Hello,

For my use case I want to have two different kinds of Guacamole administrators, one "system admin" which administers the entire instance and has full access to all resources and a so-called "department admin" which just has access to the resources of his department, users, user groups and connections. If we look into a user or a user group profile via the web frontend, we see below the section "PERMISSIONS" the following privileges:

* Administer system
* Create new users
* Create new user groups
* Create new connections
* Create new connection groups
* Create new sharing profiles
* Change own password

For the "department admin" role the privileges "Create new users" and "Create new connections" are what I want. If I grant some user these two, he/she can just do as literally described, just create new users or connections. But this is just half of the battle. Such an admin should be able to do the full life cycle management of users and connections: create, update (user - host associations) and delete them.

If I take a closer look into the database, the tables

* guacamole_connection_group_permission
* guacamole_connection_permission
* guacamole_sharing_profile_permission
* guacamole_system_permission
* guacamole_user_group_permission
* guacamole_user_permission

catch my eye. These entity mapping tables all have this ENUM value column "permission" with the possible values enum('READ','UPDATE','DELETE','ADMINISTER'), except for the table guacamole_system_permission with the ENUM values enum('CREATE_CONNECTION','CREATE_CONNECTION_GROUP','CREATE_SHARING_PROFILE','CREATE_USER','CREATE_USER_GROUP','ADMINISTER'), which is not such an entity mapping table.

Is it somehow possible by doing some INSERT statements to model such a "department admin" role as described? If not with all the features I want, maybe partially, meaning a little bit more than just creating users and connections? Update of the user-connection association would be good. Or do I misinterpret these mapping tables completely and they are used for something else that does not come to my mind?

Thank you for helping me with this.

--
Jürgen