Hello,

for my use case I want to have two different kinds of Guacamole administrators, 
one "system admin" which administers the entire instance and has full access to 
all resources and a so-called "department admin" which just has access to the 
resources of his department: users, user groups and connections. If we look 
into a user or a user group profile via the web frontend, we see the following 
privileges under the section "PERMISSIONS":

        Administer system
        Create new users
        Create new user groups
        Create new connections
        Create new connection groups
        Create new sharing profiles
        Change own password

For the "department admin" role the privileges "Create new users" and "Create 
new connections" are what I want. If I grant some user these two, he/she can 
only do what is literally described, just create new users or connections. But 
this is just half of the battle. Such an admin should be able to do the full 
life cycle management of users and connections: create, update (user - host 
associations) and delete them. If I take a closer look into the database, the 
tables

        * guacamole_connection_group_permission
        * guacamole_connection_permission
        * guacamole_sharing_profile_permission
        * guacamole_system_permission
        * guacamole_user_group_permission
        * guacamole_user_permission

catch my eye. These entity mapping tables all have an ENUM column 
"permission" with the possible values 
enum('READ','UPDATE','DELETE','ADMINISTER'), except for the table 
guacamole_system_permission with the ENUM values 
enum('CREATE_CONNECTION','CREATE_CONNECTION_GROUP','CREATE_SHARING_PROFILE','CREATE_USER','CREATE_USER_GROUP','ADMINISTER'), 
which is not such an entity mapping table.

Is it somehow possible, by doing some INSERT statements, to model such a 
"department admin" role as described? If not with all the features I want, maybe 
partially, meaning a little bit more than just creating users and connections? 
Updating the user-connection association would be good. Or do I misinterpret 
these mapping tables completely, and are they used for something else that is 
not coming to my mind?

Thank you for helping me with this.
-- 
Jürgen
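
The scoped grants the question describes, written out as an added example (not part of the original message and not code from the Guacamole project), together with two audit queries for checking the result against least privilege. It assumes the column names of the Guacamole 1.x MySQL schema (`entity_id`, `affected_user_id`, `connection_id`, `connection_name`); the names `dept_admin`, `alice`, `bob`, `srv-01` and `srv-02` are hypothetical.

```sql
-- Added example. Hypothetical names: dept_admin, alice, bob, srv-01, srv-02.
-- Column names are assumed from the Guacamole 1.x MySQL schema.
SET @admin := (SELECT entity_id FROM guacamole_entity
               WHERE name = 'dept_admin' AND type = 'USER');

-- System level: creation rights only, never the system-wide ADMINISTER.
-- Plain INSERT is used so a missing @admin (NULL) fails loudly.
INSERT INTO guacamole_system_permission (entity_id, permission)
VALUES (@admin, 'CREATE_USER'), (@admin, 'CREATE_CONNECTION');

-- Object level: all four permissions, but only on the department's users.
INSERT INTO guacamole_user_permission (entity_id, affected_user_id, permission)
SELECT @admin, u.user_id, p.permission
FROM guacamole_user u
JOIN guacamole_entity e ON e.entity_id = u.entity_id AND e.type = 'USER'
CROSS JOIN (SELECT 'READ' AS permission UNION ALL SELECT 'UPDATE'
            UNION ALL SELECT 'DELETE' UNION ALL SELECT 'ADMINISTER') p
WHERE e.name IN ('alice', 'bob');

-- Object level: the same four permissions on the department's connections.
INSERT INTO guacamole_connection_permission (entity_id, connection_id, permission)
SELECT @admin, c.connection_id, p.permission
FROM guacamole_connection c
CROSS JOIN (SELECT 'READ' AS permission UNION ALL SELECT 'UPDATE'
            UNION ALL SELECT 'DELETE' UNION ALL SELECT 'ADMINISTER') p
WHERE c.connection_name IN ('srv-01', 'srv-02');

-- Audit 1: who holds system-wide ADMINISTER? dept_admin must not appear.
SELECT e.name, e.type
FROM guacamole_system_permission sp
JOIN guacamole_entity e ON e.entity_id = sp.entity_id
WHERE sp.permission = 'ADMINISTER';

-- Audit 2: every object dept_admin can touch, for review against the
-- department's own list of users and connections.
SELECT 'user' AS object_type, te.name AS object_name, up.permission
FROM guacamole_user_permission up
JOIN guacamole_user tu ON tu.user_id = up.affected_user_id
JOIN guacamole_entity te ON te.entity_id = tu.entity_id
WHERE up.entity_id = @admin
UNION ALL
SELECT 'connection', c.connection_name, cp.permission
FROM guacamole_connection_permission cp
JOIN guacamole_connection c ON c.connection_id = cp.connection_id
WHERE cp.entity_id = @admin
ORDER BY object_type, object_name, permission;
```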
