[
https://issues.apache.org/jira/browse/GUACAMOLE-1010?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Nick Couchman updated GUACAMOLE-1010:
-------------------------------------
Description:
guacamole already has lots of options available to everyone who can create/edit
connection profiles - in particular "device redirection".
This enables organizations who want to restrict things to do so - but only if
they remove the option for end-users to create new connections. ie orgs have to
go complete "nanny state" mode and remove all versatility from users.
How about if you enabled an "admin only" mode where options could be disabled
globally within guacd.conf, and then only accounts with full admin privs could
even see them? Then when other users with "create" access go to create/edit a
connector, those options don't even show up - thereby stopping them from using
them. I think the sections named "Remote Desktop Gateway", "Device
Redirection", "Preconnection PDU / Hyper-V", "CONCURRENCY LIMITS", "LOAD
BALANCING", "GUACAMOLE PROXY PARAMETERS", "Screen Recording" and "SFTP" all
should be disable-able. That would allow orgs to allow individuals the
flexibility of being able to create their own connectors, but restrict their
options to a level the org is comfortable with - and with those areas not even
showing up to the end-user, it would improve ease of use (you have to know
quite a bit for most of those options to even make sense).
Also, clipboard itself should really be a "device redirection" option too. I
think clipboard in a connection profile should able to be configured as
bidirectional (browser<=>server), or browser=>server only (server<=>server
should always be allowed)
Thanks for listening!
Jason
was:
guacamole already has lots of options available to everyone who can create/edit
connection profiles - in particular "device redirection".
This enables organizations who want to restrict things to do so - but only if
they remove the option for end-users to create new connections. ie orgs have to
go complete "nanny state" mode and remove all versatility from users.
How about if you enabled an "admin only" mode where options could be disabled
globally within guacd.conf, and then only accounts with full admin privs could
even see them? Then when other users with "create" access go to create/edit a
connector, those options don't even show up - thereby stopping them from using
them. I think the sections named "Remote Desktop Gateway", "Device
Redirection", "Preconnection PDU / Hyper-V", "CONCURRENCY LIMITS", "LOAD
BALANCING", "GUACAMOLE PROXY PARAMETERS", "Screen Recording" and "SFTP" all
should be disable-able. That would allow orgs to allow individuals the
flexibility of being able to create their own connectors, but restrict their
options to a level the org is comfortable with - and with those areas not even
showing up to the end-user, it would improve ease of use (you have to know
quite a bit for most of those options to even make sense).
Also, clipboard itself should really be a "device redirection" option too. I
think clipboard in a connection profile should able to be configured as
bidirectional (browser<->server), or browser->server only (server<->server
should always be allowed)
Thanks for listening!
Jason
> enable concept of global policy enforcement to restrict options
> ---------------------------------------------------------------
>
> Key: GUACAMOLE-1010
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1010
> Project: Guacamole
> Issue Type: New Feature
> Components: guacamole
> Reporter: Jason Haar
> Priority: Major
>
> guacamole already has lots of options available to everyone who can
> create/edit connection profiles - in particular "device redirection".
> This enables organizations who want to restrict things to do so - but only if
> they remove the option for end-users to create new connections. ie orgs have
> to go complete "nanny state" mode and remove all versatility from users.
> How about if you enabled an "admin only" mode where options could be disabled
> globally within guacd.conf, and then only accounts with full admin privs
> could even see them? Then when other users with "create" access go to
> create/edit a connector, those options don't even show up - thereby stopping
> them from using them. I think the sections named "Remote Desktop Gateway",
> "Device Redirection", "Preconnection PDU / Hyper-V", "CONCURRENCY LIMITS",
> "LOAD BALANCING", "GUACAMOLE PROXY PARAMETERS", "Screen Recording" and "SFTP"
> all should be disable-able. That would allow orgs to allow individuals the
> flexibility of being able to create their own connectors, but restrict their
> options to a level the org is comfortable with - and with those areas not
> even showing up to the end-user, it would improve ease of use (you have to
> know quite a bit for most of those options to even make sense).
> Also, clipboard itself should really be a "device redirection" option too. I
> think clipboard in a connection profile should able to be configured as
> bidirectional (browser<=>server), or browser=>server only (server<=>server
> should always be allowed)
>
> Thanks for listening!
>
> Jason
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
