create or modify a group with a duplicate GID fails with an error. This ensures that GID-based authorization remains unambiguous across the domain.

Nested Group Membership

Groups can contain other groups as members, creating hierarchical organizational structures. Nested membership enables administrators to build complex authorization topologies while maintaining clear organizational boundaries. For example, “engineering” might contain “developers” and “qa-team” as subgroups, which themselves contain individual user accounts.

In POSIX contexts, nested group resolution behavior depends on SSSD configuration. The ldap_group_nesting_level parameter controls how deeply SSSD resolves nested membership when presenting group information to the operating system. IPA’s HBAC and sudo evaluations always resolve nested groups regardless of SSSD settings.

Circular group membership (A contains B, B contains A) is prevented by IPA’s membership validation logic. Attempting to create circular references fails with an error indicating the membership would create a loop.

Service principals can be group members, enabling administrators to create groups of related services for access control purposes. In POSIX contexts, only user members are visible; service members only affect IPA-specific authorization contexts.

Group Membership Managers

Membership managers enable delegated group administration without granting full group modification privileges. Users or groups designated as membership managers can add or remove members from a specific group but cannot modify other group attributes like description, GID, or group type.

This delegation model supports organizational workflows where team leads manage their team’s membership without requiring full administrative access. For example, a project manager might be designated as membership manager for their project’s group, allowing them to add new team members without involving central IT staff.

Both individual users and groups can be membership managers. Assigning a group as membership manager enables anyone in that manager group to administer the target group’s membership. This creates flexible delegation hierarchies.

Membership managers can add or remove all membership types: users, groups, services, and (for external groups) external SIDs. The membership manager privilege applies uniformly across all member types.

External Group Integration with Active Directory

External groups bridge Active Directory trusts, mapping AD users and groups into IPA’s authorization framework. This integration enables trusted domain users to access IPA-managed resources while maintaining authentication against their home domain.

The typical integration pattern involves three components:

  1. An external non-POSIX group containing AD SIDs
  2. A regular POSIX group for authorization
  3. Nested membership connecting the external group to the POSIX group

When an AD user authenticates, IPA retrieves their SID from the authentication context. If that SID appears in an external group, and that external group is nested within POSIX groups, the user receives the effective permissions of those POSIX groups.

IPA resolves AD user and group names to SIDs using the trusted domain’s Global Catalog. This resolution enables administrators to specify external members using familiar formats (DOMAIN\username or user@domain) rather than opaque SID strings. The resolved SID is stored, ensuring membership remains valid even if the name changes in the trusted domain.

Examples

Basic Group Management

Create a new POSIX group with automatic GID assignment:

ipa group-add --desc='Engineering team' engineering

Create a POSIX group with a specific GID (useful for migration scenarios):

ipa group-add --gid=10000 --desc='Legacy application group' legacyapp

Create a non-POSIX group for IPA-only authorization:

ipa group-add --nonposix --desc='Policy group for HBAC' hbac_users

Convert a non-POSIX group to POSIX (one-way operation):

ipa group-mod --posix hbac_users

Delete a group:

ipa group-del engineering

Display comprehensive group information including all members:

ipa group-show engineering --all

Search for groups matching a pattern:

ipa group-find engineering

Search for all POSIX groups:

ipa group-find --posix

Find groups containing a specific user:

ipa group-find --users=jsmith

Membership Management

Add individual users to a group:

ipa group-add-member --users=jsmith engineering

Add multiple users in a single operation:

ipa group-add-member --users=jsmith --users=alee --users=mchen engineering

Create nested group structure (add group to another group):

ipa group-add --desc='Development team' developers
ipa group-add --desc='QA team' qa_team
ipa group-add-member --groups=developers --groups=qa_team engineering

Add service principals to a group for service management:

ipa group-add-member --services=HTTP/web.example.com engineering

Remove a user from a group:

ipa group-remove-member --users=jsmith engineering

Remove multiple members at once:

ipa group-remove-member --users=jsmith --groups=contractors engineering

Membership Manager Delegation

Designate a user as membership manager (can add/remove members but not modify group attributes):

ipa group-add-member-manager --users=teamlead engineering

Designate a group as membership manager (anyone in the manager group can manage membership):

ipa group-add --desc='Engineering managers' eng_managers
ipa group-add-member-manager --groups=eng_managers engineering

Remove membership manager privileges:

ipa group-remove-member-manager --users=teamlead engineering

External Group Integration with Active Directory

Create external group for mapping AD users:

ipa group-add --external --desc='External AD Domain Admins' ad_domain_admins_external

Create corresponding POSIX group for authorization:

ipa group-add --desc='AD Domain Admins' ad_domain_admins

Add AD users/groups by name (IPA resolves to SID):

ipa group-add-member ad_domain_admins_external --external 'AD\Domain Admins'
ipa group-add-member ad_domain_admins_external --external 'AD\alice'
ipa group-add-member ad_domain_admins_external --external 'bob@ad.example.com'

Link external group to POSIX group for effective permissions:

ipa group-add-member ad_domain_admins --groups ad_domain_admins_external

Verify external group membership (shows resolved SIDs):

ipa group-show ad_domain_admins_external --all

Remove external member:

ipa group-remove-member ad_domain_admins_external --external 'AD\alice'

Advanced Group Operations

Modify group description:

ipa group-mod --desc='Updated description' engineering

Change group GID (impacts existing file permissions):

ipa group-mod --gid=10500 engineering

Detach a user’s private group (created automatically with user account):

ipa group-detach jsmith

Rename a group:

ipa group-mod --rename=engineering_team engineering

Search for groups in specific roles:

ipa group-find --in-roles=helpdesk

Find groups used in HBAC rules:

ipa group-find --in-hbacrules=allow_admins

Use Cases

Department-Based Organizational Structure

Scenario: Organization with engineering, sales, and operations departments needs group hierarchy.

Solution:

# Create top-level department POSIX groups
ipa group-add engineering --desc="Engineering department" --posix
ipa group-add sales --desc="Sales department" --posix
ipa group-add operations --desc="Operations department" --posix

# Create sub-teams as nested groups
ipa group-add backend-dev --desc="Backend developers" --posix
ipa group-add frontend-dev --desc="Frontend developers" --posix
ipa group-add devops --desc="DevOps team" --posix

# Nest sub-teams under departments
ipa group-add-member engineering --groups=backend-dev,frontend-dev,devops

# Add users to sub-teams
ipa group-add-member backend-dev --users=alice,bob
ipa group-add-member frontend-dev --users=charlie,diana

# Users in backend-dev are automatically members of engineering

Active Directory Trust User Integration

Scenario: AD users need access to Linux infrastructure via IPA trust.

Solution:

# Create external group for AD users
ipa group-add ad_linux_users_ext --desc="AD Linux users external" --external

# Add AD group to external group
ipa group-add-member ad_linux_users_ext --external 'AD\Domain Users'

# Create POSIX group for actual authorization
ipa group-add ad_linux_users --desc="AD Linux users" --posix

# Nest external group within POSIX group
ipa group-add-member ad_linux_users --groups=ad_linux_users_ext

# Use ad_linux_users in HBAC, sudo, file permissions
# AD Domain Users members now have POSIX group membership

Delegated Group Management for Team Leads

Scenario: Project managers need to manage their project team membership without admin rights.

Solution:

# Create project group
ipa group-add project-phoenix --desc="Project Phoenix team" --posix

# Create project managers group
ipa group-add project-managers --desc="Project managers" --posix
ipa group-add-member project-managers --users=alice,bob

# Grant project managers membership management rights
ipa group-add-member-manager project-phoenix --groups=project-managers

# Alice and Bob can now add/remove members from project-phoenix
# (as alice)
ipa group-add-member project-phoenix --users=charlie,diana

Service Principal Collections

Scenario: Manage web service principals collectively for certificate operations.

Solution:

# Create non-POSIX group for service collection
ipa group-add web-services --desc="Web application services" --nonposix

# Add service principals to group
ipa group-add-member web-services \
    --services=HTTP/web01.example.com \
    --services=HTTP/web02.example.com \
    --services=HTTP/web03.example.com

# Use group in certificate policies or access controls
# All web services managed collectively

Multi-Tier Access Control

Scenario: Different access levels for junior, senior, and lead engineers.

Solution:

# Create hierarchical access groups
ipa group-add eng-junior --posix
ipa group-add eng-senior --posix
ipa group-add eng-lead --posix

# Create umbrella engineering group
ipa group-add engineering --posix
ipa group-add-member engineering \
    --groups=eng-junior,eng-senior,eng-lead

# Add users to appropriate levels
ipa group-add-member eng-junior --users=alice,bob
ipa group-add-member eng-senior --users=charlie,diana
ipa group-add-member eng-lead --users=eve

# Create HBAC rules with different scopes
# Junior: dev servers only
ipa hbacrule-add eng-junior-access
ipa hbacrule-add-user eng-junior-access --groups=eng-junior
ipa hbacrule-add-host eng-junior-access --hostgroups=dev-servers

# Senior: dev + staging
ipa hbacrule-add eng-senior-access
ipa hbacrule-add-user eng-senior-access --groups=eng-senior
ipa hbacrule-add-host eng-senior-access --hostgroups=dev-servers,staging-servers

# Lead: all environments
ipa hbacrule-add eng-lead-access
ipa hbacrule-add-user eng-lead-access --groups=eng-lead
ipa hbacrule-add-host eng-lead-access --hostcat=all

GID-Based File Sharing

Scenario: Shared project directory with group-based permissions.

Solution:

# Create POSIX group for project
ipa group-add project-data --desc="Project data access" --posix --gid=10000

# Add team members
ipa group-add-member project-data --users=alice,bob,charlie

# On file server, create shared directory
mkdir /shared/project-data
chgrp 10000 /shared/project-data
chmod 2770 /shared/project-data  # SGID for file ownership

# All group members can read/write files
# New files inherit group ownership due to SGID bit

Migration from Legacy Group Infrastructure

Scenario: Migrating from NIS with existing GID assignments.

Solution:

# Import groups with specific GID values
ipa group-add legacy-users --posix --gid=5000
ipa group-add legacy-admins --posix --gid=5001
ipa group-add legacy-ops --posix --gid=5002

# File ownership on migrated systems matches existing GIDs
# No permission changes needed during migration

Cross-Functional Team with Temporary Access

Scenario: Temporary cross-functional project needs users from multiple departments.

Solution:

# Create temporary project group
ipa group-add temp-migration-2024 --desc="2024 Migration Project" --posix

# Add users from different departments
ipa group-add-member temp-migration-2024 \
    --users=eng-alice,sales-bob,ops-charlie

# Grant access to project resources
ipa hbacrule-add migration-access
ipa hbacrule-add-user migration-access --groups=temp-migration-2024
ipa hbacrule-add-host migration-access --hostgroups=migration-servers

# After project completion, remove group
ipa hbacrule-del migration-access
ipa group-del temp-migration-2024

Security Considerations

External group SID trust boundary: External groups accept SIDs from trusted domains. AD trust compromise could inject malicious SIDs gaining unauthorized access. Monitor trust health and audit external group membership.

Nested group privilege escalation: Users in nested groups inherit parent group permissions. Deep nesting hierarchies can obscure actual user permissions. Document group hierarchies clearly and limit nesting depth.

Membership manager delegation risk: Membership managers can add any user to groups. Malicious membership manager could grant themselves access to sensitive resources by adding their account to privileged groups. Grant membership manager status carefully.

GID conflicts enable permission bypass: Duplicate GIDs between groups cause ambiguous file ownership. Unauthorized users could access files if their group shares GID with authorized group. Ensure GID uniqueness.

Service principal group members visibility: Service principals in groups may not be obvious during permission audits. Service compromise could grant unintended access if service belongs to privileged groups. Audit service group memberships.

Group deletion orphans file ownership: Deleting POSIX groups leaves files owned by orphaned GIDs. These files may become accessible to newly created groups receiving the recycled GID. Always audit file ownership before group deletion.

External group name resolution caching: AD user/group names resolve to SIDs at addition time. If AD name changes, SID remains unchanged and membership persists. This can preserve access after AD renames, defeating name-based access revocations.

Non-POSIX to POSIX conversion one-way: Once converted to POSIX, groups cannot revert to non-POSIX. GID assignment is permanent. Plan POSIX conversions carefully as mistakes cannot be undone without recreating groups.

Group naming conflicts across trusts: Groups with same name but different SIDs can exist across trust boundaries. Ambiguous references could target wrong group. Always use fully qualified group names when working across trusts.

Circular membership prevention not foolproof: While direct circular references are blocked, complex multi-hop circular paths might evade detection temporarily. Monitor group membership topology for complex circular patterns.

SSSD group caching staleness: SSSD caches group memberships for performance. Urgent membership revocations may not take effect immediately. Clear SSSD cache for critical access removals: sssctl cache-expire --users=username.

Private groups default creation: User private groups created automatically consume GID space. Long-term deployments may exhaust GID ranges. Plan GID range sizes accommodating expected user growth.

Troubleshooting

Cannot create POSIX group - GID already in use:

# Find which group has the GID
ipa group-find --gid=10000

# Either:
# 1. Use different GID
ipa group-add newgroup --posix --gid=10001

# 2. Delete conflicting group first (if safe)
ipa group-del conflicting-group
ipa group-add newgroup --posix --gid=10000

User not showing as group member on client systems:

# Verify membership in IPA
ipa group-show groupname

# Check on client system
getent group groupname

# If mismatch, clear SSSD cache
sudo sssctl cache-expire --users=username --groups
sudo systemctl restart sssd

# Verify again
id username

External group membership not working for AD users:

# Verify external group created correctly
ipa group-show ad_ext_group
# Should show: External group: True

# Verify SID added correctly
ipa group-show ad_ext_group --all | grep "External member"

# Verify POSIX group nests external group
ipa group-show posix_group | grep "Member groups"

# Test AD user resolution
id 'aduser@ad.example.com'
# Should show posix_group membership

# If not working, clear cache
sudo sssctl cache-expire --everything

Nested group members not visible in POSIX contexts:

# SSSD must be configured to resolve nested groups
# Check SSSD configuration
grep ldap_group_nesting_level /etc/sssd/sssd.conf

# Default is 2, increase if needed
# /etc/sssd/sssd.conf:
[domain/example.com]
ldap_group_nesting_level = 4

sudo systemctl restart sssd

# Test nested resolution
id username
# Should show parent group memberships

Cannot convert non-POSIX group to POSIX:

# Verify group is non-POSIX
ipa group-show groupname | grep "GID"
# If GID already present, already POSIX

# Convert to POSIX
ipa group-mod groupname --posix

# Optionally specify GID
ipa group-mod groupname --posix --gid=10000

# Verify conversion
ipa group-show groupname | grep "GID"

Circular membership error when adding group:

# Symptom: "This entry is already a member"

# Check existing membership
ipa group-show group-a | grep "Member groups"
ipa group-show group-b | grep "Member groups"

# Identify circular path
# If A contains B, cannot add A to B

# Solution: Restructure group hierarchy
# Remove one direction of membership
ipa group-remove-member group-a --groups=group-b

Membership manager cannot add members:

# Verify membership manager status
ipa group-show targetgroup --all | grep "Membership managed by"

# If missing, add membership manager
ipa group-add-member-manager targetgroup --users=manager

# Verify manager can authenticate
# (as manager)
klist

# Retry member addition
ipa group-add-member targetgroup --users=newuser

Group deletion fails - “group is not empty”:

# Remove all members first
ipa group-show groupname
# Note all members

# Remove users
ipa group-remove-member groupname --users=user1,user2

# Remove nested groups
ipa group-remove-member groupname --groups=subgroup1

# Remove services if present
ipa group-remove-member groupname --services=HTTP/host.example.com

# Retry deletion
ipa group-del groupname

GID change causes file permission issues:

# Files owned by old GID become orphaned

# Find files with old GID
find /path -gid 10000 -exec ls -l {} \;

# Update ownership to new GID
find /path -gid 10000 -exec chgrp 10001 {} \;

# Or use group name (if group exists on system)
find /path -group oldname -exec chgrp newgroup {} \;

External member not resolving from AD:

# Verify trust is functional
ipa trust-show ad.example.com

# Test AD name resolution
# From IPA server:
wbinfo --name-to-sid 'AD\Domain Users'

# If resolution fails, trust has issues
# Verify AD connectivity
ping dc.ad.example.com

# Check winbind status
systemctl status sssd

Private group conflicts with organizational group:

# User private groups created automatically
# May conflict with desired group names

# Find conflicting private group
ipa group-find --private

# Either:
# 1. Delete user private group (if safe)
ipa group-del username

# 2. Use different name for organizational group
ipa group-add username-team --posix

Cannot find group by GID:

# group-find doesn't support direct GID search

# List all groups and filter
ipa group-find --posix --all | grep -A5 "GID: 10000"

# Or search for group name if known
ipa group-show groupname | grep GID

Group member count incorrect:

# Count direct vs indirect members
ipa group-show groupname | grep "Member users"

# Check for nested groups
ipa group-show groupname | grep "Member groups"

# Each nested group contributes indirect members
# Total count = direct + all nested memberships

External group SID format errors:

# Symptom: "invalid SID format"

# Use supported formats:
# Raw SID:
ipa group-add-member ext-group --external 'S-1-5-21-xxx-xxx-xxx-512'

# Domain\name:
ipa group-add-member ext-group --external 'AD\Domain Admins'

# user@domain:
ipa group-add-member ext-group --external 'admingroup@ad.example.com'

# Verify SID was added
ipa group-show ext-group --all | grep "External member"

Group appears in multiple unintended contexts:

# Audit group usage across IPA
ipa group-find groupname --in-groups
ipa group-find groupname --in-hbacrules
ipa group-find groupname --in-sudorules
ipa group-find groupname --in-roles

# Remove from unintended contexts
ipa hbacrule-remove-user unwanted-rule --groups=groupname

Best Practices

Group Design and Organization

Use POSIX groups for file system permissions: Any group that needs to control access to files, directories, or processes on UNIX systems must be POSIX. Non-POSIX groups are only useful for IPA-internal authorization contexts like HBAC or sudo rules.

Leverage nested groups for organizational hierarchy: Create broad parent groups (e.g., “engineering”) that contain more specific subgroups (e.g., “developers”, “qa_team”). This enables both broad and granular access controls while maintaining clear organizational structure.

Establish consistent naming conventions: Use prefixes or suffixes to indicate group purpose (e.g., “role_”, “team_”, “app_”). This improves searchability and helps administrators quickly understand group function.

Minimize direct user membership in parent groups: Prefer adding users to specific subgroups rather than parent groups. This makes membership more granular and easier to audit. Parent groups should primarily contain other groups.

GID Management

Allow automatic GID assignment: Unless migrating existing groups or integrating with external systems requiring specific GIDs, let IPA automatically assign GID values. This prevents collisions and maintains consistent allocation.

Document manual GID assignments: When manually specifying GIDs, maintain external documentation recording the assignment rationale and any external dependencies. This prevents future conflicts and aids troubleshooting.

Avoid changing GIDs on active groups: GID changes do not update existing file permissions. If a GID change is necessary, plan for comprehensive permission audits and updates across all systems. Consider creating a new group instead.

Reserve GID ranges for different purposes: If your organization has multiple group categories (e.g., departmental, application, role-based), consider using separate GID ranges to improve organization and prevent future conflicts.

Membership Management

Use membership managers for delegation: Rather than granting full administrative access, designate team leads or managers as membership managers for their groups. This distributes administrative load while maintaining security boundaries.

Audit nested group relationships regularly: Deep or complex nesting can make effective permissions difficult to understand. Periodically review group hierarchies and flatten where possible to improve clarity.

Limit service principal membership: While services can be group members, excessive service membership in user groups can complicate access control logic. Consider separate groups for services unless there’s clear authorization overlap.

Document external group mappings: When integrating Active Directory trusts, maintain clear documentation mapping external groups to POSIX groups. This aids troubleshooting and prevents orphaned external memberships.

Security and Access Control

Minimize membership in privileged groups: Groups like “admins” or those with broad HBAC/sudo access should have minimal membership. Use nested groups to grant privilege selectively rather than adding users directly to high-privilege groups.

Regularly audit group membership: Implement periodic reviews of group membership, especially for groups controlling access to sensitive resources. Remove users who no longer require access.

Use non-POSIX groups for policy-only contexts: If a group only affects HBAC rules, sudo rules, or IPA role membership, make it non-POSIX. This prevents inadvertent file system permission implications.

Protect membership manager privileges: Membership managers have significant control over group composition. Designate managers carefully and review manager assignments regularly.

Integration and Automation

Leverage automember rules: For groups with consistent membership patterns (e.g., all users in a specific department), use automember rules to maintain membership automatically. This reduces administrative overhead and ensures consistency.

Integrate group management with HR systems: Consider scripting group membership updates based on HR system data. This ensures group membership reflects current organizational structure and reduces manual tracking.

Monitor external group SID resolution: When using external groups with AD trusts, periodically verify that SID resolution still functions correctly. Broken trust relationships can cause external members to become orphaned.

Plan for group lifecycle: Establish processes for archiving or removing obsolete groups. Unused groups clutter the directory and can complicate access control audits.

Integration with Other IPA Components

HBAC Rules

Groups appear as user and host categories in HBAC rules, controlling which users can access which hosts and services. Both POSIX and non-POSIX groups function equivalently in HBAC contexts. Nested group membership is fully resolved during HBAC evaluation.

Sudo Rules

Sudo rules reference groups to determine which users can execute privileged commands on which hosts. As with HBAC, nested groups are resolved during sudo policy evaluation, enabling flexible privilege delegation hierarchies.

Role-Based Access Control (RBAC)

IPA roles can have group members, granting all members of the group the role’s privileges. This enables efficient privilege management for teams or departments.

Automember Rules

Automember rules automatically populate group membership based on user or host attributes. For example, all users with a specific department attribute can automatically become members of the department’s group.

User Private Groups

Each user automatically receives a private group with the same name as their username. These groups can be detached using group-detach if organizational policy requires shared primary groups.

Host Groups

While user groups and host groups are separate entities, they follow similar conceptual models. Both support nesting and appear in HBAC/sudo rules, creating parallel organizational structures for users and systems.

Commands

group-add

Usage: ipa [global-options] group-add GROUP-NAME [options]

Create a new group.

Arguments

ArgumentRequiredDescription
GROUP-NAMEyesGroup name

Options

OptionDescription
--desc DESCGroup description
--gid GIDGID (use this option to set it manually)
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--nonposixCreate as a non-POSIX group
--externalAllow adding external non-IPA members from trusted domains
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.

group-add-member

Usage: ipa [global-options] group-add-member GROUP-NAME [options]

Add members to a group.

Arguments

ArgumentRequiredDescription
GROUP-NAMEyesGroup name

Options

OptionDescription
--external EXTERNALMembers of a trusted domain in DOM\name or name@domain form
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.
--users USERSusers to add
--groups GROUPSgroups to add
--services SERVICESservices to add
--idoverrideusers IDOVERRIDEUSERSUser ID overrides to add

group-add-member-manager

Usage: ipa [global-options] group-add-member-manager GROUP-NAME [options]

Add users that can manage members of this group.

Arguments

ArgumentRequiredDescription
GROUP-NAMEyesGroup name

Options

OptionDescription
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.
--users USERSusers to add
--groups GROUPSgroups to add

group-del

Usage: ipa [global-options] group-del GROUP-NAME [options]

Delete group.

Arguments

ArgumentRequiredDescription
GROUP-NAMEyesGroup name

Options

OptionDescription
--continueContinuous mode: Don’t stop on errors.

group-detach

Usage: ipa [global-options] group-detach GROUP-NAME [options]

Detach a managed group from a user.

Arguments

ArgumentRequiredDescription
GROUP-NAMEyesGroup name

group-find

Usage: ipa [global-options] group-find [CRITERIA] [options]

Search for groups.

Arguments

Argument Required Description


CRITERIA no A string searched in all relevant object attributes

Options

OptionDescription
--group-name GROUP-NAMEGroup name
--desc DESCGroup description
--gid GIDGID (use this option to set it manually)
--timelimit TIMELIMITTime limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMITMaximum number of entries returned (0 is unlimited)
--privatesearch for private groups
--posixsearch for POSIX groups
--externalsearch for groups with support of external non-IPA members from trusted domains
--nonposixsearch for non-POSIX groups
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--pkey-onlyResults should contain primary key attribute only (“group-name”)
--users USERSSearch for groups with these member users.
--no-users NO-USERSSearch for groups without these member users.
--groups GROUPSSearch for groups with these member groups.
--no-groups NO-GROUPSSearch for groups without these member groups.
--services SERVICESSearch for groups with these member services.
--no-services NO-SERVICESSearch for groups without these member services.
--idoverrideusers IDOVERRIDEUSERSSearch for groups with these member User ID overrides.
--no-idoverrideusers NO-IDOVERRIDEUSERSSearch for groups without these member User ID overrides.
--in-groups IN-GROUPSSearch for groups with these member of groups.
--not-in-groups NOT-IN-GROUPSSearch for groups without these member of groups.
--in-netgroups IN-NETGROUPSSearch for groups with these member of netgroups.
--not-in-netgroups NOT-IN-NETGROUPSSearch for groups without these member of netgroups.
--in-roles IN-ROLESSearch for groups with these member of roles.
--not-in-roles NOT-IN-ROLESSearch for groups without these member of roles.
--in-hbacrules IN-HBACRULESSearch for groups with these member of HBAC rules.
--not-in-hbacrules NOT-IN-HBACRULESSearch for groups without these member of HBAC rules.
--in-sudorules IN-SUDORULESSearch for groups with these member of sudo rules.
--not-in-sudorules NOT-IN-SUDORULESSearch for groups without these member of sudo rules.
--membermanager-users MEMBERMANAGER-USERSSearch for groups with these group membership managed by users.
--not-membermanager-users NOT-MEMBERMANAGER-USERSSearch for groups without these group membership managed by users.
--membermanager-groups MEMBERMANAGER-GROUPSSearch for groups with these group membership managed by groups.
--not-membermanager-groups NOT-MEMBERMANAGER-GROUPSSearch for groups without these group membership managed by groups.

group-mod

Usage: ipa [global-options] group-mod GROUP-NAME [options]

Modify a group.

Arguments

ArgumentRequiredDescription
GROUP-NAMEyesGroup name

Options

OptionDescription
--desc DESCGroup description
--gid GIDGID (use this option to set it manually)
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--delattr DELATTRDelete an attribute/value pair. The option will be evaluated
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--posixchange to a POSIX group
--externalchange to support external non-IPA members from trusted domains
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.
--rename RENAMERename the group object

group-remove-member

Usage: ipa [global-options] group-remove-member GROUP-NAME [options]

Remove members from a group.

Arguments

ArgumentRequiredDescription
GROUP-NAMEyesGroup name

Options

OptionDescription
--external EXTERNALMembers of a trusted domain in DOM\name or name@domain form
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.
--users USERSusers to remove
--groups GROUPSgroups to remove
--services SERVICESservices to remove
--idoverrideusers IDOVERRIDEUSERSUser ID overrides to remove

group-remove-member-manager

Usage: ipa [global-options] group-remove-member-manager GROUP-NAME [options]

Remove users that can manage members of this group.

Arguments

ArgumentRequiredDescription
GROUP-NAMEyesGroup name

Options

OptionDescription
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.
--users USERSusers to remove
--groups GROUPSgroups to remove

group-show

Usage: ipa [global-options] group-show GROUP-NAME [options]

Display information about a named group.

Arguments

ArgumentRequiredDescription
GROUP-NAMEyesGroup name

Options

OptionDescription
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.