GUACAMOLE-220: Refactor handling of JDBC permissions to abstract away users vs. user groups.

2025-09-07 05:31:22 +00:00 · 2018-04-07 19:10:38 -07:00
parent 14d10fb42a
commit 69f58c8ca3
22 changed files with 673 additions and 471 deletions
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderModule.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderModule.java
@@ -60,6 +60,7 @@ import org.apache.guacamole.auth.jdbc.activeconnection.ActiveConnectionPermissio
 import org.apache.guacamole.auth.jdbc.activeconnection.ActiveConnectionService;
 import org.apache.guacamole.auth.jdbc.activeconnection.TrackedActiveConnection;
 import org.apache.guacamole.auth.jdbc.base.EntityMapper;
 import org.apache.guacamole.auth.jdbc.base.EntityService;
 import org.apache.guacamole.auth.jdbc.connection.ConnectionParameterMapper;
 import org.apache.guacamole.auth.jdbc.permission.SharingProfilePermissionMapper;
 import org.apache.guacamole.auth.jdbc.permission.SharingProfilePermissionService;
@@ -161,6 +162,7 @@ public class JDBCAuthenticationProviderModule extends MyBatisModule {
        bind(ConnectionPermissionService.class);
        bind(ConnectionSharingService.class);
        bind(ConnectionService.class);
        bind(EntityService.class);
        bind(GuacamoleTunnelService.class).to(RestrictedGuacamoleTunnelService.class);
        bind(PasswordEncryptionService.class).to(SHA256PasswordEncryptionService.class);
        bind(PasswordPolicyService.class);
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java
@@ -27,12 +27,13 @@ import java.util.HashSet;
 import java.util.Set;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.GuacamoleSecurityException;
 import org.apache.guacamole.auth.jdbc.base.EntityModel;
 import org.apache.guacamole.auth.jdbc.base.ModeledPermissions;
 import org.apache.guacamole.auth.jdbc.permission.AbstractPermissionService;
 import org.apache.guacamole.auth.jdbc.permission.ObjectPermissionService;
 import org.apache.guacamole.auth.jdbc.tunnel.ActiveConnectionRecord;
 import org.apache.guacamole.auth.jdbc.tunnel.GuacamoleTunnelService;
 import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
 import org.apache.guacamole.auth.jdbc.user.ModeledUser;
 import org.apache.guacamole.net.auth.permission.ObjectPermission;
 import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
@@ -58,12 +59,13 @@ public class ActiveConnectionPermissionService
    @Override
    public boolean hasPermission(ModeledAuthenticatedUser user,
-            ModeledUser targetUser, ObjectPermission.Type type,
+            ModeledPermissions<? extends EntityModel> targetEntity,
-            String identifier, Set<String> effectiveGroups) throws GuacamoleException {
+            ObjectPermission.Type type, String identifier,
            Set<String> effectiveGroups) throws GuacamoleException {
        // Retrieve permissions
        Set<ObjectPermission> permissions = retrievePermissions(user,
-                targetUser, effectiveGroups);
+                targetEntity, effectiveGroups);
        // Permission is granted if retrieved permissions contains the
        // requested permission
@@ -74,14 +76,14 @@ public class ActiveConnectionPermissionService
    @Override
    public Set<ObjectPermission> retrievePermissions(ModeledAuthenticatedUser user,
-            ModeledUser targetUser, Set<String> effectiveGroups)
+            ModeledPermissions<? extends EntityModel> targetEntity,
-            throws GuacamoleException {
+            Set<String> effectiveGroups) throws GuacamoleException {
        // Retrieve permissions only if allowed
-        if (canReadPermissions(user, targetUser)) {
+        if (canReadPermissions(user, targetEntity)) {
            // Only administrators may access active connections
-            boolean isAdmin = targetUser.isAdministrator();
+            boolean isAdmin = targetEntity.isAdministrator();
            // Get all active connections
            Collection<ActiveConnectionRecord> records = tunnelService.getActiveConnections(user);
@@ -110,11 +112,12 @@ public class ActiveConnectionPermissionService
    @Override
    public Collection<String> retrieveAccessibleIdentifiers(ModeledAuthenticatedUser user,
-            ModeledUser targetUser, Collection<ObjectPermission.Type> permissionTypes,
+            ModeledPermissions<? extends EntityModel> targetEntity,
            Collection<ObjectPermission.Type> permissionTypes,
            Collection<String> identifiers, Set<String> effectiveGroups)
            throws GuacamoleException {
-        Set<ObjectPermission> permissions = retrievePermissions(user, targetUser, effectiveGroups);
+        Set<ObjectPermission> permissions = retrievePermissions(user, targetEntity, effectiveGroups);
        Collection<String> accessibleObjects = new ArrayList<String>(permissions.size());
        // For each identifier/permission combination
@@ -137,12 +140,12 @@ public class ActiveConnectionPermissionService
    @Override
    public ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user,
-            ModeledUser targetUser, Set<String> effectiveGroups)
+            ModeledPermissions<? extends EntityModel> targetEntity,
-            throws GuacamoleException {
+            Set<String> effectiveGroups) throws GuacamoleException {
-        // Create permission set for requested user
+        // Create permission set for requested entity
        ActiveConnectionPermissionSet permissionSet = activeConnectionPermissionSetProvider.get();
-        permissionSet.init(user, targetUser, effectiveGroups);
+        permissionSet.init(user, targetEntity, effectiveGroups);
        return permissionSet;
@@ -150,7 +153,8 @@ public class ActiveConnectionPermissionService
    @Override
    public void createPermissions(ModeledAuthenticatedUser user,
-            ModeledUser targetUser, Collection<ObjectPermission> permissions)
+            ModeledPermissions<? extends EntityModel> targetEntity,
            Collection<ObjectPermission> permissions)
            throws GuacamoleException {
        // Creating active connection permissions is not implemented
@@ -160,7 +164,8 @@ public class ActiveConnectionPermissionService
    @Override
    public void deletePermissions(ModeledAuthenticatedUser user,
-            ModeledUser targetUser, Collection<ObjectPermission> permissions)
+            ModeledPermissions<? extends EntityModel> targetEntity,
            Collection<ObjectPermission> permissions)
            throws GuacamoleException {
        // Deleting active connection permissions is not implemented
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/EntityMapper.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/EntityMapper.java
@@ -19,6 +19,8 @@
 package org.apache.guacamole.auth.jdbc.base;
 import java.util.Collection;
 import java.util.Set;
 import org.apache.ibatis.annotations.Param;
 /**
@@ -40,4 +42,24 @@ public interface EntityMapper {
     */
    int insert(@Param("entity") EntityModel entity);
    /**
     * Returns the set of all group identifiers of which the given entity is a
     * member, taking into account the given collection of known group
     * memberships which are not necessarily defined within the database.
     *
     * @param entity
     *     The entity whose effective groups should be returned.
     *
     * @param effectiveGroups
     *     The identifiers of any known effective groups that should be taken
     *     into account, such as those defined externally to the database.
     *
     * @return
     *     The set of identifiers of all groups that the given entity is a
     *     member of, including those where membership is inherited through
     *     membership in other groups.
     */
    Set<String> selectEffectiveGroupIdentifiers(@Param("entity") EntityModel entity,
            @Param("effectiveGroups") Collection<String> effectiveGroups);
 }
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/EntityService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/EntityService.java
@@ -0,0 +1,65 @@
 /*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
 package org.apache.guacamole.auth.jdbc.base;
 import com.google.inject.Inject;
 import java.util.Collection;
 import java.util.Set;
 /**
 * Service which provides convenience methods for creating, retrieving, and
 * manipulating entities.
 */
 public class EntityService {
    /**
     * Mapper for Entity model objects.
     */
    @Inject
    private EntityMapper entityMapper;
    /**
     * Returns the set of all group identifiers of which the given entity is a
     * member, taking into account the given collection of known group
     * memberships which are not necessarily defined within the database.
     * 
     * Note that group visibility with respect to the queried entity is NOT
     * taken into account. If the entity is a member of a group, the identifier
     * of that group will be included in the returned set even if the current
     * user lacks "READ" permission for that group.
     *
     * @param entity
     *     The entity whose effective groups should be returned.
     *
     * @param effectiveGroups
     *     The identifiers of any known effective groups that should be taken
     *     into account, such as those defined externally to the database.
     *
     * @return
     *     The set of identifiers of all groups that the given entity is a
     *     member of, including those where membership is inherited through
     *     membership in other groups.
     */
    public Set<String> retrieveEffectiveGroups(ModeledPermissions<? extends EntityModel> entity,
            Collection<String> effectiveGroups) {
        return entityMapper.selectEffectiveGroupIdentifiers(entity.getModel(), effectiveGroups);
    }
 }
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledPermissions.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledPermissions.java
@@ -0,0 +1,266 @@
 /*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
 package org.apache.guacamole.auth.jdbc.base;
 import com.google.inject.Inject;
 import java.util.Collections;
 import java.util.Set;
 import org.apache.guacamole.auth.jdbc.permission.SystemPermissionService;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.jdbc.activeconnection.ActiveConnectionPermissionService;
 import org.apache.guacamole.auth.jdbc.permission.ConnectionGroupPermissionService;
 import org.apache.guacamole.auth.jdbc.permission.ConnectionPermissionService;
 import org.apache.guacamole.auth.jdbc.permission.SharingProfilePermissionService;
 import org.apache.guacamole.auth.jdbc.permission.UserPermissionService;
 import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
 import org.apache.guacamole.net.auth.Permissions;
 import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
 import org.apache.guacamole.net.auth.permission.SystemPermission;
 import org.apache.guacamole.net.auth.permission.SystemPermissionSet;
 import org.apache.guacamole.net.auth.simple.SimpleObjectPermissionSet;
 /**
 * An implementation of the base Permissions interface which is common to both
 * Users and UserGroups, backed by a database model.
 *
 * @param <ModelType>
 *     The type of model object that corresponds to this object.
 */
 public abstract class ModeledPermissions<ModelType extends EntityModel>
        extends ModeledDirectoryObject<ModelType> implements Permissions {
    /**
     * Service for retrieving entity details.
     */
    @Inject
    private EntityService entityService;
    /**
     * Service for retrieving system permissions.
     */
    @Inject
    private SystemPermissionService systemPermissionService;
    /**
     * Service for retrieving connection permissions.
     */
    @Inject
    private ConnectionPermissionService connectionPermissionService;
    /**
     * Service for retrieving connection group permissions.
     */
    @Inject
    private ConnectionGroupPermissionService connectionGroupPermissionService;
    /**
     * Service for retrieving sharing profile permissions.
     */
    @Inject
    private SharingProfilePermissionService sharingProfilePermissionService;
    /**
     * Service for retrieving active connection permissions.
     */
    @Inject
    private ActiveConnectionPermissionService activeConnectionPermissionService;
    /**
     * Service for retrieving user permissions.
     */
    @Inject
    private UserPermissionService userPermissionService;
    /**
     * Returns whether the underlying entity is a user. Entities may be either
     * users or user groups.
     *
     * @return
     *     true if the underlying entity is a user, false otherwise.
     */
    public boolean isUser() {
        return getModel().getEntityType() == EntityType.USER;
    }
    /**
     * Returns whether the underlying entity is a user group. Entities may be
     * either users or user groups.
     *
     * @return
     *     true if the underlying entity is a user group, false otherwise.
     */
    public boolean isUserGroup() {
        return getModel().getEntityType() == EntityType.USER_GROUP;
    }
    /**
     * Returns whether this entity is a system administrator, and thus is not
     * restricted by permissions, taking into account permission inheritance
     * via user groups.
     *
     * @return
     *    true if this entity is a system administrator, false otherwise.
     *
     * @throws GuacamoleException
     *    If an error occurs while determining the entity's system administrator
     *    status.
     */
    public boolean isAdministrator() throws GuacamoleException {
        SystemPermissionSet systemPermissionSet = getEffective().getSystemPermissions();
        return systemPermissionSet.hasPermission(SystemPermission.Type.ADMINISTER);
    }
    @Override
    public SystemPermissionSet getSystemPermissions()
            throws GuacamoleException {
        return systemPermissionService.getPermissionSet(getCurrentUser(), this,
                Collections.<String>emptySet());
    }
    @Override
    public ObjectPermissionSet getConnectionPermissions()
            throws GuacamoleException {
        return connectionPermissionService.getPermissionSet(getCurrentUser(),
                this, Collections.<String>emptySet());
    }
    @Override
    public ObjectPermissionSet getConnectionGroupPermissions()
            throws GuacamoleException {
        return connectionGroupPermissionService.getPermissionSet(
                getCurrentUser(), this, Collections.<String>emptySet());
    }
    @Override
    public ObjectPermissionSet getSharingProfilePermissions()
            throws GuacamoleException {
        return sharingProfilePermissionService.getPermissionSet(
                getCurrentUser(), this, Collections.<String>emptySet());
    }
    @Override
    public ObjectPermissionSet getActiveConnectionPermissions()
            throws GuacamoleException {
        return activeConnectionPermissionService.getPermissionSet(
                getCurrentUser(), this, Collections.<String>emptySet());
    }
    @Override
    public ObjectPermissionSet getUserPermissions()
            throws GuacamoleException {
        return userPermissionService.getPermissionSet(getCurrentUser(), this,
                Collections.<String>emptySet());
    }
    @Override
    public ObjectPermissionSet getUserGroupPermissions() throws GuacamoleException {
        // FIXME: STUB
        return new SimpleObjectPermissionSet();
    }
    /**
     * Returns the identifiers of all user groups defined within the database
     * which apply to this user, including any groups inherited through
     * membership in yet more groups.
     *
     * @return
     *     The identifiers of all user groups defined within the database which
     *     apply to this user.
     */
    public Set<String> getEffectiveUserGroups() {
        return entityService.retrieveEffectiveGroups(this,
                Collections.<String>emptySet());
    }
    /**
     * Returns a Permissions object which represents all permissions granted to
     * this entity, including any permissions inherited through group
     * membership.
     *
     * @return
     *     A Permissions object which represents all permissions granted to
     *     this entity.
     */
    public Permissions getEffective() {
        final ModeledAuthenticatedUser authenticatedUser = getCurrentUser();
        final Set<String> effectiveGroups;
        // If this user is the currently-authenticated user, include any
        // additional effective groups declared by the authentication system
        if (authenticatedUser.getIdentifier().equals(getIdentifier()))
            effectiveGroups = entityService.retrieveEffectiveGroups(this,
                    authenticatedUser.getEffectiveUserGroups());
        // Otherwise, just include effective groups from the database
        else
            effectiveGroups = getEffectiveUserGroups();
        // Return a permissions object which describes all effective
        // permissions, including any permissions inherited via user groups
        return new Permissions() {
            @Override
            public ObjectPermissionSet getActiveConnectionPermissions()
                    throws GuacamoleException {
                return activeConnectionPermissionService.getPermissionSet(authenticatedUser, ModeledPermissions.this, effectiveGroups);
            }
            @Override
            public ObjectPermissionSet getConnectionGroupPermissions()
                    throws GuacamoleException {
                return connectionGroupPermissionService.getPermissionSet(authenticatedUser, ModeledPermissions.this, effectiveGroups);
            }
            @Override
            public ObjectPermissionSet getConnectionPermissions()
                    throws GuacamoleException {
                return connectionPermissionService.getPermissionSet(authenticatedUser, ModeledPermissions.this, effectiveGroups);
            }
            @Override
            public ObjectPermissionSet getSharingProfilePermissions()
                    throws GuacamoleException {
                return sharingProfilePermissionService.getPermissionSet(authenticatedUser, ModeledPermissions.this, effectiveGroups);
            }
            @Override
            public SystemPermissionSet getSystemPermissions()
                    throws GuacamoleException {
                return systemPermissionService.getPermissionSet(authenticatedUser, ModeledPermissions.this, effectiveGroups);
            }
            @Override
            public ObjectPermissionSet getUserPermissions()
                    throws GuacamoleException {
                return userPermissionService.getPermissionSet(authenticatedUser, ModeledPermissions.this, effectiveGroups);
            }
            @Override
            public ObjectPermissionSet getUserGroupPermissions()
                    throws GuacamoleException {
                // FIXME: STUB
                return new SimpleObjectPermissionSet();
            }
        };
    }
 }
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/AbstractPermissionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/AbstractPermissionService.java
@@ -20,8 +20,10 @@
 package org.apache.guacamole.auth.jdbc.permission;
 import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
 import org.apache.guacamole.auth.jdbc.user.ModeledUser;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.jdbc.base.EntityModel;
 import org.apache.guacamole.auth.jdbc.base.ModeledPermissions;
 import org.apache.guacamole.auth.jdbc.user.ModeledUser;
 import org.apache.guacamole.net.auth.permission.ObjectPermission;
 import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
 import org.apache.guacamole.net.auth.permission.Permission;
@@ -41,17 +43,51 @@ public abstract class AbstractPermissionService<PermissionSetType extends Permis
        PermissionType extends Permission>
    implements PermissionService<PermissionSetType, PermissionType> {
    /**
     * Returns the ObjectPermissionSet related to the type of the given entity.
     * If the given entity represents a user, then the ObjectPermissionSet
     * containing user permissions is returned. If the given entity represents
     * a user group, then the ObjectPermissionSet containing user group
     * permissions is returned.
     *
     * @param user
     *     The user to retrieve the ObjectPermissionSet from.
     *
     * @param targetEntity
     *     The entity whose type dictates the ObjectPermissionSet returned.
     *
     * @return
     *     The ObjectPermissionSet related to the type of the given entity.
     *
     * @throws GuacamoleException
     *     If the relevant ObjectPermissionSet cannot be retrieved.
     */
    protected ObjectPermissionSet getRelevantPermissionSet(ModeledUser user,
            ModeledPermissions<? extends EntityModel> targetEntity)
            throws GuacamoleException {
        if (targetEntity.isUser())
            return user.getUserPermissions();
        if (targetEntity.isUserGroup())
            return user.getUserGroupPermissions();
        // Entities should be only users or groups
        throw new UnsupportedOperationException("Unexpected entity type.");
    }
    /**
     * Determines whether the given user can read the permissions currently
-     * granted to the given target user. If the reading user and the target
+     * granted to the given target entity. If the reading user and the target
-     * user are not the same, then explicit READ or SYSTEM_ADMINISTER access is
+     * entity are not the same, then explicit READ or SYSTEM_ADMINISTER access
-     * required. Permission inheritance via user groups is taken into account.
+     * is required. Permission inheritance via user groups is taken into account.
     *
     * @param user
     *     The user attempting to read permissions.
     *
-     * @param targetUser
+     * @param targetEntity
-     *     The user whose permissions are being read.
+     *     The entity whose permissions are being read.
     *
     * @return
     *     true if permission is granted, false otherwise.
@@ -61,19 +97,20 @@ public abstract class AbstractPermissionService<PermissionSetType extends Permis
     *     permission is denied to read the current user's permissions.
     */
    protected boolean canReadPermissions(ModeledAuthenticatedUser user,
-            ModeledUser targetUser) throws GuacamoleException {
+            ModeledPermissions<? extends EntityModel> targetEntity)
            throws GuacamoleException {
        // A user can always read their own permissions
-        if (user.getUser().getIdentifier().equals(targetUser.getIdentifier()))
+        if (targetEntity.isUser() && user.getUser().getIdentifier().equals(targetEntity.getIdentifier()))
            return true;
        // A system adminstrator can do anything
        if (user.getUser().isAdministrator())
            return true;
-        // Can read permissions on target user if explicit READ is granted
+        // Can read permissions on target entity if explicit READ is granted
-        ObjectPermissionSet userPermissionSet = user.getUser().getEffectivePermissions().getUserPermissions();
+        ObjectPermissionSet permissionSet = getRelevantPermissionSet(user.getUser(), targetEntity);
-        return userPermissionSet.hasPermission(ObjectPermission.Type.READ, targetUser.getIdentifier());
+        return permissionSet.hasPermission(ObjectPermission.Type.READ, targetEntity.getIdentifier());
    }
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionGroupPermissionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionGroupPermissionService.java
@@ -24,7 +24,8 @@ import com.google.inject.Provider;
 import java.util.Set;
 import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
 import org.apache.guacamole.GuacamoleException;
-import org.apache.guacamole.auth.jdbc.user.ModeledUser;
+import org.apache.guacamole.auth.jdbc.base.EntityModel;
 import org.apache.guacamole.auth.jdbc.base.ModeledPermissions;
 /**
 * Service which provides convenience methods for creating, retrieving, and
@@ -52,12 +53,12 @@ public class ConnectionGroupPermissionService extends ModeledObjectPermissionSer
    @Override
    public ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user,
-            ModeledUser targetUser, Set<String> effectiveGroups)
+            ModeledPermissions<? extends EntityModel> targetEntity,
-            throws GuacamoleException {
+            Set<String> effectiveGroups) throws GuacamoleException {
-        // Create permission set for requested user
+        // Create permission set for requested entity
        ObjectPermissionSet permissionSet = connectionGroupPermissionSetProvider.get();
-        permissionSet.init(user, targetUser, effectiveGroups);
+        permissionSet.init(user, targetEntity, effectiveGroups);
        return permissionSet;
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionPermissionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ConnectionPermissionService.java
@@ -24,7 +24,8 @@ import com.google.inject.Provider;
 import java.util.Set;
 import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
 import org.apache.guacamole.GuacamoleException;
-import org.apache.guacamole.auth.jdbc.user.ModeledUser;
+import org.apache.guacamole.auth.jdbc.base.EntityModel;
 import org.apache.guacamole.auth.jdbc.base.ModeledPermissions;
 /**
 * Service which provides convenience methods for creating, retrieving, and
@@ -52,12 +53,12 @@ public class ConnectionPermissionService extends ModeledObjectPermissionService
    @Override
    public ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user,
-            ModeledUser targetUser, Set<String> effectiveGroups)
+            ModeledPermissions<? extends EntityModel> targetEntity,
-            throws GuacamoleException {
+            Set<String> effectiveGroups) throws GuacamoleException {
-        // Create permission set for requested user
+        // Create permission set for requested entity
        ObjectPermissionSet permissionSet = connectionPermissionSetProvider.get();
-        permissionSet.init(user, targetUser, effectiveGroups);
+        permissionSet.init(user, targetEntity, effectiveGroups);
        return permissionSet;
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledObjectPermissionService.java
@@ -24,9 +24,10 @@ import java.util.Collections;
 import java.util.HashSet;
 import java.util.Set;
 import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
 import org.apache.guacamole.auth.jdbc.user.ModeledUser;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.GuacamoleSecurityException;
 import org.apache.guacamole.auth.jdbc.base.EntityModel;
 import org.apache.guacamole.auth.jdbc.base.ModeledPermissions;
 import org.apache.guacamole.net.auth.permission.ObjectPermission;
 import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
@@ -48,13 +49,14 @@ public abstract class ModeledObjectPermissionService
    }
    @Override
-    protected ObjectPermissionModel getModelInstance(ModeledUser targetUser,
+    protected ObjectPermissionModel getModelInstance(
            ModeledPermissions<? extends EntityModel> targetEntity,
            ObjectPermission permission) {
        ObjectPermissionModel model = new ObjectPermissionModel();
-        // Populate model object with data from user and permission
+        // Populate model object with data from entity and permission
-        model.setEntityID(targetUser.getModel().getEntityID());
+        model.setEntityID(targetEntity.getModel().getEntityID());
        model.setType(permission.getType());
        model.setObjectIdentifier(permission.getObjectIdentifier());
@@ -64,31 +66,32 @@ public abstract class ModeledObjectPermissionService
    /**
     * Determines whether the current user has permission to update the given
-     * target user, adding or removing the given permissions. Such permission
+     * target entity, adding or removing the given permissions. Such permission
     * depends on whether the current user is a system administrator, whether
-     * they have explicit UPDATE permission on the target user, and whether
+     * they have explicit UPDATE permission on the target entity, and whether
     * they have explicit ADMINISTER permission on all affected objects.
     * Permission inheritance via user groups is taken into account.
     *
     * @param user
     *     The user who is changing permissions.
     *
-     * @param targetUser
+     * @param targetEntity
-     *     The user whose permissions are being changed.
+     *     The entity whose permissions are being changed.
     *
     * @param permissions
     *     The permissions that are being added or removed from the target
-     *     user.
+     *     entity.
     *
     * @return
-     *     true if the user has permission to change the target users
+     *     true if the user has permission to change the target entity's
     *     permissions as specified, false otherwise.
     *
     * @throws GuacamoleException
     *     If an error occurs while checking permission status, or if
     *     permission is denied to read the current user's permissions.
     */
-    protected boolean canAlterPermissions(ModeledAuthenticatedUser user, ModeledUser targetUser,
+    protected boolean canAlterPermissions(ModeledAuthenticatedUser user,
            ModeledPermissions<? extends EntityModel> targetEntity,
            Collection<ObjectPermission> permissions)
            throws GuacamoleException {
@@ -96,9 +99,9 @@ public abstract class ModeledObjectPermissionService
        if (user.getUser().isAdministrator())
            return true;
-        // Verify user has update permission on the target user
+        // Verify user has update permission on the target entity
-        ObjectPermissionSet userPermissionSet = user.getUser().getEffectivePermissions().getUserPermissions();
+        ObjectPermissionSet permissionSet = getRelevantPermissionSet(user.getUser(), targetEntity);
-        if (!userPermissionSet.hasPermission(ObjectPermission.Type.UPDATE, targetUser.getIdentifier()))
+        if (!permissionSet.hasPermission(ObjectPermission.Type.UPDATE, targetEntity.getIdentifier()))
            return false;
        // Produce collection of affected identifiers
@@ -122,13 +125,14 @@ public abstract class ModeledObjectPermissionService
    }
    @Override
-    public void createPermissions(ModeledAuthenticatedUser user, ModeledUser targetUser,
+    public void createPermissions(ModeledAuthenticatedUser user,
            ModeledPermissions<? extends EntityModel> targetEntity,
            Collection<ObjectPermission> permissions)
            throws GuacamoleException {
        // Create permissions only if user has permission to do so
-        if (canAlterPermissions(user, targetUser, permissions)) {
+        if (canAlterPermissions(user, targetEntity, permissions)) {
-            Collection<ObjectPermissionModel> models = getModelInstances(targetUser, permissions);
+            Collection<ObjectPermissionModel> models = getModelInstances(targetEntity, permissions);
            getPermissionMapper().insert(models);
            return;
        }
@@ -139,13 +143,14 @@ public abstract class ModeledObjectPermissionService
    }
    @Override
-    public void deletePermissions(ModeledAuthenticatedUser user, ModeledUser targetUser,
+    public void deletePermissions(ModeledAuthenticatedUser user,
            ModeledPermissions<? extends EntityModel> targetEntity,
            Collection<ObjectPermission> permissions)
            throws GuacamoleException {
        // Delete permissions only if user has permission to do so
-        if (canAlterPermissions(user, targetUser, permissions)) {
+        if (canAlterPermissions(user, targetEntity, permissions)) {
-            Collection<ObjectPermissionModel> models = getModelInstances(targetUser, permissions);
+            Collection<ObjectPermissionModel> models = getModelInstances(targetEntity, permissions);
            getPermissionMapper().delete(models);
            return;
        }
@@ -157,23 +162,24 @@ public abstract class ModeledObjectPermissionService
    @Override
    public boolean hasPermission(ModeledAuthenticatedUser user,
-            ModeledUser targetUser, ObjectPermission.Type type,
+            ModeledPermissions<? extends EntityModel> targetEntity,
-            String identifier, Set<String> effectiveGroups)
+            ObjectPermission.Type type, String identifier,
-            throws GuacamoleException {
+            Set<String> effectiveGroups) throws GuacamoleException {
        // Retrieve permissions only if allowed
-        if (canReadPermissions(user, targetUser))
+        if (canReadPermissions(user, targetEntity))
-            return getPermissionMapper().selectOne(targetUser.getModel(), type,
+            return getPermissionMapper().selectOne(targetEntity.getModel(),
-                    identifier, effectiveGroups) != null;
+                    type, identifier, effectiveGroups) != null;
-        // User cannot read this user's permissions
+        // User cannot read this entity's permissions
        throw new GuacamoleSecurityException("Permission denied.");
    }
    @Override
    public Collection<String> retrieveAccessibleIdentifiers(ModeledAuthenticatedUser user,
-            ModeledUser targetUser, Collection<ObjectPermission.Type> permissions,
+            ModeledPermissions<? extends EntityModel> targetEntity,
            Collection<ObjectPermission.Type> permissions,
            Collection<String> identifiers, Set<String> effectiveGroups)
            throws GuacamoleException {
@@ -182,7 +188,7 @@ public abstract class ModeledObjectPermissionService
            return identifiers;
        // Retrieve permissions only if allowed
-        if (canReadPermissions(user, targetUser)) {
+        if (canReadPermissions(user, targetEntity)) {
            // If user is an admin, everything is accessible
            if (user.getUser().isAdministrator())
@@ -190,12 +196,12 @@ public abstract class ModeledObjectPermissionService
            // Otherwise, return explicitly-retrievable identifiers
            return getPermissionMapper().selectAccessibleIdentifiers(
-                    targetUser.getModel(), permissions, identifiers,
+                    targetEntity.getModel(), permissions, identifiers,
                    effectiveGroups);
        }
-        // User cannot read this user's permissions
+        // User cannot read this entity's permissions
        throw new GuacamoleSecurityException("Permission denied.");
    }
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledPermissionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ModeledPermissionService.java
@@ -24,9 +24,10 @@ import java.util.Collection;
 import java.util.HashSet;
 import java.util.Set;
 import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
 import org.apache.guacamole.auth.jdbc.user.ModeledUser;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.GuacamoleSecurityException;
 import org.apache.guacamole.auth.jdbc.base.EntityModel;
 import org.apache.guacamole.auth.jdbc.base.ModeledPermissions;
 import org.apache.guacamole.net.auth.permission.Permission;
 import org.apache.guacamole.net.auth.permission.PermissionSet;
@@ -97,42 +98,44 @@ public abstract class ModeledPermissionService<PermissionSetType extends Permiss
    /**
     * Returns an instance of a model object which is based on the given
-     * permission and target user.
+     * permission and target entity.
     *
-     * @param targetUser
+     * @param targetEntity
-     *     The user to whom this permission is granted.
+     *     The entity to whom this permission is granted.
     *
     * @param permission
     *     The permission to use to produce the returned model object.
     *
     * @return
     *     A model object which is based on the given permission and target
-     *     user.
+     *     entity.
     */
-    protected abstract ModelType getModelInstance(ModeledUser targetUser,
+    protected abstract ModelType getModelInstance(
            ModeledPermissions<? extends EntityModel> targetEntity,
            PermissionType permission);
    /**
     * Returns a collection of model objects which are based on the given
-     * permissions and target user.
+     * permissions and target entity.
     *
-     * @param targetUser
+     * @param targetEntity
-     *     The user to whom this permission is granted.
+     *     The entity to whom this permission is granted.
     *
     * @param permissions
     *     The permissions to use to produce the returned model objects.
     *
     * @return
     *     A collection of model objects which are based on the given
-     *     permissions and target user.
+     *     permissions and target entity.
     */
-    protected Collection<ModelType> getModelInstances(ModeledUser targetUser,
+    protected Collection<ModelType> getModelInstances(
            ModeledPermissions<? extends EntityModel> targetEntity,
            Collection<PermissionType> permissions) {
        // Create new collection of models by manually converting each permission
        Collection<ModelType> models = new ArrayList<ModelType>(permissions.size());
        for (PermissionType permission : permissions)
-            models.add(getModelInstance(targetUser, permission));
+            models.add(getModelInstance(targetEntity, permission));
        return models;
@@ -140,14 +143,14 @@ public abstract class ModeledPermissionService<PermissionSetType extends Permiss
    @Override
    public Set<PermissionType> retrievePermissions(ModeledAuthenticatedUser user,
-            ModeledUser targetUser, Set<String> effectiveGroups)
+            ModeledPermissions<? extends EntityModel> targetEntity,
-            throws GuacamoleException {
+            Set<String> effectiveGroups) throws GuacamoleException {
        // Retrieve permissions only if allowed
-        if (canReadPermissions(user, targetUser))
+        if (canReadPermissions(user, targetEntity))
-            return getPermissionInstances(getPermissionMapper().select(targetUser.getModel(), effectiveGroups));
+            return getPermissionInstances(getPermissionMapper().select(targetEntity.getModel(), effectiveGroups));
-        // User cannot read this user's permissions
+        // User cannot read this entity's permissions
        throw new GuacamoleSecurityException("Permission denied.");
    }
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionService.java
@@ -22,8 +22,9 @@ package org.apache.guacamole.auth.jdbc.permission;
 import java.util.Collection;
 import java.util.Set;
 import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
 import org.apache.guacamole.auth.jdbc.user.ModeledUser;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.jdbc.base.EntityModel;
 import org.apache.guacamole.auth.jdbc.base.ModeledPermissions;
 import org.apache.guacamole.net.auth.permission.ObjectPermission;
 import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
@@ -37,13 +38,13 @@ public interface ObjectPermissionService
    /**
     * Returns whether the permission of the given type and associated with the
-     * given object has been granted to the given user.
+     * given object has been granted to the given entity.
     *
     * @param user
     *     The user retrieving the permission.
     *
-     * @param targetUser
+     * @param targetEntity
-     *     The user associated with the permission to be retrieved.
+     *     The entity associated with the permission to be retrieved.
     *
     * @param type
     *     The type of permission to retrieve.
@@ -53,30 +54,31 @@ public interface ObjectPermissionService
     *
     * @param effectiveGroups
     *     The identifiers of all groups that should be taken into account
-     *     when determining the permissions effectively granted to the user. If
+     *     when determining the permissions effectively granted to the entity.
-     *     no groups are given, only permissions directly granted to the user
+     *     If no groups are given, only permissions directly granted to the
-     *     will be used.
+     *     entity will be used.
     *
     * @return
     *     true if permission of the given type and associated with the given
-     *     object has been granted to the given user, false otherwise.
+     *     object has been granted to the given entity, false otherwise.
     *
     * @throws GuacamoleException
     *     If an error occurs while retrieving the requested permission.
     */
    boolean hasPermission(ModeledAuthenticatedUser user,
-            ModeledUser targetUser, ObjectPermission.Type type,
+            ModeledPermissions<? extends EntityModel> targetEntity,
-            String identifier, Set<String> effectiveGroups) throws GuacamoleException;
+            ObjectPermission.Type type, String identifier,
            Set<String> effectiveGroups) throws GuacamoleException;
    /**
-     * Retrieves the subset of the given identifiers for which the given user
+     * Retrieves the subset of the given identifiers for which the given entity
     * has at least one of the given permissions.
     *
     * @param user
     *     The user checking the permissions.
     *
-     * @param targetUser
+     * @param targetEntity
-     *     The user to check permissions of.
+     *     The entity to check permissions of.
     *
     * @param permissions
     *     The permissions to check. An identifier will be included in the
@@ -89,9 +91,9 @@ public interface ObjectPermissionService
     *
     * @param effectiveGroups
     *     The identifiers of all groups that should be taken into account
-     *     when determining the permissions effectively granted to the user. If
+     *     when determining the permissions effectively granted to the entity.
-     *     no groups are given, only permissions directly granted to the user
+     *     If no groups are given, only permissions directly granted to the
-     *     will be used.
+     *     entity will be used.
     *
     * @return
     *     A collection containing the subset of identifiers for which at least
@@ -101,7 +103,8 @@ public interface ObjectPermissionService
     *     If an error occurs while retrieving permissions.
     */
    Collection<String> retrieveAccessibleIdentifiers(ModeledAuthenticatedUser user,
-            ModeledUser targetUser, Collection<ObjectPermission.Type> permissions,
+            ModeledPermissions<? extends EntityModel> targetEntity,
            Collection<ObjectPermission.Type> permissions,
            Collection<String> identifiers, Set<String> effectiveGroups)
            throws GuacamoleException;
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionSet.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/ObjectPermissionSet.java
@@ -19,29 +19,34 @@
 package org.apache.guacamole.auth.jdbc.permission;
 import org.apache.guacamole.auth.jdbc.user.ModeledUser;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Set;
 import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.jdbc.base.EntityModel;
 import org.apache.guacamole.auth.jdbc.base.ModeledPermissions;
 import org.apache.guacamole.auth.jdbc.base.RestrictedObject;
 import org.apache.guacamole.net.auth.permission.ObjectPermission;
 /**
 * A database implementation of ObjectPermissionSet which uses an injected
 * service to query and manipulate the object-level permissions associated with
- * a particular user.
+ * a particular entity.
 */
 public abstract class ObjectPermissionSet extends RestrictedObject
    implements org.apache.guacamole.net.auth.permission.ObjectPermissionSet {
    /**
-     * The user associated with this permission set. Each of the permissions in
+     * The entity associated with this permission set. Each of the permissions
-     * this permission set is granted to this user.
+     * in this permission set is granted to this entity.
     */
-    private ModeledUser user;
+    private ModeledPermissions<? extends EntityModel> entity;
    /**
     * The identifiers of all groups that should be taken into account
     * when determining the permissions effectively granted to the entity.
     */
    private Set<String> effectiveGroups;
    /**
@@ -53,26 +58,27 @@ public abstract class ObjectPermissionSet extends RestrictedObject
    }
    /**
-     * Initializes this permission set with the current user and the user
+     * Initializes this permission set with the current user and the entity
     * to whom the permissions in this set are granted.
     *
     * @param currentUser
     *     The user who queried this permission set, and whose permissions
     *     dictate the access level of all operations performed on this set.
     *
-     * @param user
+     * @param entity
-     *     The user to whom the permissions in this set are granted.
+     *     The entity to whom the permissions in this set are granted.
     *
     * @param effectiveGroups
     *     The identifiers of all groups that should be taken into account
-     *     when determining the permissions effectively granted to the user. If
+     *     when determining the permissions effectively granted to the entity.
-     *     no groups are given, only permissions directly granted to the user
+     *     If no groups are given, only permissions directly granted to the
-     *     will be used.
+     *     entity will be used.
     */
-    public void init(ModeledAuthenticatedUser currentUser, ModeledUser user,
+    public void init(ModeledAuthenticatedUser currentUser,
            ModeledPermissions<? extends EntityModel> entity,
            Set<String> effectiveGroups) {
        super.init(currentUser);
-        this.user = user;
+        this.entity = entity;
        this.effectiveGroups = effectiveGroups;
    }
@@ -88,13 +94,13 @@ public abstract class ObjectPermissionSet extends RestrictedObject
    @Override
    public Set<ObjectPermission> getPermissions() throws GuacamoleException {
-        return getObjectPermissionService().retrievePermissions(getCurrentUser(), user, effectiveGroups);
+        return getObjectPermissionService().retrievePermissions(getCurrentUser(), entity, effectiveGroups);
    }
    @Override
    public boolean hasPermission(ObjectPermission.Type permission,
            String identifier) throws GuacamoleException {
-        return getObjectPermissionService().hasPermission(getCurrentUser(), user, permission, identifier, effectiveGroups);
+        return getObjectPermissionService().hasPermission(getCurrentUser(), entity, permission, identifier, effectiveGroups);
    }
    @Override
@@ -112,19 +118,19 @@ public abstract class ObjectPermissionSet extends RestrictedObject
    @Override
    public Collection<String> getAccessibleObjects(Collection<ObjectPermission.Type> permissions,
            Collection<String> identifiers) throws GuacamoleException {
-        return getObjectPermissionService().retrieveAccessibleIdentifiers(getCurrentUser(), user, permissions, identifiers, effectiveGroups);
+        return getObjectPermissionService().retrieveAccessibleIdentifiers(getCurrentUser(), entity, permissions, identifiers, effectiveGroups);
    }
    @Override
    public void addPermissions(Set<ObjectPermission> permissions)
            throws GuacamoleException {
-        getObjectPermissionService().createPermissions(getCurrentUser(), user, permissions);
+        getObjectPermissionService().createPermissions(getCurrentUser(), entity, permissions);
    }
    @Override
    public void removePermissions(Set<ObjectPermission> permissions)
            throws GuacamoleException {
-        getObjectPermissionService().deletePermissions(getCurrentUser(), user, permissions);
+        getObjectPermissionService().deletePermissions(getCurrentUser(), entity, permissions);
    }
 }
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/PermissionService.java
@@ -22,8 +22,9 @@ package org.apache.guacamole.auth.jdbc.permission;
 import java.util.Collection;
 import java.util.Set;
 import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
 import org.apache.guacamole.auth.jdbc.user.ModeledUser;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.jdbc.base.EntityModel;
 import org.apache.guacamole.auth.jdbc.base.ModeledPermissions;
 import org.apache.guacamole.net.auth.permission.Permission;
 import org.apache.guacamole.net.auth.permission.PermissionSet;
@@ -44,59 +45,60 @@ public interface PermissionService<PermissionSetType extends PermissionSet<Permi
    /**
     * Returns a permission set that can be used to retrieve and manipulate the
-     * permissions of the given user.
+     * permissions of the given entity.
     *
     * @param user
     *     The user who will be retrieving or manipulating permissions through
     *     the returned permission set.
     *
-     * @param targetUser
+     * @param targetEntity
-     *     The user to whom the permissions in the returned permission set are
+     *     The entity to whom the permissions in the returned permission set are
     *     granted.
     *
     * @param effectiveGroups
     *     The identifiers of all groups that should be taken into account
-     *     when determining the permissions effectively granted to the user. If
+     *     when determining the permissions effectively granted to the entity.
-     *     no groups are given, only permissions directly granted to the user
+     *     If no groups are given, only permissions directly granted to the
-     *     will be used.
+     *     entity will be used.
     *
     * @return
     *     A permission set that contains all permissions associated with the
-     *     given user, and can be used to manipulate that user's permissions.
+     *     given entity, and can be used to manipulate that entity's
     *     permissions.
     *
     * @throws GuacamoleException
     *     If an error occurs while retrieving the permissions of the given
-     *     user, or if permission to retrieve the permissions of the given
+     *     entity, or if permission to retrieve the permissions of the given
-     *     user is denied.
+     *     entity is denied.
     */
    PermissionSetType getPermissionSet(ModeledAuthenticatedUser user,
-            ModeledUser targetUser, Set<String> effectiveGroups)
+            ModeledPermissions<? extends EntityModel> targetEntity,
-            throws GuacamoleException;
+            Set<String> effectiveGroups) throws GuacamoleException;
    /**
-     * Retrieves all permissions associated with the given user.
+     * Retrieves all permissions associated with the given entity.
     *
     * @param user
     *     The user retrieving the permissions.
     *
-     * @param targetUser
+     * @param targetEntity
-     *     The user associated with the permissions to be retrieved.
+     *     The entity associated with the permissions to be retrieved.
     *
     * @param effectiveGroups
     *     The identifiers of all groups that should be taken into account
-     *     when determining the permissions effectively granted to the user. If
+     *     when determining the permissions effectively granted to the entity.
-     *     no groups are given, only permissions directly granted to the user
+     *     If no groups are given, only permissions directly granted to the
-     *     will be used.
+     *     entity will be used.
     *
     * @return
-     *     The permissions associated with the given user.
+     *     The permissions associated with the given entity.
     *
     * @throws GuacamoleException
     *     If an error occurs while retrieving the requested permissions.
     */
    Set<PermissionType> retrievePermissions(ModeledAuthenticatedUser user,
-            ModeledUser targetUser, Set<String> effectiveGroups)
+            ModeledPermissions<? extends EntityModel> targetEntity,
-            throws GuacamoleException;
+            Set<String> effectiveGroups) throws GuacamoleException;
    /**
     * Creates the given permissions within the database. If any permissions
@@ -105,8 +107,8 @@ public interface PermissionService<PermissionSetType extends PermissionSet<Permi
     * @param user
     *     The user creating the permissions.
     *
-     * @param targetUser
+     * @param targetEntity
-     *     The user associated with the permissions to be created.
+     *     The entity associated with the permissions to be created.
     *
     * @param permissions 
     *     The permissions to create.
@@ -115,8 +117,10 @@ public interface PermissionService<PermissionSetType extends PermissionSet<Permi
     *     If the user lacks permission to create the permissions, or an error
     *     occurs while creating the permissions.
     */
-    void createPermissions(ModeledAuthenticatedUser user, ModeledUser targetUser,
+    void createPermissions(ModeledAuthenticatedUser user,
-            Collection<PermissionType> permissions) throws GuacamoleException;
+            ModeledPermissions<? extends EntityModel> targetEntity,
            Collection<PermissionType> permissions)
            throws GuacamoleException;
    /**
     * Deletes the given permissions. If any permissions do not exist, they
@@ -125,17 +129,19 @@ public interface PermissionService<PermissionSetType extends PermissionSet<Permi
     * @param user
     *     The user deleting the permissions.
     *
-     * @param targetUser
+     * @param targetEntity
-     *     The user associated with the permissions to be deleted.
+     *     The entity associated with the permissions to be deleted.
     *
     * @param permissions
     *     The permissions to delete.
     *
     * @throws GuacamoleException
-     *     If the user lacks permission to delete the permissions, or an error
+     *     If the entity lacks permission to delete the permissions, or an error
     *     occurs while deleting the permissions.
     */
-    void deletePermissions(ModeledAuthenticatedUser user, ModeledUser targetUser,
+    void deletePermissions(ModeledAuthenticatedUser user,
-            Collection<PermissionType> permissions) throws GuacamoleException;
+            ModeledPermissions<? extends EntityModel> targetEntity,
            Collection<PermissionType> permissions)
            throws GuacamoleException;
 }
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SharingProfilePermissionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SharingProfilePermissionService.java
@@ -24,7 +24,8 @@ import com.google.inject.Provider;
 import java.util.Set;
 import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
 import org.apache.guacamole.GuacamoleException;
-import org.apache.guacamole.auth.jdbc.user.ModeledUser;
+import org.apache.guacamole.auth.jdbc.base.EntityModel;
 import org.apache.guacamole.auth.jdbc.base.ModeledPermissions;
 /**
 * Service which provides convenience methods for creating, retrieving, and
@@ -52,12 +53,12 @@ public class SharingProfilePermissionService extends ModeledObjectPermissionServ
    @Override
    public ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user,
-            ModeledUser targetUser, Set<String> effectiveGroups)
+            ModeledPermissions<? extends EntityModel> targetEntity,
-            throws GuacamoleException {
+            Set<String> effectiveGroups) throws GuacamoleException {
-        // Create permission set for requested user
+        // Create permission set for requested entity
        ObjectPermissionSet permissionSet = sharingProfilePermissionSetProvider.get();
-        permissionSet.init(user, targetUser, effectiveGroups);
+        permissionSet.init(user, targetEntity, effectiveGroups);
        return permissionSet;
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionService.java
@@ -24,10 +24,11 @@ import com.google.inject.Provider;
 import java.util.Collection;
 import java.util.Set;
 import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
 import org.apache.guacamole.auth.jdbc.user.ModeledUser;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.GuacamoleSecurityException;
 import org.apache.guacamole.GuacamoleUnsupportedException;
 import org.apache.guacamole.auth.jdbc.base.EntityModel;
 import org.apache.guacamole.auth.jdbc.base.ModeledPermissions;
 import org.apache.guacamole.net.auth.permission.SystemPermission;
 /**
@@ -61,13 +62,14 @@ public class SystemPermissionService
    }
    @Override
-    protected SystemPermissionModel getModelInstance(final ModeledUser targetUser,
+    protected SystemPermissionModel getModelInstance(
            final ModeledPermissions<? extends EntityModel> targetEntity,
            final SystemPermission permission) {
        SystemPermissionModel model = new SystemPermissionModel();
        // Populate model object with data from user and permission
-        model.setEntityID(targetUser.getModel().getEntityID());
+        model.setEntityID(targetEntity.getModel().getEntityID());
        model.setType(permission.getType());
        return model;
@@ -76,23 +78,25 @@ public class SystemPermissionService
    @Override
    public SystemPermissionSet getPermissionSet(ModeledAuthenticatedUser user,
-            ModeledUser targetUser, Set<String> effectiveGroups) throws GuacamoleException {
+            ModeledPermissions<? extends EntityModel> targetEntity,
            Set<String> effectiveGroups) throws GuacamoleException {
        // Create permission set for requested user
        SystemPermissionSet permissionSet = systemPermissionSetProvider.get();
-        permissionSet.init(user, targetUser, effectiveGroups);
+        permissionSet.init(user, targetEntity, effectiveGroups);
        return permissionSet;
    }
    @Override
-    public void createPermissions(ModeledAuthenticatedUser user, ModeledUser targetUser,
+    public void createPermissions(ModeledAuthenticatedUser user,
            ModeledPermissions<? extends EntityModel> targetEntity,
            Collection<SystemPermission> permissions) throws GuacamoleException {
        // Only an admin can create system permissions
        if (user.getUser().isAdministrator()) {
-            Collection<SystemPermissionModel> models = getModelInstances(targetUser, permissions);
+            Collection<SystemPermissionModel> models = getModelInstances(targetEntity, permissions);
            systemPermissionMapper.insert(models);
            return;
        }
@@ -103,17 +107,18 @@ public class SystemPermissionService
    }
    @Override
-    public void deletePermissions(ModeledAuthenticatedUser user, ModeledUser targetUser,
+    public void deletePermissions(ModeledAuthenticatedUser user,
            ModeledPermissions<? extends EntityModel> targetEntity,
            Collection<SystemPermission> permissions) throws GuacamoleException {
        // Only an admin can delete system permissions
        if (user.getUser().isAdministrator()) {
            // Do not allow users to remove their own admin powers
-            if (user.getUser().getIdentifier().equals(targetUser.getIdentifier()))
+            if (user.getUser().getIdentifier().equals(targetEntity.getIdentifier()))
                throw new GuacamoleUnsupportedException("Removing your own administrative permissions is not allowed.");
-            Collection<SystemPermissionModel> models = getModelInstances(targetUser, permissions);
+            Collection<SystemPermissionModel> models = getModelInstances(targetEntity, permissions);
            systemPermissionMapper.delete(models);
            return;
        }
@@ -125,14 +130,14 @@ public class SystemPermissionService
    /**
     * Retrieves whether the permission of the given type has been granted to
-     * the given user. Permission inheritance through group membership is taken
+     * the given entity. Permission inheritance through group membership is
-     * into account.
+     * taken into account.
     *
     * @param user
     *     The user retrieving the permission.
     *
-     * @param targetUser
+     * @param targetEntity
-     *     The user associated with the permission to be retrieved.
+     *     The entity associated with the permission to be retrieved.
     * 
     * @param type
     *     The type of permission to retrieve.
@@ -151,12 +156,13 @@ public class SystemPermissionService
     *     If an error occurs while retrieving the requested permission.
     */
    public boolean hasPermission(ModeledAuthenticatedUser user,
-            ModeledUser targetUser, SystemPermission.Type type,
+            ModeledPermissions<? extends EntityModel> targetEntity,
-            Set<String> effectiveGroups) throws GuacamoleException {
+            SystemPermission.Type type, Set<String> effectiveGroups)
            throws GuacamoleException {
        // Retrieve permissions only if allowed
-        if (canReadPermissions(user, targetUser))
+        if (canReadPermissions(user, targetEntity))
-            return getPermissionMapper().selectOne(targetUser.getModel(), type, effectiveGroups) != null;
+            return getPermissionMapper().selectOne(targetEntity.getModel(), type, effectiveGroups) != null;
        // User cannot read this user's permissions
        throw new GuacamoleSecurityException("Permission denied.");
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionSet.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/SystemPermissionSet.java
@@ -19,29 +19,34 @@
 package org.apache.guacamole.auth.jdbc.permission;
 import org.apache.guacamole.auth.jdbc.user.ModeledUser;
 import com.google.inject.Inject;
 import java.util.Collections;
 import java.util.Set;
 import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.jdbc.base.EntityModel;
 import org.apache.guacamole.auth.jdbc.base.ModeledPermissions;
 import org.apache.guacamole.auth.jdbc.base.RestrictedObject;
 import org.apache.guacamole.net.auth.permission.SystemPermission;
 /**
 * A database implementation of SystemPermissionSet which uses an injected
 * service to query and manipulate the system permissions associated with a
- * particular user.
+ * particular entity.
 */
 public class SystemPermissionSet extends RestrictedObject
    implements org.apache.guacamole.net.auth.permission.SystemPermissionSet {
    /**
-     * The user associated with this permission set. Each of the permissions in
+     * The entity associated with this permission set. Each of the permissions
-     * this permission set is granted to this user.
+     * in this permission set is granted to this entity.
     */
-    private ModeledUser user;
+    private ModeledPermissions<? extends EntityModel> entity;
    /**
     * The identifiers of all groups that should be taken into account when
     * determining the permissions effectively granted to the entity.
     */
    private Set<String> effectiveGroups;
    /**
@@ -59,38 +64,39 @@ public class SystemPermissionSet extends RestrictedObject
    }
    /**
-     * Initializes this permission set with the current user and the user
+     * Initializes this permission set with the current user and the entity
     * to whom the permissions in this set are granted.
     *
     * @param currentUser
     *     The user who queried this permission set, and whose permissions
     *     dictate the access level of all operations performed on this set.
     *
-     * @param user
+     * @param entity
-     *     The user to whom the permissions in this set are granted.
+     *     The entity to whom the permissions in this set are granted.
     *
     * @param effectiveGroups
     *     The identifiers of all groups that should be taken into account
-     *     when determining the permissions effectively granted to the user. If
+     *     when determining the permissions effectively granted to the entity.
-     *     no groups are given, only permissions directly granted to the user
+     *     If no groups are given, only permissions directly granted to the
-     *     will be used.
+     *     entity will be used.
     */
-    public void init(ModeledAuthenticatedUser currentUser, ModeledUser user,
+    public void init(ModeledAuthenticatedUser currentUser,
            ModeledPermissions<? extends EntityModel> entity,
            Set<String> effectiveGroups) {
        super.init(currentUser);
-        this.user = user;
+        this.entity = entity;
        this.effectiveGroups = effectiveGroups;
    }
    @Override
    public Set<SystemPermission> getPermissions() throws GuacamoleException {
-        return systemPermissionService.retrievePermissions(getCurrentUser(), user, effectiveGroups);
+        return systemPermissionService.retrievePermissions(getCurrentUser(), entity, effectiveGroups);
    }
    @Override
    public boolean hasPermission(SystemPermission.Type permission)
            throws GuacamoleException {
-        return systemPermissionService.hasPermission(getCurrentUser(), user, permission, effectiveGroups);
+        return systemPermissionService.hasPermission(getCurrentUser(), entity, permission, effectiveGroups);
    }
    @Override
@@ -108,13 +114,13 @@ public class SystemPermissionSet extends RestrictedObject
    @Override
    public void addPermissions(Set<SystemPermission> permissions)
            throws GuacamoleException {
-        systemPermissionService.createPermissions(getCurrentUser(), user, permissions);
+        systemPermissionService.createPermissions(getCurrentUser(), entity, permissions);
    }
    @Override
    public void removePermissions(Set<SystemPermission> permissions)
            throws GuacamoleException {
-        systemPermissionService.deletePermissions(getCurrentUser(), user, permissions);
+        systemPermissionService.deletePermissions(getCurrentUser(), entity, permissions);
    }
 }
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/UserPermissionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/permission/UserPermissionService.java
@@ -24,7 +24,8 @@ import com.google.inject.Provider;
 import java.util.Set;
 import org.apache.guacamole.auth.jdbc.user.ModeledAuthenticatedUser;
 import org.apache.guacamole.GuacamoleException;
-import org.apache.guacamole.auth.jdbc.user.ModeledUser;
+import org.apache.guacamole.auth.jdbc.base.EntityModel;
 import org.apache.guacamole.auth.jdbc.base.ModeledPermissions;
 /**
 * Service which provides convenience methods for creating, retrieving, and
@@ -52,12 +53,12 @@ public class UserPermissionService extends ModeledObjectPermissionService {
    @Override
    public ObjectPermissionSet getPermissionSet(ModeledAuthenticatedUser user,
-            ModeledUser targetUser, Set<String> effectiveGroups)
+            ModeledPermissions<? extends EntityModel> targetEntity,
-            throws GuacamoleException {
+            Set<String> effectiveGroups) throws GuacamoleException {
-        // Create permission set for requested user
+        // Create permission set for requested entity
        ObjectPermissionSet permissionSet = userPermissionSetProvider.get();
-        permissionSet.init(user, targetUser, effectiveGroups);
+        permissionSet.init(user, targetEntity, effectiveGroups);
        return permissionSet;
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledUser.java
@@ -33,16 +33,10 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.TimeZone;
 import org.apache.guacamole.auth.jdbc.base.ModeledDirectoryObject;
 import org.apache.guacamole.auth.jdbc.security.PasswordEncryptionService;
 import org.apache.guacamole.auth.jdbc.security.SaltService;
 import org.apache.guacamole.auth.jdbc.permission.SystemPermissionService;
 import org.apache.guacamole.GuacamoleException;
-import org.apache.guacamole.auth.jdbc.activeconnection.ActiveConnectionPermissionService;
+import org.apache.guacamole.auth.jdbc.base.ModeledPermissions;
 import org.apache.guacamole.auth.jdbc.permission.ConnectionGroupPermissionService;
 import org.apache.guacamole.auth.jdbc.permission.ConnectionPermissionService;
 import org.apache.guacamole.auth.jdbc.permission.SharingProfilePermissionService;
 import org.apache.guacamole.auth.jdbc.permission.UserPermissionService;
 import org.apache.guacamole.form.BooleanField;
 import org.apache.guacamole.form.DateField;
 import org.apache.guacamole.form.EmailField;
@@ -55,10 +49,6 @@ import org.apache.guacamole.net.auth.ActivityRecord;
 import org.apache.guacamole.net.auth.Permissions;
 import org.apache.guacamole.net.auth.RelatedObjectSet;
 import org.apache.guacamole.net.auth.User;
 import org.apache.guacamole.net.auth.permission.ObjectPermissionSet;
 import org.apache.guacamole.net.auth.permission.SystemPermission;
 import org.apache.guacamole.net.auth.permission.SystemPermissionSet;
 import org.apache.guacamole.net.auth.simple.SimpleObjectPermissionSet;
 import org.apache.guacamole.net.auth.simple.SimpleRelatedObjectSet;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -66,7 +56,7 @@ import org.slf4j.LoggerFactory;
 /**
 * An implementation of the User object which is backed by a database model.
 */
-public class ModeledUser extends ModeledDirectoryObject<UserModel> implements User {
+public class ModeledUser extends ModeledPermissions<UserModel> implements User {
    /**
     * Logger for this class.
@@ -186,42 +176,6 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us
    @Inject
    private SaltService saltService;
    /**
     * Service for retrieving system permissions.
     */
    @Inject
    private SystemPermissionService systemPermissionService;
    /**
     * Service for retrieving connection permissions.
     */
    @Inject
    private ConnectionPermissionService connectionPermissionService;
    /**
     * Service for retrieving connection group permissions.
     */
    @Inject
    private ConnectionGroupPermissionService connectionGroupPermissionService;
    /**
     * Service for retrieving sharing profile permissions.
     */
    @Inject
    private SharingProfilePermissionService sharingProfilePermissionService;
    /**
     * Service for retrieving active connection permissions.
     */
    @Inject
    private ActiveConnectionPermissionService activeConnectionPermissionService;
    /**
     * Service for retrieving user permissions.
     */
    @Inject
    private UserPermissionService userPermissionService;
    /**
     * Whether attributes which control access restrictions should be exposed
     * via getAttributes() or allowed to be set via setAttributes().
@@ -331,70 +285,6 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us
        return passwordRecord;
    }
    /**
     * Returns whether this user is a system administrator, and thus is not
     * restricted by permissions, taking into account permission inheritance
     * via user groups.
     *
     * @return
     *    true if this user is a system administrator, false otherwise.
     *
     * @throws GuacamoleException 
     *    If an error occurs while determining the user's system administrator
     *    status.
     */
    public boolean isAdministrator() throws GuacamoleException {
        SystemPermissionSet systemPermissionSet = getEffectivePermissions().getSystemPermissions();
        return systemPermissionSet.hasPermission(SystemPermission.Type.ADMINISTER);
    }
    @Override
    public SystemPermissionSet getSystemPermissions()
            throws GuacamoleException {
        return systemPermissionService.getPermissionSet(getCurrentUser(), this,
                Collections.<String>emptySet());
    }
    @Override
    public ObjectPermissionSet getConnectionPermissions()
            throws GuacamoleException {
        return connectionPermissionService.getPermissionSet(getCurrentUser(),
                this, Collections.<String>emptySet());
    }
    @Override
    public ObjectPermissionSet getConnectionGroupPermissions()
            throws GuacamoleException {
        return connectionGroupPermissionService.getPermissionSet(
                getCurrentUser(), this, Collections.<String>emptySet());
    }
    @Override
    public ObjectPermissionSet getSharingProfilePermissions()
            throws GuacamoleException {
        return sharingProfilePermissionService.getPermissionSet(
                getCurrentUser(), this, Collections.<String>emptySet());
    }
    @Override
    public ObjectPermissionSet getActiveConnectionPermissions()
            throws GuacamoleException {
        return activeConnectionPermissionService.getPermissionSet(
                getCurrentUser(), this, Collections.<String>emptySet());
    }
    @Override
    public ObjectPermissionSet getUserPermissions()
            throws GuacamoleException {
        return userPermissionService.getPermissionSet(getCurrentUser(), this,
                Collections.<String>emptySet());
    }
    @Override
    public ObjectPermissionSet getUserGroupPermissions() throws GuacamoleException {
        return new SimpleObjectPermissionSet();
    }
    /**
     * Stores all restricted (privileged) attributes within the given Map,
     * pulling the values of those attributes from the underlying user model.
@@ -860,84 +750,9 @@ public class ModeledUser extends ModeledDirectoryObject<UserModel> implements Us
        return new SimpleRelatedObjectSet();
    }
    /**
     * Returns the identifiers of all user groups defined within the database
     * which apply to this user, including any groups inherited through
     * membership in yet more groups.
     *
     * @return
     *     The identifiers of all user groups defined within the database which
     *     apply to this user.
     */
    public Set<String> getEffectiveUserGroups() {
        return userService.retrieveEffectiveGroups(this,
                Collections.<String>emptySet());
    }
    @Override
    public Permissions getEffectivePermissions() throws GuacamoleException {
-
+        return super.getEffective();
        final ModeledAuthenticatedUser authenticatedUser = getCurrentUser();
        final Set<String> effectiveGroups;
        // If this user is the currently-authenticated user, include any
        // additional effective groups declared by the authentication system
        if (authenticatedUser.getIdentifier().equals(getIdentifier()))
            effectiveGroups = userService.retrieveEffectiveGroups(this,
                    authenticatedUser.getEffectiveUserGroups());
        // Otherwise, just include effective groups from the database
        else
            effectiveGroups = getEffectiveUserGroups();
        // Return a permissions object which describes all effective
        // permissions, including any permissions inherited via user groups
        return new Permissions() {
            @Override
            public ObjectPermissionSet getActiveConnectionPermissions()
                    throws GuacamoleException {
                return activeConnectionPermissionService.getPermissionSet(authenticatedUser, ModeledUser.this, effectiveGroups);
            }
            @Override
            public ObjectPermissionSet getConnectionGroupPermissions()
                    throws GuacamoleException {
                return connectionGroupPermissionService.getPermissionSet(authenticatedUser, ModeledUser.this, effectiveGroups);
            }
            @Override
            public ObjectPermissionSet getConnectionPermissions()
                    throws GuacamoleException {
                return connectionPermissionService.getPermissionSet(authenticatedUser, ModeledUser.this, effectiveGroups);
            }
            @Override
            public ObjectPermissionSet getSharingProfilePermissions()
                    throws GuacamoleException {
                return sharingProfilePermissionService.getPermissionSet(authenticatedUser, ModeledUser.this, effectiveGroups);
            }
            @Override
            public SystemPermissionSet getSystemPermissions()
                    throws GuacamoleException {
                return systemPermissionService.getPermissionSet(authenticatedUser, ModeledUser.this, effectiveGroups);
            }
            @Override
            public ObjectPermissionSet getUserPermissions()
                    throws GuacamoleException {
                return userPermissionService.getPermissionSet(authenticatedUser, ModeledUser.this, effectiveGroups);
            }
            @Override
            public ObjectPermissionSet getUserGroupPermissions()
                    throws GuacamoleException {
                // FIXME: STUB
                return new SimpleObjectPermissionSet();
            }
        };
    }
 }
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserMapper.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserMapper.java
@@ -19,8 +19,6 @@
 package org.apache.guacamole.auth.jdbc.user;
 import java.util.Collection;
 import java.util.Set;
 import org.apache.guacamole.auth.jdbc.base.ModeledDirectoryObjectMapper;
 import org.apache.ibatis.annotations.Param;
@@ -41,24 +39,4 @@ public interface UserMapper extends ModeledDirectoryObjectMapper<UserModel> {
     */
    UserModel selectOne(@Param("username") String username);
    /**
     * Returns the set of all group identifiers of which the given user is a
     * member, taking into account the given collection of known group
     * memberships which are not necessarily defined within the database.
     *
     * @param user
     *     The user whose effective groups should be returned.
     *
     * @param effectiveGroups
     *     The identifiers of any known effective groups that should be taken
     *     into account, such as those defined externally to the database.
     *
     * @return
     *     The set of identifiers of all groups that the given user is a
     *     member of, including those where membership is inherited through
     *     membership in other groups.
     */
    Set<String> selectEffectiveGroupIdentifiers(@Param("user") UserModel user,
            @Param("effectiveGroups") Collection<String> effectiveGroups);
 }
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
@@ -26,7 +26,6 @@ import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
 import java.util.Set;
 import javax.servlet.http.HttpServletRequest;
 import org.apache.guacamole.net.auth.Credentials;
 import org.apache.guacamole.auth.jdbc.base.ModeledDirectoryObjectMapper;
@@ -598,31 +597,4 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
    }
    /**
     * Returns the set of all group identifiers of which the given user is a
     * member, taking into account the given collection of known group
     * memberships which are not necessarily defined within the database.
     * 
     * Note that group visibility with respect to the queried user is NOT taken
     * into account. If the user is a member of a group, the identifier of that
     * group will be included in the returned set even if the current user lacks
     * "READ" permission for that group.
     *
     * @param user
     *     The user whose effective groups should be returned.
     *
     * @param effectiveGroups
     *     The identifiers of any known effective groups that should be taken
     *     into account, such as those defined externally to the database.
     *
     * @return
     *     The set of identifiers of all groups that the given user is a
     *     member of, including those where membership is inherited through
     *     membership in other groups.
     */
    public Set<String> retrieveEffectiveGroups(ModeledUser user,
            Collection<String> effectiveGroups) {
        return userMapper.selectEffectiveGroupIdentifiers(user.getModel(), effectiveGroups);
    }
 }
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/base/EntityMapper.xml
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/base/EntityMapper.xml
@@ -59,6 +59,44 @@
        )
    </sql>
    <!-- Select names of all effective groups (including inherited) -->
    <select id="selectEffectiveGroupIdentifiers" resultType="string">
        WITH RECURSIVE related_entity(entity_id) AS (
                SELECT
                    guacamole_user_group.entity_id
                FROM guacamole_user_group
                JOIN guacamole_user_group_member ON guacamole_user_group.user_group_id = guacamole_user_group_member.user_group_id
                WHERE
                    guacamole_user_group_member.member_entity_id = #{entity.entityID}
            <if test="!effectiveGroups.isEmpty()">
                UNION
                    SELECT
                        guacamole_entity.entity_id
                    FROM guacamole_entity
                    WHERE
                        type = 'USER_GROUP'::guacamole_entity_type
                        AND name IN
                            <foreach collection="effectiveGroups" item="effectiveGroup"
                                     open="(" separator="," close=")">
                                #{effectiveGroup,jdbcType=VARCHAR}
                            </foreach>
            </if>
            UNION
                SELECT
                    guacamole_user_group.entity_id
                FROM related_entity
                JOIN guacamole_user_group_member ON related_entity.entity_id = guacamole_user_group_member.member_entity_id
                JOIN guacamole_user_group ON guacamole_user_group.user_group_id = guacamole_user_group_member.user_group_id
        )
        SELECT name
        FROM related_entity
        JOIN guacamole_entity ON related_entity.entity_id = guacamole_entity.entity_id
        WHERE
            guacamole_entity.type = 'USER_GROUP'::guacamole_entity_type;
    </select>
    <!-- Insert single entity -->
    <insert id="insert" useGeneratedKeys="true" keyProperty="entity.entityID"
            parameterType="org.apache.guacamole.auth.jdbc.base.EntityModel">
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/user/UserMapper.xml
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/user/UserMapper.xml
@@ -79,44 +79,6 @@
            AND permission = 'READ'
    </select>
    <!-- Select names of all effective (including inherited) groups -->
    <select id="selectEffectiveGroupIdentifiers" resultType="string">
        WITH RECURSIVE related_entity(entity_id) AS (
                SELECT
                    guacamole_user_group.entity_id
                FROM guacamole_user_group
                JOIN guacamole_user_group_member ON guacamole_user_group.user_group_id = guacamole_user_group_member.user_group_id
                WHERE
                    guacamole_user_group_member.member_entity_id = #{user.entityID}
            <if test="!effectiveGroups.isEmpty()">
                UNION
                    SELECT
                        guacamole_entity.entity_id
                    FROM guacamole_entity
                    WHERE
                        type = 'USER_GROUP'::guacamole_entity_type
                        AND name IN
                            <foreach collection="effectiveGroups" item="effectiveGroup"
                                     open="(" separator="," close=")">
                                #{effectiveGroup,jdbcType=VARCHAR}
                            </foreach>
            </if>
            UNION
                SELECT
                    guacamole_user_group.entity_id
                FROM related_entity
                JOIN guacamole_user_group_member ON related_entity.entity_id = guacamole_user_group_member.member_entity_id
                JOIN guacamole_user_group ON guacamole_user_group.user_group_id = guacamole_user_group_member.user_group_id
        )
        SELECT name
        FROM related_entity
        JOIN guacamole_entity ON related_entity.entity_id = guacamole_entity.entity_id
        WHERE
            guacamole_entity.type = 'USER_GROUP'::guacamole_entity_type;
    </select>
    <!-- Select multiple users by username -->
    <select id="select" resultMap="UserResultMap"
            resultSets="users,arbitraryAttributes">