On Wed, Aug 30, 2023 at 10:55 AM Molina de la Iglesia, Manuel <[email protected]> wrote:
>
> Hi Nick.
>
> What I need is to be able to say which is the list of connections available
> (with permission) for each group, exactly the result of the db query of my
> last email.

You can already see all of the permissions assigned directly to a group through the web UI - if you go to the Groups section, then click on a group, at the bottom of the page it will list "Current Connections", which shows all connections that a group has explicitly been granted access to, and then "All Connections" where you can list all available connections and select additional ones.

The DB query that you sent:

1) Does not do any limit on what type of entity is granted permissions - it will return both users and groups.
2) Does not factor in inheritance - for example, permissions granted to a user through membership in a group. This is basically information already available on the web interface.
3) Does not provide any actual permissions information - it has two columns, an entity name and a connection name.
4) Behaved very strangely in my test environment. I have a handful of users (10, maybe), a handful of groups (4-5) and a handful of connections (10-12, maybe 20 at most), and the result returned 1024 rows, many of which were duplicates and most of which were the "guacadmin" user account.

>
> Is there any workaround to check it from the UI or through API?
>

The data is definitely in the database, and also in the API, it would just take some work to piece it all together, particularly for user groups. For users, there is an "effectivePermissions" API endpoint that lists all of the permissions that a given user has, whether assigned directly or through inheritance:

GET https://guacamole.example.com/api/session/data/postgresql/self/effectivePermissions

The output of this will be JSON that includes connections, connection groups, users, and user groups, which the user (in this case, "self" just means whatever user is currently logged in) has access to, and what type of access (READ, UPDATE, ADMINISTER, etc.).

For user groups, however, there is no "effectivePermissions" endpoint.
There are endpoints for pulling the directly-assigned permissions:

GET https://guacamole.example.com/api/session/data/postgresql/userGroups/group1/permissions

as well as other groups of which this group is a member:

GET https://guacamole.example.com/api/session/data/postgresql/userGroups/group1/userGroups

Using this data it would definitely be possible to pull together the list of permissions that any given group has, both directly assigned and inherited.

-Nick
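
The following is an added example for access reviews, not part of the message above and not Guacamole project code: it walks the two user-group endpoints named in the reply and merges direct and inherited connection permissions for one group. The function name, the `fetch` callable, the sample data and the JSON shapes noted in the docstring are assumptions.

```python
from collections import defaultdict
from urllib.parse import quote

# API path taken from the message above ("postgresql" is that deployment's data source).
BASE = "/api/session/data/postgresql/userGroups"


def effective_connection_permissions(group, fetch):
    """Merge direct and inherited connection permissions for one user group.

    fetch(path) must return the parsed JSON of a GET on that API path.
    Assumed response shapes (not confirmed by the message):
      .../permissions -> {"connectionPermissions": {"<id>": ["READ", ...]}, ...}
      .../userGroups  -> ["parentGroupName", ...]
    """
    merged = defaultdict(set)   # connection id -> permission types
    sources = defaultdict(set)  # connection id -> groups granting access
    seen, queue = set(), [group]
    while queue:
        name = queue.pop()
        if name in seen:        # membership cycles must not loop forever
            continue
        seen.add(name)
        path = f"{BASE}/{quote(name, safe='')}"
        perms = fetch(f"{path}/permissions")
        for conn_id, types in perms.get("connectionPermissions", {}).items():
            merged[conn_id].update(types)
            sources[conn_id].add(name)
        # Groups this group belongs to contribute inherited permissions.
        queue.extend(fetch(f"{path}/userGroups"))
    return {
        conn_id: {"permissions": sorted(merged[conn_id]),
                  "granted_by": sorted(sources[conn_id])}
        for conn_id in sorted(merged)
    }


# Constructed sample responses; "ops" deliberately lists "group1" as a parent
# to exercise the cycle guard.
SAMPLE = {
    f"{BASE}/group1/permissions": {"connectionPermissions": {"1": ["READ"]}},
    f"{BASE}/group1/userGroups": ["ops"],
    f"{BASE}/ops/permissions": {
        "connectionPermissions": {"1": ["UPDATE"], "7": ["READ"]}},
    f"{BASE}/ops/userGroups": ["group1"],
}

if __name__ == "__main__":
    report = effective_connection_permissions("group1", SAMPLE.__getitem__)
    for conn_id, info in report.items():
        print(conn_id, info["permissions"], "via", info["granted_by"])
```

Against a live server, `fetch` would wrap an authenticated GET against the Guacamole base URL; the `granted_by` field shows which group in the chain is the source of each grant.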
