diff --git a/bundles/sudo/files/sudoers b/bundles/sudo/files/sudoers
index 450f5ba..c5ce343 100644
--- a/bundles/sudo/files/sudoers
+++ b/bundles/sudo/files/sudoers
@@ -6,6 +6,8 @@ Defaults secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bi
 root ALL=(ALL) ALL
-% for user in sorted(node.metadata['sudo']):
-${user} ALL=(ALL) NOPASSWD:ALL
+% for user, permissions in sorted(node.metadata['sudo'].items()):
+% for p in sorted(permissions):
+${user} ALL=(ALL) NOPASSWD:${p}
+% endfor
 % endfor
diff --git a/bundles/sudo/metadata.py b/bundles/sudo/metadata.py
index b516e61..4155d59 100644
--- a/bundles/sudo/metadata.py
+++ b/bundles/sudo/metadata.py
@@ -1,10 +1,10 @@
 @metadata_reactor
 def sudo_users(metadata):
- sudoers = set()
+ sudoers = {}
 for username, config in metadata.get('users', {}).items():
- if 'sudo' in config and config['sudo']:
- sudoers.add(username)
+ if 'sudo_commands' in config:
+ sudoers[username] = config['sudo_commands']
 return {
 'sudo': sudoers,
diff --git a/groups/all.py b/groups/all.py
index ef43a30..3e1b76e 100644
--- a/groups/all.py
+++ b/groups/all.py
@@ -21,13 +21,17 @@ groups['all'] = {
 'ssh_pubkey': [
 'ssh-rsa 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 cardno:000609506971',
 ],
- 'sudo': True,
+ 'sudo_commands': {
+ 'ALL',
+ },
 },
 'sophie': {
 'ssh_pubkey': [
 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDU7XmpX4w+rGQDi+dF6M0q65K2iHVgD1wHBoHREjyqCzmPGZgrnLIv6EN9WWJXjCgRdLEUXgPn7PNJnAgBs3U8G8MsF55yrPNUIsEeg6v+Y6zibEujMrwmeDSk0XAn8iSZcy+4cnqykIMk9Hd5WXW7ZhSHGs4MftWn3Z/q15qPHl/w9OyaKDJAjk8yEsD1sZoAQMhomKliKjJ5a6jNyf7otS3HdbZx4KXABJNuWn/IvmwkcaIU8ljyuPkPkiMn5JWhcUK2kE81Y4a5zJxxusSXSF6Ip7W2Rhv+4gnScTjhTPsG70HlSF/LAB2ytKo0F0N/ZB2hJk+Jq6cAwNBzuST7 sophie@ejgwmobile',
 ],
- 'sudo': True,
+ 'sudo_commands': {
+ 'ALL',
+ },
 },
 },
 },
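Review bot: `${p}` is written into the rule as-is in `${user} ALL=(ALL) NOPASSWD:${p}`, so the template trusts every `sudo_commands` entry to be exactly one valid sudoers command spec. An entry that is neither `ALL` nor an absolute path is a syntax error, and an entry containing a comma or a line break turns into more than one spec or an extra sudoers line. A sudoers file that does not parse can leave sudo unusable on the node, so I would reject such values where the metadata is built and have the rendered file checked with `visudo -cf <rendered file>` before it is installed, unless the file item already does that (its definition is not part of this diff). A template comment such as `## entries are absolute command paths or ALL; a path without arguments permits any arguments` would document the contract for whoever adds the next entry.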
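Review bot: `sudoers[username] = config['sudo_commands']` passes the value through without checking its type, and the sudoers template then iterates it with `sorted(permissions)`, so a plain string such as `'ALL'` would be rendered as one rule per character. I would fail early in the reactor, ahead of the assignment, for example `if isinstance(config['sudo_commands'], str): raise ValueError(f"users/{username}/sudo_commands must be a set of commands")`. The old `'sudo': True` key is no longer read, so any user definition outside this diff that still uses it silently loses its sudo rule. A short docstring on `sudo_users` stating that it maps each username to its set of permitted commands would make the new shape explicit. The function's `return` block continues past the end of the hunk.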