diff --git a/etc/dm.sudo-rules.template b/etc/dm.sudo-rules.template
new file mode 100644
index 0000000000000000000000000000000000000000..b43ddd0839e4fbd41a866aa561cb369a4ef8912f
--- /dev/null
+++ b/etc/dm.sudo-rules.template
@@ -0,0 +1,11 @@
+## DM user sudo functions
+## All strings starting with DM_* have to be replaced with actual values 
+Host_Alias HOST=DM_HOSTNAME
+User_Alias USER=DM_SYSTEM_USER
+Cmnd_Alias SETFACL=/usr/bin/setfacl -m group\:*\:rx DM_DATA_DIR/*
+Cmnd_Alias USERMOD=/usr/sbin/usermod -a -G * *
+Cmnd_Alias GROUPADD=/usr/sbin/groupadd *
+
+USER HOST=(root) NOPASSWD: SETFACL,USERMOD,GROUPADD
+
+