diff --git a/inventory/group_vars/maintainer_test b/inventory/group_vars/maintainer_test
index 1838bd8a6f..a8c36c90c0 100644
--- a/inventory/group_vars/maintainer_test
+++ b/inventory/group_vars/maintainer_test
@@ -11,5 +11,6 @@ ipa_host_group: maintainer_test
 ipa_host_group_desc: Test hosts for package maintainers
 ipa_client_shell_groups:
 - packager
-ipa_client_sudo_groups:
+ipa_client_sudo_nopasswd_groups:
+- sysadmin-main
 - packager
diff --git a/roles/ipa/client/tasks/prepare-ipa-info.yml b/roles/ipa/client/tasks/prepare-ipa-info.yml
index 1a518df9a4..ead4fbeda1 100644
--- a/roles/ipa/client/tasks/prepare-ipa-info.yml
+++ b/roles/ipa/client/tasks/prepare-ipa-info.yml
@@ -40,6 +40,7 @@
 # "host_group_1": {
 # "shell_groups": [...],
 # "sudo_groups": [...],
+# "sudo_nopasswd_groups": [...],
 # "hosts": { # <-- This could be a list with Ansible >= 2.10
 # "host_1": true,
 # ...,
@@ -85,6 +86,8 @@
 (ipa_hosts_combined_shell_groups_dict[item] | length > 0) |
 ternary(ipa_hosts_combined_shell_groups_dict[item], omit),
 'sudo_groups': hostvars[item]['ipa_client_sudo_groups'] | default(omit),
+ 'sudo_nopasswd_groups':
+ hostvars[item]['ipa_client_sudo_nopasswd_groups'] | default(omit),
 'hosts': {item: true},
 }
 }
@@ -99,6 +102,8 @@
 hostvars[item]['ipa_server']: {
 'groups': ipa_hosts_combined_shell_groups_dict[item] | union(
 hostvars[item]['ipa_client_sudo_groups'] | default([])
+ ) | union(
+ hostvars[item]['ipa_client_sudo_nopasswd_groups'] | default([])
 ),
 'hosts': {item: True},
 }
diff --git a/roles/ipa/client/tasks/sudo.yml b/roles/ipa/client/tasks/sudo.yml
index 33a7fda035..31c6d536ab 100644
--- a/roles/ipa/client/tasks/sudo.yml
+++ b/roles/ipa/client/tasks/sudo.yml
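Review bot: Renaming the key in the maintainer_test hunk moves `packager` from the password-required sudo rule to the new passwordless one and adds `sysadmin-main` next to it, so every packager account gets root on these hosts without re-authentication; a grant of that scope should carry a why-comment in the group_vars, e.g. `# passwordless root on maintainer_test hosts (sudo.yml nopasswd rule); justification: <ticket placeholder>`. Dropping `ipa_client_sudo_groups` also means the rule the preceding sudo.yml task manages for this host group is no longer touched — its `when` on `sudo_groups` now evaluates false and nothing sets it absent — so presumably the old password-sudo rule for maintainer_test stays in IPA until it is removed by hand; that task's body is outside the hunk. Either restore the key with an empty list so the old rule is reconciled, or note in the commit that the stale rule must be deleted manually.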
@@ -34,3 +34,20 @@
 notify: clean sss caches
 loop: "{{ ipa_server_host_groups }}"
 when: ipa_server_host_groups is defined and ipa_server_host_groups_dict[item[0]][item[1]]['sudo_groups'] is defined
+
+- name: Give certain groups passwordless sudo access to anything per host group
+ delegate_to: "{{ item[0] }}"
+ ipasudorule:
+ name: "hostgroup/{{ item[1] }}/nopasswd"
+ description: "Grant passwordless sudo access to anything on host group {{ item[1] }}"
+ ipaadmin_password: "{{ ipa_server_admin_passwords[item[0]] }}"
+ state: present
+ group: "{{ ipa_server_host_groups_dict[item[0]][item[1]]['sudo_nopasswd_groups'] }}"
+ hostgroup: "{{ item[1] }}"
+ cmdcategory: "all"
+ runasusercategory: "all"
+ runasgroupcategory: "all"
+ options: "!authenticate"
+ notify: clean sss caches
+ loop: "{{ ipa_server_host_groups }}"
+ when: ipa_server_host_groups is defined and ipa_server_host_groups_dict[item[0]][item[1]]['sudo_nopasswd_groups'] is defined
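Review bot: The `when` guard on the last line of the new task only tests that `sudo_nopasswd_groups` `is defined`, so a host group that sets `ipa_client_sudo_nopasswd_groups: []` would still get a `hostgroup/<name>/nopasswd` rule with `cmdcategory: "all"` and `!authenticate` ensured present, just with an empty group list; tightening it to `when: ipa_server_host_groups is defined and (ipa_server_host_groups_dict[item[0]][item[1]]['sudo_nopasswd_groups'] | default([]) | length > 0)` avoids creating member-less unrestricted rules. The preceding task's `sudo_groups` guard has the same shape and would benefit from the same change; that task starts outside the hunk. Because `cmdcategory`, `runasusercategory` and `runasgroupcategory` are all `"all"` and `options: "!authenticate"` removes the password prompt, the task should say so in a comment above `- name:`, e.g. `# Equivalent to unrestricted root with no re-authentication: treat every addition to ipa_client_sudo_nopasswd_groups as a root grant.`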