[ Bottom of Page | Previous Page | Next Page | Contents | Index | Library Home | Legal | Search ]

Commands Reference, Volume 3

mkgroup Command


Creates a new group.


mkgroup [ -R load_module ] [ -a ] [ -A ] [ Attribute=Value ... ] Group


The mkgroup command creates a new group. The Group parameter must be a unique string of 8-byte or less and cannot be the ALL or default keywords. By default, the mkgroup command creates a standard group. To create an administrative group, specify the -a flag. You must be the root user or a user with GroupAdmin authorization to create an administrative group.

To create a group with an alternate Identification and Authentication (I&A) mechanism, the -R flag can be used to specify the I&A load module used to create the group. Load modules are defined in the /usr/lib/security/methods.cfg file.

You can use the Users application in Web-based System Manager (wsm) to change user characteristics. You could also use the System Management Interface Tool (SMIT) smit mkgroups fast path to run this command.

Restrictions on Creating Group Names

To prevent login inconsistencies, you should avoid composing group names entirely of uppercase alphabetic characters. While the mkgroup command supports multi-byte group names, it is recommended that you restrict group names to characters with the POSIX portable filename character set.

To ensure that your user database remains uncorrupted, you must be careful when naming groups. Group names must not begin with a - (dash), + (plus sign), @ (at sign), or ~ (tilde). You cannot use the keywords ALL or default in a group name. Additionally, do not use any of the following characters within a group-name string:

: Colon
" Double quote
# Pound sign
, Comma
= Equal sign
\ Back slash
/ Slash
? Question mark
' Single quote
` Back quote

Finally, the Name parameter cannot contain any space, tab, or new-line characters.


-a Creates an administrative group. Only the root user can use this flag.
-A Sets the group administrator to the person who invoked the mkgroup command.
-R load_module Specifies the loadable I&A module used to create the user.
Attribute=Value Initializes a group with a specific attribute. See the chgroup command for more information about the group attributes.


Access Control: This command should grant execute (x) access only to the root user and members of the security group. This command should be installed as a program in the trusted computing base (TCB). The command should be owned by the root user with the setuid (SUID) bit set.

Files Accessed:

Mode File
rw /etc/passwd
rw /etc/security/user
rw /etc/security/limits
rw /etc/security/environ
rw /etc/group
rw /etc/security/group
r /usr/lib/security/mkuser.default
x /usr/lib/security/mkuser.sys

Auditing Events:

Event Information
USER_Create user


Creating a group may not be supported by all loadable I&A modules. If the loadable I&A module does not support creating a group, an error is reported.


  1. To create a new group account called finance, type:

    mkgroup finance
  2. To create a new administrative group account called payroll, type:

    mkgroup -a payroll

    Only the root user can issue this command.

  3. To create a new group account called managers and set yourself as the administrator, type:

    mkgroup -A managers
  4. To create a new group account called managers and set the list of administrators to steve and mike, type:

    mkgroup adms=steve,mike managers

    The users steve and mike must already exist on the system.

  5. To create a new group that is a LDAP I&A loadable module user, type:

    mkgroup -R LDAP monsters


/usr/bin/mkgroup Contains the mkgroup command.
/etc/group Contains the basic attributes of groups.
/etc/security/group Contains the extended attributes of groups.
/etc/passwd Contains basic user information.
/etc/security/passwd Contains password information.

Related Information

The chgroup command, chgrpmem command, chuser command, lsgroup command, lsuser command, mkuser command, passwd command, pwdadm command, rmgroup command, rmuser command, setgroups command, setsenv command.

For information on installing the Web-based System Manager, see Chapter 2: Installation and System Requirements in AIX 5L Version 5.2 Web-based System Manager Administration Guide.

For more information about the identification and authentication of users, discretionary access control, the trusted computing base, and auditing, refer to the AIX 5L Version 5.2 Security Guide.

[ Top of Page | Previous Page | Next Page | Contents | Index | Library Home | Legal | Search ]