Groups Screens
The Credentials > Groups screen displays a list of groups configured on the system. By default, built-in groups are hidden until you make them visible.
When enabled, the Show Built-In Groups toggle turns blue and shows built-in groups. When disabled, the toggle turns grey and shows only non-built-in groups.
The Credentials > Groups screen displays the No groups screen if no groups other than built-in groups are configured on the system.
Add opens the Add Group configuration screen.
Privileges opens the Privileges screen.
Clicking the arrow or anywhere on a group row expands it to show the group management buttons. Use Members to manage membership and Edit or Delete to manage the group.
The Add Group and Edit Group screens show the same settings but the GID is not editable after saving changes on the Add Group screen.
Setting | Description |
---|---|
GID | (Required) Assigns the entered unique number as the group ID (GID) TrueNAS uses to identify a Unix group. Enter a number above 1000 for a group with user accounts. If a system service uses the group, the group ID must match the default port number for the service. The Edit Group screen shows the GID assigned when the group was created, but it cannot be changed. |
Name | (Required) Assigns the entered name to the group. A group name cannot begin with a hyphen (-) or contain a space, tab, or any of these characters: colon (:), plus (+), ampersand (&), hash (#), percent (%), caret (^), open or close parentheses ( ), exclamation mark (!), at symbol (@), tilde (~), asterisk (*), question mark (?), greater or less than (<) (>), equal (=). You can only use the dollar sign ($) as the last character in a group name or username. |
Privileges | Attaches a role privilege to the group as assigned and configured on the Add or Edit Privileges screens. Using custom administrator roles aside from the defaults is an experimental feature and is not supported. Do not modify the local administrator or default admin user privileges! Only use if you need users in this group to access limited areas of the TrueNAS UI or authentication for TrueNAS API calls. |
Allowed sudo commands | Permits the group members to enter the specific sudo commands in this field. Enter each command as an absolute path to the ELF (Executable and Linkable Format) executable file, for example /usr/bin/nano. Grants limited root-like permissions for group members when using these commands. Using sudo prompts the user for their account password. |
Allow all sudo commands | Enable to give group members permission to use all sudo commands. Using sudo prompts the user for their account password. |
Allowed sudo commands with no password | Permits group members to run the specific sudo commands entered in this field without entering their password. Enter each command as an absolute path to the ELF (Executable and Linkable Format) executable file, for example /usr/bin/nano. Grants limited root-like permissions for group members when using these commands. Exercise caution when allowing sudo commands without password prompts. Limit the privilege to trusted users and specific commands to minimize security risks. |
Allow all sudo commands with no password | Not recommended. Enable to give group members the ability to enter all sudo commands without needing to enter a password. Does not require specifying allowed commands. |
SMB Group | Select to make the group available for permissions editors over SMB protocol (and the share ACL editor). Not used for SMB authentication or determining the user session token or internal permissions checks. |
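The Name and sudo rows above translate directly into checks you can run over a list of group definitions before or after creating them. The following is an added example, not TrueNAS code: the dictionary keys are assumptions chosen to mirror the settings in the table, and the sample records are constructed.

```python
# Characters the Name row forbids anywhere in a group name ('$' is handled separately).
FORBIDDEN = set(" \t:+&#%^()!@~*?<>=")

def check_group_name(name):
    """Return a list of problems with a group name, per the Name row."""
    if not name:
        return ["name is required"]
    problems = []
    if name.startswith("-"):
        problems.append("name begins with a hyphen")
    bad = sorted(set(name) & FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + " ".join(repr(c) for c in bad))
    if "$" in name[:-1]:
        problems.append("'$' is only allowed as the last character")
    return problems

def audit_group(group):
    """Flag invalid or risky settings in one group record (hypothetical dict layout)."""
    findings = check_group_name(group.get("name", ""))
    # Both command lists must hold absolute paths to executables.
    for key in ("sudo_commands", "sudo_commands_nopasswd"):
        for cmd in group.get(key, []):
            if not cmd.startswith("/"):
                findings.append(f"{key}: {cmd!r} is not an absolute path")
    # Passwordless grants are the ones the table asks you to treat with caution.
    if group.get("allow_all_sudo_nopasswd"):
        findings.append("all sudo commands allowed with no password (not recommended)")
    elif group.get("sudo_commands_nopasswd"):
        findings.append("passwordless sudo granted for: "
                        + ", ".join(group["sudo_commands_nopasswd"]))
    if group.get("allow_all_sudo"):
        findings.append("all sudo commands allowed")
    return findings

# Constructed sample records, not exported from a real system.
SAMPLE_GROUPS = [
    {"name": "backup-ops", "sudo_commands": ["/usr/bin/nano"]},
    {"name": "-temp admins", "sudo_commands_nopasswd": ["nano"]},
    {"name": "machines$", "allow_all_sudo_nopasswd": True},
]

def audit_all(groups):
    """Map each group name to its list of findings (empty list means clean)."""
    return {g["name"]: audit_group(g) for g in groups}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_GROUPS).items():
        print(name, "->", findings or "ok")
```
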
The Update Members screen manages group permissions and access for large numbers of user accounts.
The right arrow adds a user account to the group after selecting the user. The left arrow removes the selected user account from the group. Hold Ctrl while clicking each entry to select multiple groups.
The Privileges feature is experimental in releases earlier than 24.10. From 24.10 onward, it is no longer experimental.
Do not edit the existing predefined administrator roles (Full Control Admin, Readonly Admin, and Sharing Admin)! Editing an unrestricted administrator account privilege can result in lost access to the system!
The Privileges screen shows pre-defined and user-configured roles defined on the system. The Privileges screens show the default administrator groups and roles and define customized groupings of roles for different local or directory service-imported account groups.
The new and edit privilege screens show the same settings but not all settings are editable.
TrueNAS Enterprise
Enterprise-licensed systems can enable Active Directory to provision groups in TrueNAS. To make this possible, join Active Directory, then go to System > Advanced Settings > Access and enable the Allow Directory Service users to access WebUI option. After enabling this, the Edit Privilege screen lists AD groups on the Groups dropdown list. See Allowing Directory Service Users to Access the UI for more information.
Add opens the New Privilege screen.
Setting | Description |
---|---|
Name | Assigns the name entered to a new privilege. Names can include the dash (-) or underscore (_) special characters, and upper and lowercase alphanumeric characters. Enter a descriptive name for the privilege. Name shows on the Edit Privilege screen but is not editable. |
Groups | Shows a list of groups configured on the system. Select a group from the dropdown list after clicking in the field. The privilege is applied to the selected group(s). |
Roles | Select from a dropdown list of all roles available to assign to the new privilege or to change an existing privilege. Only the Readonly Admin, Sharing Admin, or Full Admin roles are supported in the web UI. |
Web Shell Access | Select to allow users assigned the new privilege to access the System > Shell screen. |
Assigned administrator roles show on the Users Screen.