It's handy to be able to create users that *don't* have sudo rights.
Here at Stanford we use this to add users to our VPC bastion box (ssh
proxy) so these users can use this machine for ssh tunneling, but I
don't want to give those users the keys to the kingdom.
This let's me configure a playbook like this.
roles:
- common
- supervisor
- role: gh_users
gh_users:
- su1
- su2
- su3
gh_users_no_sudo:
- normal1
- normal2
The new gh_users_no_sudo list can be empty.
