The clean way to grant sudo is to add the user to the admin group: sudo on Debian and Ubuntu, wheel on RHEL, Fedora, and Arch.
sudo usermod -aG sudo deploy # Debian / Ubuntu
sudo usermod -aG wheel deploy # RHEL / Fedora / Arch
The -a (append) is essential, as covered in add a user to a group: plain -G would wipe their other groups. The user must log out and back in for the new group to apply.
Verify it
sudo -lU deploy # what is deploy allowed to run?Once they log back in, sudo whoami from their account should print root.
Scope it instead of granting everything
Full membership in sudo/wheel means run-anything-as-root. Often you want less than that, for example "this person may restart nginx but not become root". Do that with a sudoers drop-in, edited through visudo:
sudo visudo -f /etc/sudoers.d/deploy# /etc/sudoers.d/deploy
deploy ALL=(ALL) /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
That grants exactly those two commands as root and nothing else. The format is user host=(runas) commands. Drop-in files in /etc/sudoers.d/ are the right place for this; never hand-edit the main /etc/sudoers directly.
Group the rule for a team
For several people, point the rule at a group (prefixed with %) instead of repeating it per user:
# /etc/sudoers.d/web-ops
%webops ALL=(ALL) /usr/bin/systemctl * nginx
Then add people to webops with usermod -aG. One rule, managed by group membership.
FAQ
They are the same idea on different distros. Debian and Ubuntu grant sudo to members of the sudo group; RHEL, Fedora, and Arch use the wheel group. Add the user to whichever your distro uses with usermod -aG.
Do not add them to the admin group. Instead create a sudoers drop-in with sudo visudo -f /etc/sudoers.d/deploy and a line like deploy ALL=(ALL) /usr/bin/systemctl restart nginx. That grants exactly that command as root and nothing more.
Group membership applies at login. The user must log out and back in (or run newgrp sudo) for the new group to take effect. Confirm with groups deploy that sudo (or wheel) is listed.
See also
- How to edit the sudoers file safely (visudo): the syntax-checked way to write these rules.
- How to add a user to a group: the -aG mechanics and the -a trap.
- How to set up passwordless sudo: NOPASSWD and when it is justified.
- How to disable root login: the reason to give sudo in the first place.
- the sudo lecture file: what that warning message is and how to change it.
Sources
Authoritative references this article was fact-checked against.





