Posted to issues@guacamole.apache.org by "Jason Haar (Jira)" <ji...@apache.org> on 2020/04/06 01:47:00 UTC
[jira] [Created] (GUACAMOLE-1010) enable concept of global policy enforcement to restrict options
Jason Haar created GUACAMOLE-1010:
-------------------------------------
Summary: enable concept of global policy enforcement to restrict options
Key: GUACAMOLE-1010
URL: https://issues.apache.org/jira/browse/GUACAMOLE-1010
Project: Guacamole
Issue Type: New Feature
Components: guacamole
Reporter: Jason Haar
Guacamole already has lots of options available to everyone who can create/edit connection profiles - in particular "device redirection".
This enables organizations who want to restrict things to do so - but only if they remove the option for end-users to create new connections, i.e. orgs have to go complete "nanny state" mode and remove all versatility from users.
How about if you enabled an "admin only" mode where options could be disabled globally within guacd.conf, and then only accounts with full admin privs could even see them? Then when other users with "create" access go to create/edit a connector, those options don't even show up - thereby stopping them from using them. I think the sections named "Remote Desktop Gateway", "Device Redirection", "Preconnection PDU / Hyper-V", "CONCURRENCY LIMITS", "LOAD BALANCING", "GUACAMOLE PROXY PARAMETERS", "Screen Recording" and "SFTP" all should be disable-able. That would allow orgs to allow individuals the flexibility of being able to create their own connectors, but restrict their options to a level the org is comfortable with - and with those areas not even showing up to the end-user, it would improve ease of use (you have to know quite a bit for most of those options to even make sense).
Also, clipboard itself should really be a "device redirection" option too. I think clipboard in a connection profile should be able to be configured as bidirectional (browser<->server), or browser->server only (server<->server should always be allowed).
Thanks for listening!
Jason