5.5. Managing User Groups

User groups are a way of centralizing control over important management tasks, particularly access control and password policies. Three groups are created during the installation, specifically for use by IPA operations:

ipausers, which contains all users.
admins, which contains administrative users. The initial admin user belongs to this group.
editors, which is a special group for users working through the web UI. This group allows users to edit other users' entries, though without all of the rights of the admin user.

All groups in Identity Management are essentially static groups, meaning that the members of the group are manually and explicitly added to the group. Tangentially, IPA allows nested groups, where a group is a member of another group. In that case, all of the group members of the member group automatically belong to the parent group, as well.

Because groups are easy to create, it is possible to be very flexible in what groups to create and how they are organized. Groups can be defined around organizational divisions like departments, physical locations, or IPA or infrastructure usage guidelines for access controls.

NOTE

Some operating systems limit the number of groups that can be assigned to system users. For example, Solaris and AIX systems both limit users to 16 groups per user. This can be an issue when using nested groups, when a user may be automatically added to multiple groups.

When a group entry is created, it is automatically assigned certain LDAP object classes. (LDAP object classes and attributes are discussed in detail in the Directory Server Deployment Guide and the Directory Server Schema Reference.) For groups, only two attributes truly matter: the name and the description.

Table 5.3. Default Identity Management Group Object Classes

Description

Object Classes

IPA object classes

ipaobject

ipausergroup

nestedgroup

Group object classes

groupofnames

posixgroup

5.5.1. Creating User Groups

5.5.1.1. With the Web UI

Open the Identity tab, and select the User Groups subtab.
Click the Add link at the top of the groups list.
Enter all of the information for the group.
- A unique name. This is the identifier used for the group in the IPA domain, and it cannot be changed after it is created. The name cannot contain spaces, but other separators like an underscore (_) are allowed.
- A text description of the group.
- Whether the group is a Posix group, which adds Linux-specific information to the entry. By default, all groups are Posix groups unless they are explicitly configured not to be. Non-Posix groups can be created for interoperability with Windows or Samba.
- Optionally, the GID number for the group. All Posix groups require a GID number, but IPA automatically assigns the GID number.
  Setting a GID number is not necessary because of the risk of collisions. If a GID number is given manually, IPA will not override the specified GID number, even if it not unique.
Click the Add and Edit button to go immediately to the member selection page.
Select the members, as described in Section 5.5.2.1, “With the Web UI (Group Page)”.

5.5.1.2. With the Command Line

New groups are created using the group-add command. (This adds only the group; members are added separately.)

Two attributes are always required: the group name and the group description. If those attributes are not given as arguments, then the script prompts for them.

$ ipa group-add groupName --desc="description" [--nonposix]

Additionally, there is one other configuration option, --nonposix. (By default, all groups are created as POSIX groups.) To enable interoperability with Windows users and groups and programs like Samba, it is possible to create non-POSIX groups by using the --nonposix option. This option tells the script not to add the posixGroup object class to the entry.

For example:

$ ipa group-add examplegroup --desc="for examples" --nonposix

----------------------
Added group "examplegroup"
----------------------
  Group name: examplegroup
  Description: for examples
  GID: 855800010

When no arguments are used, the command prompts for the required group account information:

$ ipa group-add
Group name: engineering
Description: for engineers
-------------------------
Added group "engineering"
-------------------------
  Group name: engineering
  Description: for engineers
  GID: 387115842

IMPORTANT

When a group is created without specifying a GID number, then the group entry is assigned the ID number that is next available in the server or replica range. (Number ranges are described more in Section 5.4, “Managing Unique UID and GID Number Assignments”.) This means that a group always has a unique number for its GID number.

If a number is manually assigned to a group entry, the server does not validate that the gidNumber is unique. It will allow duplicate IDs; this is expected (though discouraged) behavior for POSIX entries.

If two entries are assigned the same ID number, only the first entry is returned in a search for that ID number. However, both entries will be returned in searches for other attributes or with ipa group-find --all.

NOTE

You cannot edit the group name. The group name is the primary key, so changing it is the equivalent of deleting the group and creating a new one.

5.5.2. Adding Group Members

5.5.2.1. With the Web UI (Group Page)

NOTE

This procedure adds a user to a group. User groups can contain other user groups as their members. These are nested groups.

It can take up to several minutes for the members of the child group to show up as members of the parent group. This is especially true on virtual machines where the nested groups have more than 500 members.

When creating nested groups, be careful not to create recursive groups. For example, if GroupA is a member of GroupB, do not add GroupB as a member of GroupA. Recursive groups are not supported and can cause unpredictable behavior.

Open the Identity tab, and select the User Groups subtab.
Click the name of the group to which to add members.
Click the Enroll link at the top of the task area.
Click the checkbox by the names of the users to add, and click the right arrows button, >>, to move the names to the selection box.
Click the Enroll button.

Group members can be users or other user groups. It can take up to several minutes for the members of the child group to show up as members of the parent group. This is especially true on virtual machines where the nested groups have more than 500 members.

5.5.2.2. With the Web UI (User's Page)

Users can also be added to a group through the user's page.

Open the Identity tab, and select the Users subtab.
Click the name of the user to edit.
Open the User Groups tab on the user entry page.
Click the Enroll link at the top of the task area.
Click the checkbox by the names of the groups for the user to join, and click the right arrows button, >>, to move the groups to the selection box.
Click the Enroll button.

5.5.2.3. With the Command Line

Members are added to a group using the group-add-member command. This command can add both users as group members and other groups as group members.

The syntax of the group-add-member command requires only the group name and a comma-separated list of users to add:

$ ipa group-add-member groupName [--users=list] [--groups=list]

For example, this adds three users to the engineering group:

$ ipa group-add-member engineering --users=jsmith,bjensen,mreynolds
  Group name: engineering
  Description: for engineers
  GID: 387115842
  Member users: jsmith,bjensen,mreynolds
-------------------------
Number of members added 3
-------------------------

Likewise, other groups can be added as members, which creates nested groups:

$ ipa group-add-member engineering --groups=dev,qe1,dev2
  Group name: engineering
  Description: for engineers
  GID: 387115842
  Member groups: dev,qe1,dev2
  -------------------------
  Number of members added 3
  -------------------------

When displaying nested groups, members are listed as members and the members of any member groups are listed as indirect members. For example:

$ ipa group-show examplegroup
  Group name: examplegroup
  Description: for examples
  GID: 93200002
  Member users: jsmith,bjensen,mreynolds
  Member groups: californiausers
  Indirect Member users: sbeckett,acalavicci

NOTE

A group member is removed using the group-remove-member command.

$ ipa group-remove-member engineering --users=jsmith

  Group name: engineering
  Description: for engineers
  GID: 855800009
  Member users: bjensen,mreynolds
---------------------------
Number of members removed 1
---------------------------

5.5.2.4. Viewing Direct and Indirect Members of a Group

User groups can contain other user groups as members. This is called a nested group. This also means that a group has two types of members:

Direct members, which are added explicitly to the group
Indirect members, which are members of the group because they are members of another user group which is a member of the group

The IPA web UI has an easy way to view direct and indirect members of a group. The members list is filtered by member type, and this can be toggled by selecting the Direct and Indirect radio buttons at the top right corner of the members list.

Figure 5.1. Indirect and Direct Members

Being able to track indirect members makes it easier to assign group membership properly, without duplicating membership.

5.5.3. Deleting User Groups

When a user group is deleted, only the group is removed. The user accounts of group members (including nested groups) are not affected. Additionally, any access control delegations that apply to that group are removed.

WARNING

Deleting a group is immediate and permanent. If any group configuration (such as delegations) is required, it must be assigned to another group or a new group created.

5.5.3.1. With the Web UI

Open the Identity tab, and select the User Groups subtab.
Select the checkbox by the name of the group to delete.
Click the Delete link at the top of the task area.
When prompted, confirm the delete action.

5.5.3.2. With the Command Line

The group-del command to deletes the specified group. For example:

$ ipa group-del examplegroup