On Thu, Aug 13, 2020, 04:18 Hermann, Uwe <[email protected]>
wrote:

> Hi all,
>
> I think I don't understand the inheritance of connections (and connection
> groups) within user groups. The way I understand it "Member Groups" should
> inherit any connections and connection groups from their "Parent Groups",
> if both exist in the database (using a PostgreSQL database for connection
> storage as we're using SSO with SAML running Guacamole 1.2.0).
>
> So I have created the following test groups
>
> - Admin Group
> - Parent Group 1
>   - Member Group 1
>   - Member Group 2
>   - Member Group n
>
> Our connections are configured this way:
>
> group 1
>     - subgroup 1
>         - second subgroup 1
>              - connection 1
>              - connection 2
> and so on
>
> Our parent groups contain the main structure down to any subgroup, the
> member groups contain everything below (second subgroup and deeper).
> The admin group can administrate the system
>
> The following are the test results with users belonging to different
> groups:
> User A belongs to the Admin Group and can see everything and use any
> connection
> This is working as expected
>
> User B belongs to Parent Group 1 and can only see the connection groups
> down to subgroup 1
> This has not been expected. The expectation was that User B can see and
> use any connection belonging to the Member Groups of Parent Group 1
>
> User C belongs to Member Group 1 and can see all connection groups (but
> not the connections) and the connections from its Member Group
> This also has not been expected. The expectation was that User C is only
> able to see the connection groups her user group has been given access to
>
> Is this working as it should?
>

Yes, you are just conceptualizing group inheritance backwards.

A member of a group inherits the permissions granted to that group. This is
true whether the member is a user or another group.

If you have the following hierarchy:

GroupA:
    User1
    GroupB:
        User2
        GroupC:
            User3

Then:

* "User1" inherits permissions from "GroupA".
* "User2" inherits permissions from "GroupB" and "GroupA".
* "User3" inherits permissions from all three groups.

If you want a particular group to inherit permissions from several groups,
then that group needs to be made a member of those groups, not the other
way around.

- Mike
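
An added illustration of the inheritance direction described in the reply above; it is not part of the original thread and is a simplified model, not Guacamole's own code. The function name, the permission labels, and the assumption that "Member Group 1" is a member of "Parent Group 1" are constructed for the example.

```python
from collections import deque

def effective_permissions(entity, member_of, granted):
    """Union of the permissions granted to `entity` and to every group it
    belongs to, directly or through nested group membership.
    Permissions flow from a group DOWN to its members, never upward."""
    seen = {entity}
    queue = deque([entity])
    perms = set()
    while queue:
        current = queue.popleft()
        perms |= granted.get(current, set())
        for group in member_of.get(current, ()):
            if group not in seen:  # guard against membership cycles
                seen.add(group)
                queue.append(group)
    return perms

# Constructed sample data: entity -> groups it is a direct member of.
MEMBER_OF = {
    # hierarchy from the reply
    "User1": ["GroupA"],
    "GroupB": ["GroupA"],
    "User2": ["GroupB"],
    "GroupC": ["GroupB"],
    "User3": ["GroupC"],
    # layout from the question (assumed membership direction)
    "Member Group 1": ["Parent Group 1"],
    "User B": ["Parent Group 1"],
    "User C": ["Member Group 1"],
}

# Constructed sample data: group -> permissions granted directly to it.
GRANTED = {
    "GroupA": {"perm-A"},
    "GroupB": {"perm-B"},
    "GroupC": {"perm-C"},
    "Parent Group 1": {"group 1", "subgroup 1"},
    "Member Group 1": {"second subgroup 1", "connection 1", "connection 2"},
}

if __name__ == "__main__":
    for name in ("User1", "User2", "User3", "User B", "User C"):
        print(name, sorted(effective_permissions(name, MEMBER_OF, GRANTED)))
```

In this model "User B" ends up with only what was granted to "Parent Group 1", while "User C" gets the grants of both groups, which matches the behaviour reported in the question.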
