Chapter 13. Managing User and Host Groups
13.1. How User and Host Groups Work in IdM
13.1.1. What User and Host Groups Are
13.1.2. Supported Group Members
User groups can contain:
- IdM users
- other IdM user groups
- external users, which are users that exist outside IdM
Host groups can contain:
- IdM servers and clients
- other IdM host groups
13.1.3. Direct and Indirect Group Members
- User 1 and User 2 are direct members of group A.
- User 3, User 4, and User 5 are indirect members of group A.

Figure 13.1. Direct and Indirect Group Membership
Example 13.1. Viewing Direct and Indirect Group Members
- Create two groups: group_A and group_B. See Section 13.2, “Adding and Removing User or Host Groups”.
- Add:
  - one user as a member of group_A
  - another user as a member of group_B
  - group_B as a member of group_A
- In the web UI: Select Identity → Groups. From the individual group types listed in the side bar on the left, select User Groups, and click the name of group_A. Switch between Direct Membership and Indirect Membership.
- From the command line: Use the ipa group-show command:

    $ ipa group-show group_A
      ...
      Member users: user_1
      Member groups: group_B
      Indirect Member users: user_2
13.1.4. User Group Types in IdM
- POSIX groups (the default)
- POSIX groups support POSIX attributes for their members. Note that groups that interact with Active Directory cannot use POSIX attributes.
- Non-POSIX groups
- All group members of this type of group must belong to the IdM domain.
- External groups
- External groups allow adding group members that exist in an identity store outside of the IdM domain. The external store can be a local system, an Active Directory domain, or a directory service.
Example 13.2. Searching for Different Types of User Groups
- Run the ipa group-find command to display all user groups.
- Run the ipa group-find --posix command to display all POSIX groups.
- Run the ipa group-find --nonposix command to display all non-POSIX groups.
- Run the ipa group-find --external command to display all external groups.
13.1.5. User and Host Groups Created by Default
Table 13.1. User and Host Groups Created by Default
Group Name | User or Host | Default Group Members
---|---|---
ipausers | User group | All IdM users
admins | User group | Users with administrative privileges, initially the default admin user
editors | User group | Users allowed to edit other IdM users in the web UI, without all the rights of an administrative user
trust admins | User group | Users with privileges to manage Active Directory trusts
ipaservers | Host group | All IdM server hosts
Note
Adding a user to the admins group grants the user administrative privileges.
Warning
Do not delete the admins group. As admins is a pre-defined group required by IdM, this operation causes problems with certain commands.
Warning
Do not delete the ipaservers host group. All hosts in ipaservers have the ability to promote themselves to an IdM server.
By default, IdM also creates a user private group for every user. These private groups have the following characteristics:
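Because membership in admins and ipaservers confers such broad rights, and because a user or host can reach those groups indirectly through a nested group (Section 13.1.3), a periodic review should look at indirect members, not just the direct ones. The following shell script is an added example, not code from the Red Hat documentation or the IdM project: it parses the text that `ipa group-show` (or `ipa hostgroup-show`) prints, separates direct from indirect members, and returns a non-zero status when a privileged group has any indirect members. The `ipa` output embedded in the script is a constructed sample in the format of Example 13.1; the group name admins and the member names are likewise constructed.

```shell
# Added example; not part of the Red Hat documentation or the IdM project.
# It parses the text that "ipa group-show" (or "ipa hostgroup-show") prints
# and separates direct from indirect members, then flags indirect members of
# a privileged group such as admins or ipaservers, because nested membership
# is easy to overlook when reviewing who holds those rights.
# The output below is a constructed sample in the format of Example 13.1;
# in production you would capture it with:  out=$(ipa group-show admins)

sample_group_show='  Group name: admins
  Description: Account administrators group
  GID: 830400000
  Member users: admin, user_1
  Member groups: helpdesk
  Indirect Member users: user_2, user_3'

# Print the items of one attribute line, one per line.
# $1 = attribute label exactly as printed, $2 = the captured command output.
members_of() {
    printf '%s\n' "$2" | sed -n "s/^ *$1: *//p" | tr ',' '\n' \
        | sed 's/^ *//; s/ *$//; /^$/d'
}

direct_users()  { members_of 'Member users' "$1"; }
direct_groups() { members_of 'Member groups' "$1"; }

# Indirect members are those reached through a nested group; user groups
# list users and host groups list hosts, so both labels are checked.
indirect_members() {
    members_of 'Indirect Member users' "$1"
    members_of 'Indirect Member hosts' "$1"
}

count_indirect() { indirect_members "$1" | wc -l | tr -d ' '; }

# Report, and return 1, when a privileged group has any indirect members.
# $1 = group name (for the report), $2 = captured "ipa group-show" output.
audit_privileged() {
    n=$(count_indirect "$2")
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $1 has $n indirect member(s) via nested groups:"
        indirect_members "$2" | sed 's/^/  - /'
        return 1
    fi
    echo "OK: every member of $1 is a direct member"
}

audit_privileged admins "$sample_group_show" || true
```

Run against live output by replacing the sample with `"$(ipa group-show admins)"` and `"$(ipa hostgroup-show ipaservers)"`; a non-zero exit from audit_privileged is what a scheduled job would alert on.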
- The user private group has the same name as the user for which it was created.
- The user is the only member of the user private group.
- GID of the private groups matches the UID of the user.
Example 13.3. Viewing User Private Groups
Use the ipa group-find --private command to display all user private groups:

    $ ipa group-find --private
    ----------------
    2 groups matched
    ----------------
      Group name: user1
      Description: User private group for user1
      GID: 830400006

      Group name: user2
      Description: User private group for user2
      GID: 830400004
    ----------------------------
    Number of entries returned 2
    ----------------------------
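The three properties listed above (same name as the user, user is the only member, GID equals the user's UID) are an invariant that can be checked from the command output. The following shell script is an added example, not code from the Red Hat documentation or the IdM project: it parses constructed samples of `ipa group-find --private` output (in the format of Example 13.3) and of `ipa user-find` output (trimmed to the User login, UID and GID fields, which those commands do print), then reports each user whose private group is missing or whose private group GID differs from the UID. The user names and ID values are constructed.

```shell
# Added example; not part of the Red Hat documentation or the IdM project.
# It checks the invariant stated above: every user's private group has the
# user's name and a GID equal to the user's UID. The inputs are constructed
# samples in the format printed by "ipa group-find --private" and
# "ipa user-find" (the user-find sample is trimmed to the fields used);
# in production you would capture them with:
#   groups=$(ipa group-find --private)   users=$(ipa user-find)

sample_private_groups='----------------
2 groups matched
----------------
  Group name: user1
  Description: User private group for user1
  GID: 830400006

  Group name: user2
  Description: User private group for user2
  GID: 830400004
----------------------------
Number of entries returned 2
----------------------------'

sample_users='---------------
3 users matched
---------------
  User login: user1
  UID: 830400006
  GID: 830400006

  User login: user2
  UID: 830400007
  GID: 830400007

  User login: user3
  UID: 830400008
  GID: 830400008
----------------------------
Number of entries returned 3
----------------------------'

# "name gid" per private group, parsed from the group-find output.
private_group_gids() {
    printf '%s\n' "$1" | awk '/^ *Group name:/ { name = $3 } /^ *GID:/ { print name, $2 }'
}

# "login uid" per user, parsed from the user-find output.
user_uids() {
    printf '%s\n' "$1" | awk '/^ *User login:/ { login = $3 } /^ *UID:/ { print login, $2 }'
}

# Compare the two listings: prints one line per user (OK, MISMATCH, MISSING)
# and returns the number of users whose private group is absent or has a
# GID different from the UID.
# $1 = "ipa group-find --private" output, $2 = "ipa user-find" output.
check_private_groups() {
    {
        private_group_gids "$1" | sed 's/^/G /'
        user_uids "$2" | sed 's/^/U /'
    } | awk '
        $1 == "G" { gid[$2] = $3 }
        $1 == "U" {
            if (!($2 in gid))       { print "MISSING  " $2 " (no private group)"; bad++ }
            else if (gid[$2] != $3) { print "MISMATCH " $2 " uid=" $3 " gid=" gid[$2]; bad++ }
            else                    { print "OK       " $2 }
        }
        END { exit bad }'
}

check_private_groups "$sample_private_groups" "$sample_users" || true
```

In the sample, user1 passes, user2 has a private group whose GID does not match its UID, and user3 has no private group at all, so the check returns 2. A mismatch is not necessarily a fault (private groups can be disabled or IDs changed deliberately), but each one is worth explaining during an account review.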