diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java
index 1e525710d..fc21a5abb 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionPermissionService.java
@@ -82,21 +82,22 @@ public class ActiveConnectionPermissionService
 // Retrieve permissions only if allowed
 if (canReadPermissions(user, targetEntity)) {
- // Only administrators may access active connections
- boolean isAdmin = targetEntity.isAdministrator();
+ // Administrators may always access active connections
+ boolean isAdmin = targetEntity.isPrivileged();
 // Get all active connections
 Collection records = tunnelService.getActiveConnections(user);
 // We have READ, and possibly DELETE, on all active connections
- Set permissions = new HashSet();
+ Set permissions = new HashSet<>();
 for (ActiveConnectionRecord record : records) {
 // Add implicit READ
 String identifier = record.getUUID().toString();
 permissions.add(new ObjectPermission(ObjectPermission.Type.READ, identifier));
- // If we're an admin, or the connection is ours, then we can DELETE
+ // If the target use is an admin, or the connection belongs to
+ // the target user, then they can DELETE
 if (isAdmin || targetEntity.isUser(record.getUsername()))
 permissions.add(new ObjectPermission(ObjectPermission.Type.DELETE, identifier));
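Review bot: The rewritten comment above the DELETE check has a typo ("target use" for "target user"), and the local is still named `isAdmin` although it now holds `targetEntity.isPrivileged()`. Because this flag grants DELETE on every active connection rather than only the entity's own, the name and comment should say what is actually tested, e.g. `boolean isPrivileged = targetEntity.isPrivileged();` under `// Privileged entities (e.g. system administrators) may always access active connections`. The same `isAdmin` local is kept in the first ActiveConnectionService hunk. The enclosing method starts and ends outside this hunk.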
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionService.java
index c21e9c36c..da5e0ccf9 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/activeconnection/ActiveConnectionService.java
@@ -81,7 +81,7 @@ public class ActiveConnectionService
 Collection identifiers) throws GuacamoleException {
 String username = user.getIdentifier();
- boolean isAdmin = user.getUser().isAdministrator();
+ boolean isAdmin = user.isPrivileged();
 Set identifierSet = new HashSet(identifiers);
 // Retrieve all visible connections (permissions enforced by tunnel service)
@@ -211,7 +211,7 @@ public class ActiveConnectionService
 ObjectPermissionSet permissionSet = getPermissionSet(user);
- return user.getUser().isAdministrator()
+ return user.isPrivileged()
 || permissionSet.hasPermission(type, identifier);
 }
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledChildDirectoryObjectService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledChildDirectoryObjectService.java
index f517e2788..220f55c15 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledChildDirectoryObjectService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/ModeledChildDirectoryObjectService.java
@@ -149,7 +149,7 @@ public abstract class ModeledChildDirectoryObjectService objects; // Bypass permission checks if the user is a system admin - if (user.getUser().isAdministrator()) + if (user.isPrivileged()) objects = getObjectMapper().select(identifiers); // Otherwise only return explicitly readable identifiers @@ -508,7 +508,7 @@ public abstract class ModeledDirectoryObjectService } /** - * Returns whether this entity is a system administrator, and thus is not - * restricted by permissions, taking into account permission inheritance - * via user groups. + * Returns whether this entity is effectively unrestricted by permissions, + * such as a system administrator or an internal user operating via a + * privileged UserContext. Permission inheritance via user groups is taken + * into account. * * @return - * true if this entity is a system administrator, false otherwise. + * true if this entity should be unrestricted by permissions, false + * otherwise. * * @throws GuacamoleException - * If an error occurs while determining the entity's system administrator - * status. + * If an error occurs while determining whether permission restrictions + * apply to the entity. */ - public boolean isAdministrator() throws GuacamoleException { + public boolean isPrivileged() throws GuacamoleException { SystemPermissionSet systemPermissionSet = getEffective().getSystemPermissions(); return systemPermissionSet.hasPermission(SystemPermission.Type.ADMINISTER); } diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/RelatedObjectSet.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/RelatedObjectSet.java index f7b75ef12..3de857329 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/RelatedObjectSet.java 
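Review bot: The comment `// Bypass permission checks if the user is a system admin` in the first hunk on this line now sits above `if (user.isPrivileged())`, so it describes the old test rather than the new one. If `isPrivileged()` is meant to cover more than holders of ADMINISTER, as its new Javadoc says, the comment should read something like `// Bypass permission checks if the user is privileged (e.g. a system admin)`. The same wording is left unchanged in the hunk after the RelatedObjectSet header, in AbstractGuacamoleTunnelService (`// A system administrator can view all connections; no need to filter`) and in the UserService hunk. These comments are the only in-place hint of who skips permission filtering, so anyone auditing the bypass would read them as limiting it to administrators.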
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/base/RelatedObjectSet.java @@ -141,7 +141,7 @@ public abstract class RelatedObjectSet searchResults; // Bypass permission checks if the user is a system admin - if (user.getUser().isAdministrator()) + if (user.isPrivileged()) searchResults = connectionRecordMapper.search(requiredContents, sortPredicates, limit); diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connectiongroup/ConnectionGroupService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connectiongroup/ConnectionGroupService.java index 3e9ec72a8..32d9f8c13 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connectiongroup/ConnectionGroupService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connectiongroup/ConnectionGroupService.java @@ -219,7 +219,7 @@ public class ConnectionGroupService extends ModeledChildDirectoryObjectService permissions) throws GuacamoleException { // Only an admin can create system permissions - if (user.getUser().isAdministrator()) { + if (user.isPrivileged()) { Collection models = getModelInstances(targetEntity, permissions); systemPermissionMapper.insert(models); return; @@ -112,7 +112,7 @@ public class SystemPermissionService Collection permissions) throws GuacamoleException { // Only an admin can delete system permissions - if (user.getUser().isAdministrator()) { + if (user.isPrivileged()) { // Do not allow users to remove their own admin powers if (user.getUser().getIdentifier().equals(targetEntity.getIdentifier())) 
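Review bot: Granting and revoking system permissions is now gated on `user.isPrivileged()` in both SystemPermissionService hunks, while the comments still say "Only an admin can create system permissions" and "Only an admin can delete system permissions". The new Javadoc on `isPrivileged()` describes it as also true for an internal user operating via a privileged UserContext, so any such context would be allowed to reach `systemPermissionMapper.insert(models)`, presumably including a grant of ADMINISTER itself. This is the most sensitive of the renamed call sites and should state that the widening is intended, e.g. `// Only privileged users (system admins or internal privileged contexts) may grant system permissions`. In the delete hunk the self-revocation guard still compares `user.getUser().getIdentifier()` with the target and looks unaffected, but a test with a privileged non-admin caller would pin that behaviour. Both methods continue outside the hunks.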
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/tunnel/AbstractGuacamoleTunnelService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/tunnel/AbstractGuacamoleTunnelService.java
index abecf32f8..1b8dd1762 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/tunnel/AbstractGuacamoleTunnelService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/tunnel/AbstractGuacamoleTunnelService.java
@@ -629,7 +629,7 @@ public abstract class AbstractGuacamoleTunnelService implements GuacamoleTunnelS
 return Collections.emptyList();
 // A system administrator can view all connections; no need to filter
- if (user.getUser().isAdministrator())
+ if (user.isPrivileged())
 return records;
 // Build set of all connection identifiers associated with active tunnels
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledAuthenticatedUser.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledAuthenticatedUser.java
index 5778ad01a..7ede92c6c 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledAuthenticatedUser.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/ModeledAuthenticatedUser.java
@@ -23,6 +23,7 @@ import com.google.common.collect.Sets; import java.util.Collections; import java.util.Set; import java.util.concurrent.ConcurrentHashMap; +import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.net.auth.AuthenticatedUser; import org.apache.guacamole.net.auth.AuthenticationProvider; import org.apache.guacamole.net.auth.Credentials; @@ -176,4 +177,22 @@ public class ModeledAuthenticatedUser extends RemoteAuthenticatedUser { super.getEffectiveUserGroups()); } + /** + * Returns whether this user is effectively unrestricted by permissions, + * such as a system administrator or an internal user operating via a + * privileged UserContext. Permission inheritance via user groups is taken + * into account. + * + * @return + * true if this user should be unrestricted by permissions, false + * otherwise. + * + * @throws GuacamoleException + * If an error occurs while determining whether permission restrictions + * apply to the user. + */ + public boolean isPrivileged() throws GuacamoleException { + return getUser().isPrivileged(); + } + } diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java index a68f08237..dbbffe35e 100644 --- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java +++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java @@ -279,7 +279,7 @@ public class UserService extends ModeledDirectoryObjectService searchResults; // Bypass permission checks if the user is a system admin - if (user.getUser().isAdministrator()) + if (user.isPrivileged()) searchResults = userRecordMapper.search(requiredContents, sortPredicates, limit);
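Review bot: The Javadoc on the new `ModeledAuthenticatedUser.isPrivileged()` promises more than the visible code delivers. The method only delegates to `getUser().isPrivileged()`, and the renamed method shown earlier in this diff still returns true solely when the effective system permissions contain ADMINISTER. If the "internal user operating via a privileged UserContext" case is supplied by an override elsewhere, the Javadoc should say so, e.g. `Subclasses representing internal privileged users may override this to return true unconditionally.`; otherwise that clause should be dropped. Every permission bypass in these JDBC services now goes through this one public, overridable method, so the Javadoc should also state that returning true disables permission filtering for the user.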