On Sun, Mar 15, 2020 at 4:54 PM Jason Haar <jason_h...@trimble.com> wrote:
> ...
> As far as your "only admins should edit connections" comment goes, yeah I
> know that is how guacamole intends to do things, but "CoronaVirus". I am
> doing this as a POC with the intention to allow arbitrary staff remote
> access from their personal/home computers to their workstations ...
>

Excellent - this is exactly what Guacamole is meant for.

> ... so I'm testing giving all users "create new connections" privs (because
> they would also use it to access Cloud systems that can only be accessed
> from work IPs, etc).
>

This I don't understand. Can you not create these connections on behalf of your users?

It's intended that only specific admins would have such privileges, with the users of the system being restricted to only the connections they are specifically granted (even if those users are technically sysadmins themselves). The internals of how the connection is configured should be opaque to the user accessing it. As long as you grant your users access to only the systems for which they need access, then things should work seamlessly as well as remain properly bounded by the Principle of Least Privilege.

- Mike