diff --git a/roles/mgrote.create_users/tasks/main.yml b/roles/mgrote.create_users/tasks/main.yml
index 7f924cb1..d3f68703 100644
--- a/roles/mgrote.create_users/tasks/main.yml
+++ b/roles/mgrote.create_users/tasks/main.yml
@@ -38,4 +38,5 @@
 template:
 src: sudoers
 dest: /etc/sudoers.d/{{ create_user_name }}
+ validate: /usr/sbin/visudo -cf %s
 # no_log: true
diff --git a/roles/mgrote.zfs_tools/tasks/main.yml b/roles/mgrote.zfs_tools/tasks/main.yml
index cb29b37e..ed874bcd 100644
--- a/roles/mgrote.zfs_tools/tasks/main.yml
+++ b/roles/mgrote.zfs_tools/tasks/main.yml
@@ -83,3 +83,15 @@
 mode: 0555
 src: zfs-free.sh
 dest: /usr/local/bin/zfs-free.sh
+
+ - name: Erlaube "non-root" Usern Read-Only ZFS Commands
+ become: yes
+ template:
+ src: sudoers_zfs
+ dest: /etc/sudoers.d/zfs
+ owner: root
+ group: root
+ force: yes
+ backup: yes
+ mode: 0440
+ validate: /usr/sbin/visudo -cf %s
diff --git a/roles/mgrote.zfs_tools/templates/sudoers_zfs b/roles/mgrote.zfs_tools/templates/sudoers_zfs
new file mode 100644
index 00000000..0acd6387
--- /dev/null
+++ b/roles/mgrote.zfs_tools/templates/sudoers_zfs
@@ -0,0 +1,18 @@
+# Allow read-only ZoL commands to be called through sudo
+# without a password. Remove the first '#' column to enable.
+#
+# CAUTION: Any syntax error introduced here will break sudo.
+#
+# Cmnd alias specification
+Cmnd_Alias C_ZFS = \
+ /sbin/zfs "", /sbin/zfs help *, \
+ /sbin/zfs get, /sbin/zfs get *, \
+ /sbin/zfs list, /sbin/zfs list *, \
+ /sbin/zpool "", /sbin/zpool help *, \
+ /sbin/zpool iostat, /sbin/zpool iostat *, \
+ /sbin/zpool list, /sbin/zpool list *, \
+ /sbin/zpool status, /sbin/zpool status *, \
+ /sbin/zpool upgrade, /sbin/zpool upgrade -v
+#
+# allow any user to use basic read-only ZFS commands
+ALL ALL = (root) NOPASSWD: C_ZFS
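Review bot: `visudo -cf %s` checks only the syntax of the rendered file, so it will not catch a fragment that sudo never loads. The destination on the context line above is `/etc/sudoers.d/{{ create_user_name }}`, and sudo skips files in an include directory whose name contains a `.` or ends in `~`. A user name such as `first.last` (constructed example) would pass validation and still end up with no sudo rule. I would either note this next to the new line, `# sudo ignores sudoers.d files whose name contains '.' or ends in '~'`, or derive the name with `dest: /etc/sudoers.d/{{ create_user_name | replace('.', '_') }}`. The task starts above the hunk, so whether `owner`, `group` and `mode` are set cannot be seen from here.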
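Review bot: `backup: yes` on the new task makes Ansible leave a timestamped copy of the previous fragment inside `/etc/sudoers.d` each time the template changes. sudo skips include-directory files whose name contains a `.` or ends in `~`, which as far as I know covers Ansible's backup naming, so the copies should not be parsed. Stale privilege rules piling up in that directory still make audits harder, and the role is already the source of truth, so I would drop the line or set `backup: false`. `force: yes` is the module default and can go as well, and quoting the mode as `mode: '0440'` avoids relying on the YAML parser's octal handling.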
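Review bot: The last rule, `ALL ALL = (root) NOPASSWD: C_ZFS`, is active as committed and applies to every account on the host, yet the header still says "Remove the first '#' column to enable", which reads as if the file were inert. The header should state what the file does, for example `# Grants passwordless sudo for the read-only zfs/zpool commands listed below.` Consider limiting the user list to a group, `%GROUP_PLACEHOLDER ALL = (root) NOPASSWD: C_ZFS`, because service and application accounts receive the grant too. The entries ending in `*` accept any further arguments, so the rule is only as read-only as every option the installed `zfs`/`zpool` release supports for `get`, `list`, `iostat` and `status`; that is worth checking against the man pages of the deployed version.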