On 5/5/23 04:26, Fischer, Manuel wrote:
> Hi all,
>
> we would like to set up a system with local users first and switch to
> LDAP or OpenID/SAML later when it's available in our environment.
>
> I tried to set up a system with a global system administrator and with
> some group administrators who only have a limited set of rights.
>
> I think I understand the user and group management if we have only one
> or more global administrators and some users and groups when there is
> only a simple and flat structure.
>
> But I don't really understand the rights system when it comes to
> inheritance. Is there good documentation about this? Or where can I
> find a detailed description of the dependencies on the internet or the
> official documentation? I found this one, but it's not very detailed:
> https://guacamole.apache.org/doc/gug/administration.html#
>
> If I create the groups and users with the global admin, it looks like
> it behaves differently than if I create the same users and groups
> with a user who only has limited rights to create users and groups.
>
> Like: A global admin can always see and change all users and groups no
> matter if it's created by the global or group admin. But a group admin
> can't see all groups and users if they are created with a global admin
> even if he should because they are in a group where the group admin has
> privileges.

A user with full system administration privileges has permission to see
and modify all objects, even if they did not create them.

A user without full system administration privileges but with some type
of creation privileges (create connections, create users, etc.) will be
able to create those objects and maintain objects they created
themselves. They will not be able to see/maintain objects they did not
create.

Users can receive permissions directly via their user account or via
their user groups. The fact that they inherit a permission from a group
vs. from their own account does not alter the behavior of that
permission, nor the behavior of actions taken by the user that require
that permission.

- Mike