On Tue, Oct 26, 2021 at 11:29 AM Jürgen Kuri <[email protected]> wrote:
> Hello,
>
> for my use case I want to have two different kinds of Guacamole
> administrators, one "system admin" which administers the entire instance
> and has full access to all resources and a so-called "department admin"
> which just has access to the resources of his department, users, user
> groups and connections. If we look into a user or a user group profile via
> web frontend, we see below section "PERMISSIONS" the following privileges:
>
> Administer system
> Create new users
> Create new user groups
> Create new connections
> Create new connection groups
> Create new sharing profiles
> Change own password
>
> For the "department admin" role the privileges "Create new users" and
> "Create new connections" is what I want. If I grant some user these two,
> he/she just can do so as literally described, just create new users or
> connections.
One thing to note, here, is that a user will have access to the resources
in Guacamole that they create - connection groups, connections, etc. So,
the user who creates a connection should also have the ability to modify
it, assign permissions, delete it, etc.
> But this is just half of the battle. Such an admin should be able to do
> the full life cycle management of users and connections, create, update
> (user - host associations) and delete them. If I take a closer look into
> the database, the tables
>
> * guacamole_connection_group_permission
> * guacamole_connection_permission
> * guacamole_sharing_profile_permission
> * guacamole_system_permission
> * guacamole_user_group_permission
> * guacamole_user_permission
>
> catch my eye. These entity mapping tables all have this ENUM value
> column "permission" with the possible values
> enum('READ','UPDATE','DELETE','ADMINISTER') except for table
> guacamole_system_permission with the ENUM values
> enum('CREATE_CONNECTION','CREATE_CONNECTION_GROUP','CREATE_SHARING_PROFILE','CREATE_USER','CREATE_USER_GROUP','ADMINISTER'),
> which is not such an entity mapping table.
>
> Is it somehow possible by doing some INSERT statements to model such a
> "department admin" role as described? If not with all features I want,
> maybe partially meaning a little bit more than just create users and
> connections? Update of user-connection association would be good. Or do I
> misinterpret these mapping tables completely and they are used for
> something else not coming into my mind?
>
>
Yes, there are additional permissions that you can assign to each of these
resources above and beyond what the admin interface allows you to
configure, so you can insert or update records to adjust these permissions.
-Nick
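A worked example of the kind of INSERT the reply refers to, added here and not taken from either message. It assumes the Guacamole 1.x MySQL auth schema (entity, user and connection ids live in guacamole_entity, guacamole_user and guacamole_connection; the permission tables carry entity_id plus the affected object id) and uses hypothetical names: an admin account deptadmin, department users alice and bob, and connections named dept-rdp-*. Verify the column names against your own schema before running.

```sql
-- Added example (not from the thread). Column names assume the Guacamole 1.x
-- MySQL schema; 'deptadmin', 'alice', 'bob' and 'dept-rdp-%' are hypothetical.
START TRANSACTION;

-- 1. System-level rights: only the two CREATE_* values. ADMINISTER here would
--    make deptadmin a full system admin, so it is deliberately not granted.
INSERT INTO guacamole_system_permission (entity_id, permission)
SELECT a.entity_id, p.permission
FROM guacamole_entity a
CROSS JOIN (SELECT 'CREATE_USER' AS permission
            UNION ALL SELECT 'CREATE_CONNECTION') p
WHERE a.name = 'deptadmin' AND a.type = 'USER';

-- 2. Life-cycle management (READ/UPDATE/DELETE) of the department's users.
--    Object-level ADMINISTER is omitted: it would let deptadmin alter the
--    permissions of those users, which exceeds the "department admin" scope.
INSERT INTO guacamole_user_permission (entity_id, affected_user_id, permission)
SELECT a.entity_id, u.user_id, p.permission
FROM guacamole_entity a
JOIN guacamole_user u ON 1 = 1
JOIN guacamole_entity ue ON ue.entity_id = u.entity_id
                        AND ue.type = 'USER'
                        AND ue.name IN ('alice', 'bob')
CROSS JOIN (SELECT 'READ' AS permission
            UNION ALL SELECT 'UPDATE'
            UNION ALL SELECT 'DELETE') p
WHERE a.name = 'deptadmin' AND a.type = 'USER';

-- 3. The same three rights on the department's connections.
INSERT INTO guacamole_connection_permission (entity_id, connection_id, permission)
SELECT a.entity_id, c.connection_id, p.permission
FROM guacamole_entity a
JOIN guacamole_connection c ON c.connection_name LIKE 'dept-rdp-%'
CROSS JOIN (SELECT 'READ' AS permission
            UNION ALL SELECT 'UPDATE'
            UNION ALL SELECT 'DELETE') p
WHERE a.name = 'deptadmin' AND a.type = 'USER';

COMMIT;

-- Audit check: deptadmin must hold no ADMINISTER anywhere. Expect zero rows.
SELECT 'system' AS scope, sp.permission
FROM guacamole_system_permission sp
JOIN guacamole_entity e ON e.entity_id = sp.entity_id
WHERE e.name = 'deptadmin' AND sp.permission = 'ADMINISTER'
UNION ALL
SELECT 'user', up.permission
FROM guacamole_user_permission up
JOIN guacamole_entity e ON e.entity_id = up.entity_id
WHERE e.name = 'deptadmin' AND up.permission = 'ADMINISTER';
```

Whether READ/UPDATE/DELETE on both objects is enough for deptadmin to assign a connection to a user through the web UI is not stated in the thread, so test that step as deptadmin after running the inserts and adjust the object-level values accordingly.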