Posted to user@guacamole.apache.org by "Hermann, Uwe" <Uw...@de.ebmpapst.com> on 2020/08/13 11:18:01 UTC

Can't understand the inheritance of user groups

Hi all,

I think I don't understand the inheritance of connections (and connection groups) within user groups. The way I understand it "Member Groups" should inherit any connections and connection groups from their "Parent Groups", if both exist in the database (using a PostgreSQL database for connection storage as we're using SSO with SAML running Guacamole 1.2.0).

So I have created the following test groups

- Admin Group
- Parent Group 1
  - Member Group 1
  - Member Group 2
  - Member Group n

Our connections are configured this way:

group 1
    - subgroup 1
        - second subgroup 1
             - connection 1
             - connection 2
and so on

Our parent groups contain the main structure down to any subgroup, the member groups contain everything below (second subgroup and deeper).
The admin group can administrate the system

The following are the test results with users belonging to different groups:
User A belongs to the Admin Group and can see everything and use any connection
This is working as expected

User B belongs to Parent Group 1 and can only see the connection groups down to subgroup 1
This has not been expected. The expectation was that User B can see and use any connection belonging to the Member Groups of Parent Group 1

User C belongs to Member Group 1 and can see all connection groups (but not the connections) and the connections from its Member Group
This also has not been expected. The expectation was that User C is only able to see the connection groups her user group has been given access to

Is this working as it should? Or am I seeing a bug here?

Mit freundlichen Grüßen / Best regards

i.A. Uwe Hermann

ebm-papst IT (Mulfingen)
Datacenter Services

ebm-papst Mulfingen GmbH & Co. KG
Amtstraße 85
74673 Hollenbach
Phone: +49 (7938) 81 8732
Fax: +49 (7938) 81 98732
Uwe.Hermann@de.ebmpapst.com
http://www.ebmpapst.com



Re: Can't understand the inheritance of user groups

Posted by Mike Jumper <mj...@apache.org>.
On Thu, Aug 13, 2020, 04:18 Hermann, Uwe <Uw...@de.ebmpapst.com>
wrote:

> Hi all,
>
> I think I don't understand the inheritance of connections (and connection
> groups) within user groups. The way I understand it "Member Groups" should
> inherit any connections and connection groups from their "Parent Groups",
> if both exist in the database (using a PostgreSQL database for connection
> storage as we're using SSO with SAML running Guacamole 1.2.0).
>
> So I have created the following test groups
>
> - Admin Group
> - Parent Group 1
>   - Member Group 1
>   - Member Group 2
>   - Member Group n
>
> Our connections are configured this way:
>
> group 1
>     - subgroup 1
>         - second subgroup 1
>              - connection 1
>              - connection 2
> and so on
>
> Our parent groups contain the main structure down to any subgroup, the
> member groups contain everything below (second subgroup and deeper).
> The admin group can administrate the system
>
> The following are the test results with users belonging to different
> groups:
> User A belongs to the Admin Group and can see everything and use any
> connection
> This is working as expected
>
> User B belongs to Parent Group 1 and can only see the connection groups
> down to subgroup 1
> This has not been expected. The expectation was that User B can see and
> use any connection belonging to the Member Groups of Parent Group 1
>
> User C belongs to Member Group 1 and can see all connection groups (but
> not the connections) and the connections from its Member Group
> This also has not been expected. The expectation was that User C is only
> able to see the connection groups her user group has been given access to
>
> Is this working as it should?
>

Yes, you are just conceptualizing group inheritance backwards.

A member of a group inherits the permissions granted to that group. This is
true whether the member is a user or another group.

If you have the following hierarchy:

GroupA:
    User1
    GroupB:
        User2
        GroupC:
            User3

Then:

* "User1" inherits permissions from "GroupA".
* "User2" inherits permissions from "GroupB" and "GroupA".
* "User3" inherits permissions from all three groups.

If you want a particular group to inherit permissions from several groups,
then that group needs to be made a member of those groups, not the other
way around.

- Mike
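
The inheritance rule from the reply above, worked through as an added example (not part of the original thread and not Guacamole's own code). The group and user names are the ones in the reply; the permission strings in `GRANTS` are constructed placeholders.

```python
from collections import deque

# member -> groups it is a direct member of (hierarchy from the reply)
MEMBER_OF = {
    "User1": {"GroupA"},
    "GroupB": {"GroupA"},
    "User2": {"GroupB"},
    "GroupC": {"GroupB"},
    "User3": {"GroupC"},
}

# Constructed sample grants; the permission names are placeholders.
GRANTS = {
    "GroupA": {"READ group 1"},
    "GroupB": {"READ subgroup 1"},
    "GroupC": {"READ connection 1"},
}


def inherited_groups(entity, member_of=MEMBER_OF):
    """Every group the entity belongs to, directly or via nested groups."""
    seen = set()
    queue = deque(member_of.get(entity, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue  # visited already; also stops membership cycles
        seen.add(group)
        queue.extend(member_of.get(group, ()))
    return seen


def effective_permissions(entity, member_of=MEMBER_OF, grants=GRANTS):
    """Own grants plus the grants of every group reached by membership."""
    perms = set(grants.get(entity, ()))
    for group in inherited_groups(entity, member_of):
        perms |= grants.get(group, set())
    return perms


if __name__ == "__main__":
    for user in ("User1", "User2", "User3"):
        print(user, sorted(inherited_groups(user)),
              sorted(effective_permissions(user)))
```

Grants flow from a group to its members only: "User1", who sits in the outermost group, receives nothing that was granted to "GroupB" or "GroupC".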