[ https://issues.apache.org/jira/browse/GUACAMOLE-1957?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17863629#comment-17863629 ]
Adam commented on GUACAMOLE-1957:
---------------------------------

So, if I understand correctly - now the idea is to assign the ADMINISTER permission to a group which the user is a member of, not to the user himself. That's a good idea.

Remodeling the permissions management interface is also a very good idea - to be honest, even more tinkering is needed here - for example, now, when a user can create new connections, he cannot assign other users/groups permissions to use them. To make that possible he has to have full Administrator permissions, which makes granular policy management non-existent - for now, it's impossible (at least using the GUI) to create a group of "Moderators" who are only able to add/delete connections and allow others to use them, without allowing them to, for example, manage other users.

> Support more granular permissions assignment in client
> ------------------------------------------------------
>
>                 Key: GUACAMOLE-1957
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1957
>             Project: Guacamole
>          Issue Type: Improvement
>         Environment: Guacamole and guacd installed using official docker
> images.
>            Reporter: Adam
>            Assignee: Nick Couchman
>            Priority: Minor
>
> If a user has any administrative permissions assigned to him, either
> directly or inherited from a group, and created anything using these
> permissions (user, group, connection, etc.), he can perform administrative
> actions on these items even after the administrative permissions are detached
> from him, either directly or by removing him from the group from which these
> permissions were inherited.
> This effectively makes the user a lifelong administrator of items he created,
> even after this user does not have these permissions anymore.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)