Managing Groups
5 minute read.
TrueNAS offers groups as an efficient way to manage permissions for many similar user accounts. See Users for managing users. The interface lets you manage UNIX-style groups. If the network uses a directory service, import the existing account information using the instructions in Active Directory.
To see saved groups, go to Credentials > Groups.
By default, TrueNAS hides the built-in groups in the system. To see built-in groups, click the Show Built-In Groups toggle. The toggle turns blue and shows all built-in groups. Click the Show Built-In Groups toggle again to show only non-built-in groups on the system.
To create a group, go to Credentials > Groups and click Add.
Enter a unique number for the group ID in GID. TrueNAS uses this to identify a Unix group. Enter a number above 3000 for a group with user accounts or enter the default port number as the GID for a system service.
Enter a name for the group. The group name cannot begin with a hyphen (-) or contain a space, tab, or any of these characters: colon (:), plus (+), ampersand (&), hash (#), percent (%), carat (^), open or close parentheses ( ), exclamation mark (!), at symbol (@), tilde (~), asterisk (*), question mark (?) greater or less than (<) (>), equal (=). The dollar sign ($) can be the last character in a group name.
If required, set the sudo permissions to assign. For improved security, temporarily enable limited sudo permissions only when required to complete an administrative task and disable sudo after completing the task. See Allowing Sudo Commands for more information.
To allow Samba permissions and authentication to use this group, select SMB Group.
Using the same group ID (GID) is not permitted as it can create confusion. The operating system treats it as the same group, even if a different name is assigned.
Select SMB Group to make this group available for permissions editors over SMB protocol, and add the share ACL editor. This is not used for SMB authentication or when determining the user session token or internal permissions checks.
Click Save.
Click anywhere on a row to expand that group and show the group management buttons.
Use Members to manage membership and Edit or Delete to manage the group.
To manage group membership, go to Credentials > Groups, click on the group entry to expand it, then click Members to open the Update Members screen.
To add a user account to the group, select the user and then click the right arrow .
To remove a user account from the group, select the user and then click the left arrow .
To select multiple users, press Ctrl and click on each entry.
Click Save.
To edit an existing group, go to Credentials > Groups, expand the group entry, and click edit Edit to open the Edit Group configuration screen. See Groups Screens for details on all settings.
Never modify the settings for the standard pre-defined privileges (listed below)! Changing these pre-defined roles can result in lost access to the UI!
Pre-defined TrueNAS privileges are:
- Read-Only Administrator - Allows the user to view settings but not make changes in the UI.
- Sharing Administrator - Allows the user to create new shares and the share dataset.
- Local Administrator - Gives full control (read/write/execute permissions) to the user.
Active Directory can provision groups in TrueNAS or you can add new groups that you assign to users in AD. After adding a group, verify or edit the privilege(s) granted to the users in the group.
To configure a new privilege, go to Credentials > Groups, click on Privileges to open the Privileges screen.
Click Add to define a new privilege. For example, if you want to create an group with the ability to only perform and manage backup, replication, or some other task. You can create a new privilege to customize the functional access you want to grant.
On the New Privilege screen:
Enter a name for the new privilege. Names can include the dash (-) or underscore (_) special characters, and upper and lowercase alphanumeric characters. Make the name descriptive of the privilege. For example, Replication Administrator, Backup Administrator, iSCSI Share Admin, etc. You can create a privilege that can only manage iSCSI shares or one that can manage applications based on the selections made in the Roles field.
Click in the Local Groups field to see a list of groups on the system. To add another group, click in the field to select another group. Click the x to the right of the group name to remove that group from the privilege.
Click the down arrow at the right of the Roles field to show the list of roles configured on the system. Select all roles to include. Use the scroll bar at the right of the field to see all options.
Select Web Shell Access to allow access to the shell screen in the TrueNAS UI.
Click Save to create the new privilege.
Users assigned to the group show on the Users screen with the new privilege granted to the user in the Roles column, and the new group shows on the Groups screen with privilege listed in the Roles column.