User accounts


  • Users are either humans, or non-human users for services.

  • All users of a resource group are configured (e.g. visible via getent) on all hosts of a resource group.

  • The following attributes are globally unique: username and UID for users; group name and GID for groups.

  • The presence of an account alone does not imply any permission assignments.

Human users

  • The primary group is users.

  • The home directory is located in /home/$USER.

Service users

  • The primary group is service.

  • Usernames usually start with s-

  • The home directory is located in /srv/$USER.

  • No SSH login is allowed by default to support the general data protection guidelines. In exceptional cases SSH access may be granted.

  • Human users that have the sudo-srv permission in a project are allowed to change to the service user (sudo -u <service_user_name> -i) and execute commands as a service user (sudo -u <service_user_name> <command>).


Users own a separate set of permissions for every project they are a member of. Common permissions include:


Perform interactive shell login on a machine (via SSH).


Add or remove other users from the project. Define permissions for users in the project.


Sudo into service users on a machine (password not necessary)