diff --git a/user_mgr.cpp b/user_mgr.cpp
index bd63aac..f4a90ec 100644
--- a/user_mgr.cpp
+++ b/user_mgr.cpp
@@ -38,6 +38,7 @@
 #include <xyz/openbmc_project/User/Common/error.hpp>
 
 #include <algorithm>
+#include <array>
 #include <ctime>
 #include <fstream>
 #include <numeric>
@@ -99,8 +100,52 @@
     sdbusplus::xyz::openbmc_project::User::Common::Error::UserNameGroupFail;
 using NoResource =
     sdbusplus::xyz::openbmc_project::User::Common::Error::NoResource;
-
 using Argument = xyz::openbmc_project::Common::InvalidArgument;
+using GroupNameExists =
+    sdbusplus::xyz::openbmc_project::User::Common::Error::GroupNameExists;
+using GroupNameDoesNotExists =
+    sdbusplus::xyz::openbmc_project::User::Common::Error::GroupNameDoesNotExist;
+
+namespace
+{
+
+// The hardcoded groups in OpenBMC projects
+constexpr std::array<const char*, 4> predefinedGroups = {"web", "redfish",
+                                                         "ipmi", "ssh"};
+
+// These prefixes are for Dynamic Redfish authorization. See
+// https://github.com/openbmc/docs/blob/master/designs/redfish-authorization.md
+
+// Base role and base privileges are added by Redfish implementation (e.g.,
+// BMCWeb) at compile time
+constexpr std::array<const char*, 4> allowedGroupPrefix = {
+    "openbmc_rfr_",  // OpenBMC Redfish Base Role
+    "openbmc_rfp_",  // OpenBMC Redfish Base Privileges
+    "openbmc_orfr_", // OpenBMC Redfish OEM Role
+    "openbmc_orfp_", // OpenBMC Redfish OEM Privileges
+};
+
+void checkAndThrowsForGroupChangeAllowed(const std::string& groupName)
+{
+    bool allowed = false;
+    for (std::string_view prefix : allowedGroupPrefix)
+    {
+        if (groupName.starts_with(prefix))
+        {
+            allowed = true;
+            break;
+        }
+    }
+    if (!allowed)
+    {
+        log<level::ERR>("Invalid group name; not in the allowed list",
+                        entry("GroupName=%s", groupName.c_str()));
+        elog<InvalidArgument>(Argument::ARGUMENT_NAME("Group Name"),
+                              Argument::ARGUMENT_VALUE(groupName.c_str()));
+    }
+}
+
+} // namespace
 
 std::string getCSVFromVector(std::span<const std::string> vec)
 {
@@ -160,6 +205,21 @@
     }
 }
 
+void UserMgr::checkAndThrowForDisallowedGroupCreation(
+    const std::string& groupName)
+{
+    if (groupName.size() > maxSystemGroupNameLength ||
+        !std::regex_match(groupName.c_str(),
+                          std::regex("[a-zA-z_][a-zA-Z_0-9]*")))
+    {
+        log<level::ERR>("Invalid group name",
+                        entry("GroupName=%s", groupName.c_str()));
+        elog<InvalidArgument>(Argument::ARGUMENT_NAME("Group Name"),
+                              Argument::ARGUMENT_VALUE(groupName.c_str()));
+    }
+    checkAndThrowsForGroupChangeAllowed(groupName);
+}
+
 void UserMgr::throwForUserExists(const std::string& userName)
 {
     if (isUserExist(userName))
@@ -255,6 +315,30 @@
     }
 }
 
+std::vector<std::string> UserMgr::readAllGroupsOnSystem()
+{
+    std::vector<std::string> allGroups = {predefinedGroups.begin(),
+                                          predefinedGroups.end()};
+    // rewinds to the beginning of the group database
+    setgrent();
+    struct group* gr = getgrent();
+    while (gr != nullptr)
+    {
+        std::string group(gr->gr_name);
+        for (std::string_view prefix : allowedGroupPrefix)
+        {
+            if (group.starts_with(prefix))
+            {
+                allGroups.push_back(gr->gr_name);
+            }
+        }
+        gr = getgrent();
+    }
+    // close the group database
+    endgrent();
+    return allGroups;
+}
+
 void UserMgr::createUser(std::string userName,
                          std::vector<std::string> groupNames, std::string priv,
                          bool enabled)
@@ -327,6 +411,73 @@
     return;
 }
 
+void UserMgr::checkDeleteGroupConstraints(const std::string& groupName)
+{
+    if (std::find(groupsMgr.begin(), groupsMgr.end(), groupName) ==
+        groupsMgr.end())
+    {
+        log<level::ERR>("Group already exists",
+                        entry("GROUP_NAME=%s", groupName.c_str()));
+        elog<GroupNameDoesNotExists>();
+    }
+    checkAndThrowsForGroupChangeAllowed(groupName);
+}
+
+void UserMgr::deleteGroup(std::string groupName)
+{
+    checkDeleteGroupConstraints(groupName);
+    try
+    {
+        executeGroupDeletion(groupName.c_str());
+    }
+    catch (const InternalFailure& e)
+    {
+        log<level::ERR>("Group delete failed",
+                        entry("GROUP_NAME=%s", groupName.c_str()));
+        elog<InternalFailure>();
+    }
+
+    groupsMgr.erase(std::find(groupsMgr.begin(), groupsMgr.end(), groupName));
+    UserMgrIface::allGroups(groupsMgr);
+    log<level::INFO>("Group deleted successfully",
+                     entry("GROUP_NAME=%s", groupName.c_str()));
+}
+
+void UserMgr::checkCreateGroupConstraints(const std::string& groupName)
+{
+    if (std::find(groupsMgr.begin(), groupsMgr.end(), groupName) !=
+        groupsMgr.end())
+    {
+        log<level::ERR>("Group already exists",
+                        entry("GROUP_NAME=%s", groupName.c_str()));
+        elog<GroupNameExists>();
+    }
+    checkAndThrowForDisallowedGroupCreation(groupName);
+    if (groupsMgr.size() >= maxSystemGroupCount)
+    {
+        log<level::ERR>("Group limit reached");
+        elog<NoResource>(xyz::openbmc_project::User::Common::NoResource::REASON(
+            "Group limit reached"));
+    }
+}
+
+void UserMgr::createGroup(std::string groupName)
+{
+    checkCreateGroupConstraints(groupName);
+    try
+    {
+        executeGroupCreation(groupName.c_str());
+    }
+    catch (const InternalFailure& e)
+    {
+        log<level::ERR>("Group create failed",
+                        entry("GROUP_NAME=%s", groupName.c_str()));
+        elog<InternalFailure>();
+    }
+    groupsMgr.push_back(groupName);
+    UserMgrIface::allGroups(groupsMgr);
+}
+
 void UserMgr::renameUser(std::string userName, std::string newUserName)
 {
     // All user management lock has to be based on /etc/shadow
@@ -668,7 +819,6 @@
     boost::algorithm::split(splitWords, output[t2OutputIndex],
                             boost::algorithm::is_any_of("\t "),
                             boost::token_compress_on);
-
     uint16_t failAttempts = 0;
     try
     {
@@ -1056,6 +1206,16 @@
     return false;
 }
 
+void UserMgr::executeGroupCreation(const char* groupName)
+{
+    executeCmd("/usr/sbin/groupadd", groupName);
+}
+
+void UserMgr::executeGroupDeletion(const char* groupName)
+{
+    executeCmd("/usr/sbin/groupdel", groupName);
+}
+
 UserInfoMap UserMgr::getUserInfo(std::string userName)
 {
     UserInfoMap userInfo;
@@ -1280,7 +1440,9 @@
     if (!userNameList.empty())
     {
         std::map<std::string, std::vector<std::string>> groupLists;
-        for (auto& grp : groupsMgr)
+        // We only track users that are in the |predefinedGroups|
+        // The other groups don't contain real BMC users.
+        for (const char* grp : predefinedGroups)
         {
             if (grp == grpSsh)
             {
@@ -1337,6 +1499,7 @@
     pamAuthConfigFile(defaultPamAuthConfigFile)
 {
     UserMgrIface::allPrivileges(privMgr);
+    groupsMgr = readAllGroupsOnSystem();
     std::sort(groupsMgr.begin(), groupsMgr.end());
     UserMgrIface::allGroups(groupsMgr);
     initializeAccountPolicy();
@@ -1389,17 +1552,5 @@
     return executeCmd("/usr/sbin/pam_tally2", "-u", userName);
 }
 
-void UserMgr::createGroup(std::string /*groupName*/)
-{
-    log<level::ERR>("Not implemented yet");
-    elog<InternalFailure>();
-}
-
-void UserMgr::deleteGroup(std::string /*groupName*/)
-{
-    log<level::ERR>("Not implemented yet");
-    elog<InternalFailure>();
-}
-
 } // namespace user
 } // namespace phosphor