— LiveStream

Adding AIX users to groups on IBM AIX is done by editing a user's group set (their secondary/supplementary groups) using either the smitty user menu or the command-line chuser tool, then confirming the result with lsuser -a groups. This guide walks through both methods accurately, explains the difference between a primary and secondary group, and shows how to verify the change took effect.

The problem: a user needs membership in additional groups

A common AIX administration task is granting an existing account access to resources owned by one or more groups. For example, you may need to add the groups lipread and cvmread to the user cmanton on a host such as dmspar01 so that user can read files that those groups control.

On AIX, file and directory permissions are evaluated against a user's primary group and their secondary (supplementary) groups. Adding the user to the right secondary groups is the standard, least-privilege way to grant that access without changing file ownership or loosening permissions.

Primary group vs. group set: the key concept

Before adding AIX users to groups, understand the two distinct attributes AIX tracks for every account:

• Primary group (the pgrp attribute): the single group assigned to new files and directories the user creates. Every user has exactly one primary group at a time.
• Group set (the groups attribute): the full list of groups the user belongs to, including the primary group plus all supplementary groups. This is the field you edit when you simply want to add a user to extra groups.

Membership in a secondary group grants access immediately for new login sessions, but the user's primary group still controls the ownership of files they create. Keep both in mind so you change the correct attribute.

Prerequisites and safety checks

You must run these tasks as root (or a user with the appropriate RBAC role / sudo rights). Confirm a few things first:

• The target user already exists. Adding a brand-new user is a different task (mkuser / smitty mkuser).
• The target groups already exist. If a group is missing, create it first with mkgroup lipread or via smitty mkgroup.
• You know the user's current group memberships, so you do not accidentally drop existing groups.

Check what exists today before making any change:

1. List the user's current groups: lsuser -a groups cmanton
2. Confirm the target groups exist: lsgroup lipread cvmread

Method 1: Adding AIX users to groups with SMIT (smitty)

SMIT (the System Management Interface Tool) is AIX's menu-driven administration front end. It is the friendliest method and writes the same changes the command line does. Use the fast-path smitty user to jump straight to the user menu.

1. Log in or switch to root: su - root
2. Launch the user management menu: smitty user
3. Select Change / Show Characteristics of a User.
4. At the User NAME prompt, type the account name (for example cmanton) and press Enter. You can press F4 (or Esc+4) to pop up a selectable list of users.
5. Find the Group SET field. This holds the comma-separated list of all groups the user belongs to. To add new groups without losing existing ones, append them so the field reads, for example, bcsetl,staff,cvmread,lipread.
6. Optionally set Primary GROUP if you intend to change which group owns the user's newly created files (leave it alone if you only want to add secondary access).
7. Press Enter to commit. SMIT shows an OK status when the change succeeds.
8. Press F10 (or Esc+0) to exit SMIT.

Important: the Group SET field in SMIT is a complete replacement of the list, not an append. Always include the user's existing groups along with the new ones, or those existing memberships will be removed. This is the single most common mistake when adding AIX users to groups through SMIT.

Tip: SMIT records every action. Review smit.log and the generated command in smit.script in your home directory to see the exact chuser command SMIT ran on your behalf.

Method 2: Adding AIX users to groups with chuser (command line)

For scripting, remote sessions, or speed, the chuser command changes user attributes directly. It is what SMIT calls under the hood. The relevant attribute is groups (the group set).

Because the groups= form replaces the entire list, the safe pattern is to read the current value first, then write back the full list with your additions:

1. Read current memberships: lsuser -a groups cmanton
2. Write the complete new list (existing plus new): chuser groups=bcsetl,staff,cvmread,lipread cmanton

If you prefer not to retype the existing groups, AIX 7.x supports adjusting the list relative to its current contents using the =, +, and - operators with the multi-group syntax. The portable, always-supported approach, however, is to specify the full groups= list, which is why that form is shown above.

Other useful one-liners:

Note on the legacy chgrpmem command: AIX also ships chgrpmem, which edits membership from the group's side (for example chgrpmem -m + cmanton lipread adds cmanton to lipread). It is handy because it only touches one group at a time and will not clobber other memberships, but managing membership from the user side with chuser is the more common and clearer approach for most administrators.

Step-by-step worked example

Putting it together for the scenario of adding lipread and cvmread to cmanton, whose existing groups are bcsetl and staff:

1. Become root: su - root
2. Confirm the groups exist: lsgroup lipread cvmread
3. Read the current group set: lsuser -a groups cmanton → returns cmanton groups=bcsetl,staff
4. Apply the change with the full list: chuser groups=bcsetl,staff,cvmread,lipread cmanton
5. Verify (see the next section).

Verification: confirm the groups were added

Never assume the change worked. Verify with lsuser, which queries the user database and shows the effective attributes:

1. Show only the group set: lsuser -a groups cmanton

Expected output:

cmanton groups=bcsetl,staff,cvmread,lipread

You can also confirm both the primary group and the full set together with lsuser -a pgrp groups cmanton. To see the membership from the group's perspective, run lsgroup -a users lipread and check that cmanton appears in the list.

Session caveat: the user must start a new login session for the new group membership to take effect. Already-open shells keep the group set they were created with. Have the user log out and back in, or start a fresh session, then confirm with the id command: id cmanton lists the user's UID, primary GID, and all supplementary groups for the current process.

Common pitfalls when adding AIX users to groups

• Overwriting the group set. Both the SMIT Group SET field and chuser groups= replace the whole list. Omitting existing groups silently removes them. Always read first, then write the complete list.
• Editing /etc/group by hand. Manually editing /etc/group or /etc/security/group can desynchronize AIX's user database. Use chuser, chgroup, or SMIT so all backing files stay consistent.
• Forgetting to create the group. chuser errors if a named group does not exist. Run mkgroup first.
• Expecting open sessions to update. Group changes apply at next login; current shells are unaffected.
• Confusing primary and secondary groups. Adding a secondary group does not change file-creation ownership; only pgrp does that.
• Permission denied. You must be root or hold the right RBAC authorization. A non-privileged user cannot change another account's group set.

A note on platform context

AIX remains in active support from IBM on Power Systems, so these commands are current rather than legacy. The same conceptual model (primary group plus a supplementary group set, verified with the equivalent of id) applies across UNIX and Linux, although the management tools differ. On Linux you would use usermod -aG and getent; on AIX the native tools are chuser, lsuser, and SMIT. Sticking to the platform-native tooling keeps the underlying security databases consistent and auditable.

Key Takeaways

• Use smitty user → Change / Show Characteristics of a User, or the command line chuser groups=..., to manage a user's group set.
• The Group SET field and chuser groups= replace the full list, so always include existing groups plus the new ones.
• Distinguish the primary group (pgrp, controls new-file ownership) from secondary groups (the supplementary group set).
• Verify every change with lsuser -a groups cmanton and confirm at the session level with id after the user logs in again.
• Create missing groups with mkgroup first, and never hand-edit /etc/group directly.

Frequently Asked Questions

How do I add an AIX user to a group without removing existing groups?

Read the current list with lsuser -a groups <user>, then run chuser groups=<existing>,<new> <user> including every existing group. Alternatively use chgrpmem -m + <user> <group>, which adds membership from the group side and never disturbs other memberships.

What is the difference between primary group and group set in AIX?

The primary group (pgrp) is the single group that owns files the user creates. The group set (groups) is the complete list of all groups the user belongs to, including supplementary groups that grant additional access. Adding a secondary group does not change the primary group.

Why doesn't the new group take effect immediately?

Group membership is read when a login session starts. Shells that were already open keep their original group set. The user must log out and back in (or start a new session); confirm with id <user>.

How do I verify which users belong to a group?

Run lsgroup -a users <group> to list the members of a group, or lsuser -a groups <user> to list the groups for a single user.

For more practical AIX and UNIX system-administration walkthroughs, subscribe on YouTube @explorenystream.