User can't create connection in group

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

User can't create connection in group

Karl Fiabeschi
Hi all,

scenario:

user: admin, userA, userB

admin create userA and userB and set them "can create connection" and "can create group".

Admin create group1 and set on user page to userA and userB.

Problems:

UserA and UserB can't create new connections under the group1 (only in the root directory), the error say:

Permission denied.

LOG:

https://pastebin.com/cDJL53NM

if userA create a group on root location called group2, admins let userB to access to it, userB can't create new connection under group2.
Error and logs is the same..
 
only if i put userA/B "system administrator" can create connection in groups

thanks
Reply | Threaded
Open this post in threaded view
|

Re: User can't create connection in group

Mike Jumper
Only the creator of a group (or the administrator) will be able to create or delete connections therein.


On Jun 8, 2017 2:45 PM, "Karl Fiabeschi" <[hidden email]> wrote:
Hi all,

scenario:

user: admin, userA, userB

admin create userA and userB and set them "can create connection" and "can
create group".

Admin create group1 and set on user page to userA and userB.

Problems:

UserA and UserB can't create new connections under the group1 (only in the
root directory), the error say:

Permission denied.

LOG:

https://pastebin.com/cDJL53NM

if userA create a group on root location called group2, admins let userB to
access to it, userB can't create new connection under group2.
Error and logs is the same..

only if i put userA/B "system administrator" can create connection in groups

thanks



--
View this message in context: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/User-can-t-create-connection-in-group-tp1097.html
Sent from the Apache Guacamole (incubating) - Users mailing list archive at Nabble.com.
Reply | Threaded
Open this post in threaded view
|

Re: User can't create connection in group

Karl Fiabeschi


2017-06-08 23:48 GMT+02:00 Mike Jumper <[hidden email]>:
Only the creator of a group (or the administrator) will be able to create or delete connections therein.

As design choice? or?
Reply | Threaded
Open this post in threaded view
|

Re: User can't create connection in group

Mike Jumper
On Thu, Jun 8, 2017 at 3:01 PM, Karl Fiabeschi <[hidden email]> wrote:
>
>
> 2017-06-08 23:48 GMT+02:00 Mike Jumper <[hidden email]>:
>>
>> Only the creator of a group (or the administrator) will be able to create
>> or delete connections therein.
>
>
> As design choice?

Yes.

The permissions themselves are discussed in detail here:
http://guacamole.incubator.apache.org/doc/gug/guacamole-ext.html#ext-permissions

When a user creates an object (whether that be a connection,
connection group, or other user), the database authentication
automatically grants that user READ, UPDATE, DELETE, and ADMINISTER
permission on that object. When you explicitly grant permission for
connection or connection group by checking the box next to it in the
admin UI, you are actually only granting READ permission.

The CREATE_CONNECTION, CREATE_CONNECTION_GROUP, etc. permissions
control the ability to create such objects, but whether that object
can be created within an existing connection group depends also on the
permissions granted for that group. The only exception here is a user
with system-level ADMINISTER permission, as that permission implies
all others.

- Mike