GUACAMOLE-220: Merge add database support for user groups.

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/schema/001-create-schema.sql

@@ -33,6 +33,22 @@ EXEC sp_bindrule
     'guacamole_connection_group_type';
 GO
 
+--
+-- Entity types
+--
+
+CREATE RULE [guacamole_entity_type_list] AS @list IN (
+    'USER',
+    'USER_GROUP'
+);
+GO
+
+CREATE TYPE [guacamole_entity_type] FROM [nvarchar](16);
+EXEC sp_bindrule
+    'guacamole_entity_type_list',
+    'guacamole_entity_type';
+GO
+
 --
 -- Object permission types
 --
@@ -60,6 +76,7 @@ CREATE RULE [guacamole_system_permission_list] AS @list IN (
     'CREATE_CONNECTION_GROUP',
     'CREATE_SHARING_PROFILE',
     'CREATE_USER',
+    'CREATE_USER_GROUP',
     'ADMINISTER'
 );
 GO
@@ -163,6 +180,28 @@ CREATE NONCLUSTERED INDEX [IX_guacamole_connection_parent_id]
     ON [guacamole_connection] ([parent_id]);
 GO
 
+--
+-- Table of base entities which may each be either a user or user group. Other
+-- tables which represent qualities shared by both users and groups will point
+-- to guacamole_entity, while tables which represent qualities specific to
+-- users or groups will point to guacamole_user or guacamole_user_group.
+--
+
+CREATE TABLE [guacamole_entity] (
+
+    [entity_id]     [int] IDENTITY(1,1)     NOT NULL,
+    [name]          [nvarchar](128)         NOT NULL,
+    [type]          [guacamole_entity_type] NOT NULL,
+
+    CONSTRAINT [PK_guacamole_entity]
+        PRIMARY KEY CLUSTERED ([entity_id]),
+
+    CONSTRAINT [AK_guacamole_entity_name_scope]
+        UNIQUE ([type], [name])
+
+);
+GO
+
 --
 -- Table of users. Each user has a unique username and a hashed password
 -- with corresponding salt. Although the authentication system will always set
@@ -172,10 +211,10 @@ GO
 
 CREATE TABLE [guacamole_user] (
 
-    [user_id] [int] IDENTITY(1,1) NOT NULL,
+    [user_id]   [int] IDENTITY(1,1) NOT NULL,
+    [entity_id] [int]               NOT NULL,
 
-    -- Username and optionally-salted password
-    [username]      [nvarchar](128) NOT NULL,
+    -- Optionally-salted password
     [password_hash] [binary](32)    NOT NULL,
     [password_salt] [binary](32),
     [password_date] [datetime]      NOT NULL,
@@ -204,8 +243,68 @@ CREATE TABLE [guacamole_user] (
     CONSTRAINT [PK_guacamole_user]
         PRIMARY KEY CLUSTERED ([user_id]),
 
-    CONSTRAINT [AK_guacamole_user_username]
-        UNIQUE ([username])
+    CONSTRAINT [AK_guacamole_user_single_entity]
+        UNIQUE ([entity_id]),
+
+    CONSTRAINT [FK_guacamole_user_entity]
+        FOREIGN KEY ([entity_id])
+        REFERENCES [guacamole_entity] ([entity_id])
+        ON DELETE CASCADE
+
+);
+GO
+
+--
+-- Table of user groups. Each user group may have an arbitrary set of member
+-- users and member groups, with those members inheriting the permissions
+-- granted to that group.
+--
+
+CREATE TABLE [guacamole_user_group] (
+
+    [user_group_id] [int] IDENTITY(1,1) NOT NULL,
+    [entity_id]     [int]               NOT NULL,
+
+    -- Group disabled status
+    [disabled] [bit] NOT NULL DEFAULT 0,
+
+    CONSTRAINT [PK_guacamole_user_group]
+        PRIMARY KEY CLUSTERED ([user_group_id]),
+
+    CONSTRAINT [guacamole_user_group_single_entity]
+        UNIQUE ([entity_id]),
+
+    CONSTRAINT [guacamole_user_group_entity]
+        FOREIGN KEY ([entity_id])
+        REFERENCES [guacamole_entity] ([entity_id])
+        ON DELETE CASCADE
+
+);
+GO
+
+--
+-- Table of users which are members of given user groups.
+--
+
+CREATE TABLE [guacamole_user_group_member] (
+
+    [user_group_id]    [int] NOT NULL,
+    [member_entity_id] [int] NOT NULL,
+
+    CONSTRAINT [PK_guacamole_user_group_member]
+        PRIMARY KEY CLUSTERED ([user_group_id], [member_entity_id]),
+
+    -- Parent must be a user group
+    CONSTRAINT [guacamole_user_group_member_parent_id]
+        FOREIGN KEY ([user_group_id])
+        REFERENCES [guacamole_user_group] ([user_group_id])
+        ON DELETE CASCADE,
+
+    -- Member may be either a user or a user group (any entity)
+    CONSTRAINT [guacamole_user_group_member_entity_id]
+        FOREIGN KEY ([member_entity_id])
+        REFERENCES [guacamole_entity] ([entity_id])
+        -- ON DELETE CASCADE handled by guacamole_delete_entity trigger
 
 );
 GO
@@ -269,6 +368,34 @@ CREATE NONCLUSTERED INDEX [IX_guacamole_user_attribute_user_id]
     INCLUDE ([attribute_name], [attribute_value]);
 GO
 
+--
+-- Table of arbitrary user group attributes. Each attribute is simply a
+-- name/value pair associated with a user group. Arbitrary attributes are
+-- defined by other extensions. Attributes defined by this extension will be
+-- mapped to properly-typed columns of a specific table.
+--
+
+CREATE TABLE [guacamole_user_group_attribute] (
+
+    [user_group_id]   [int]            NOT NULL,
+    [attribute_name]  [nvarchar](128)  NOT NULL,
+    [attribute_value] [nvarchar](4000) NOT NULL,
+
+    CONSTRAINT [PK_guacamole_user_group_attribute]
+        PRIMARY KEY CLUSTERED ([user_group_id], [attribute_name]),
+
+    CONSTRAINT [FK_guacamole_user_attribute_user_group_id]
+        FOREIGN KEY ([user_group_id])
+        REFERENCES [guacamole_user_group] ([user_group_id])
+        ON DELETE CASCADE
+
+);
+
+CREATE NONCLUSTERED INDEX [IX_guacamole_user_group_attribute_user_id]
+    ON [guacamole_user_group_attribute] ([user_group_id])
+    INCLUDE ([attribute_name], [attribute_value]);
+GO
+
 --
 -- Table of arbitrary connection attributes. Each attribute is simply a
 -- name/value pair associated with a connection. Arbitrary attributes are
@@ -403,27 +530,27 @@ CREATE NONCLUSTERED INDEX [IX_guacamole_sharing_profile_parameter_sharing_profil
 GO
 
 --
--- Table of connection permissions. Each connection permission grants a user
--- specific access to a connection.
+-- Table of connection permissions. Each connection permission grants a user or
+-- user group specific access to a connection.
 --
 
 CREATE TABLE [guacamole_connection_permission] (
 
-    [user_id]       [int]                         NOT NULL,
+    [entity_id]     [int]                         NOT NULL,
     [connection_id] [int]                         NOT NULL,
     [permission]    [guacamole_object_permission] NOT NULL,
 
     CONSTRAINT [PK_guacamole_connection_permission]
-        PRIMARY KEY CLUSTERED  ([user_id], [connection_id], [permission]),
+        PRIMARY KEY CLUSTERED  ([entity_id], [connection_id], [permission]),
 
     CONSTRAINT [FK_guacamole_connection_permission_connection_id]
         FOREIGN KEY ([connection_id])
         REFERENCES [guacamole_connection] ([connection_id])
         ON DELETE CASCADE,
 
-    CONSTRAINT [FK_guacamole_connection_permission_user_id]
-        FOREIGN KEY ([user_id])
-        REFERENCES [guacamole_user] ([user_id])
+    CONSTRAINT [FK_guacamole_connection_permission_entity_id]
+        FOREIGN KEY ([entity_id])
+        REFERENCES [guacamole_entity] ([entity_id])
         ON DELETE CASCADE
 
 );
@@ -431,32 +558,32 @@ CREATE TABLE [guacamole_connection_permission] (
 CREATE NONCLUSTERED INDEX [IX_guacamole_connection_permission_connection_id]
     ON [guacamole_connection_permission] ([connection_id]);
 
-CREATE NONCLUSTERED INDEX [IX_guacamole_connection_permission_user_id]
-    ON [guacamole_connection_permission] ([user_id]);
+CREATE NONCLUSTERED INDEX [IX_guacamole_connection_permission_entity_id]
+    ON [guacamole_connection_permission] ([entity_id]);
 GO
 
 --
 -- Table of connection group permissions. Each group permission grants a user
--- specific access to a connection group.
+-- or user group specific access to a connection group.
 --
 
 CREATE TABLE [guacamole_connection_group_permission] (
 
-    [user_id]             [int]                         NOT NULL,
+    [entity_id]           [int]                         NOT NULL,
     [connection_group_id] [int]                         NOT NULL,
     [permission]          [guacamole_object_permission] NOT NULL,
 
     CONSTRAINT [PK_guacamole_connection_group_permission]
-        PRIMARY KEY CLUSTERED ([user_id], [connection_group_id], [permission]),
+        PRIMARY KEY CLUSTERED ([entity_id], [connection_group_id], [permission]),
 
     CONSTRAINT [FK_guacamole_connection_group_permission_connection_group_id]
         FOREIGN KEY ([connection_group_id])
         REFERENCES [guacamole_connection_group] ([connection_group_id])
         ON DELETE CASCADE,
 
-    CONSTRAINT [FK_guacamole_connection_group_permission_user_id]
-        FOREIGN KEY ([user_id])
-        REFERENCES [guacamole_user] ([user_id])
+    CONSTRAINT [FK_guacamole_connection_group_permission_entity_id]
+        FOREIGN KEY ([entity_id])
+        REFERENCES [guacamole_entity] ([entity_id])
         ON DELETE CASCADE
 
 );
@@ -464,32 +591,32 @@ CREATE TABLE [guacamole_connection_group_permission] (
 CREATE NONCLUSTERED INDEX [IX_guacamole_connection_group_permission_connection_group_id]
     ON [guacamole_connection_group_permission] ([connection_group_id]);
 
-CREATE NONCLUSTERED INDEX [IX_guacamole_connection_group_permission_user_id]
-    ON [guacamole_connection_group_permission] ([user_id]);
+CREATE NONCLUSTERED INDEX [IX_guacamole_connection_group_permission_entity_id]
+    ON [guacamole_connection_group_permission] ([entity_id]);
 GO
 
 --
 -- Table of sharing profile permissions. Each sharing profile permission grants
--- a user specific access to a sharing profile.
+-- a user or user group specific access to a sharing profile.
 --
 
 CREATE TABLE [guacamole_sharing_profile_permission] (
 
-    [user_id]            [int]                         NOT NULL,
+    [entity_id]          [int]                         NOT NULL,
     [sharing_profile_id] [int]                         NOT NULL,
     [permission]         [guacamole_object_permission] NOT NULL,
 
     CONSTRAINT [PK_guacamole_sharing_profile_permission]
-        PRIMARY KEY CLUSTERED ([user_id], [sharing_profile_id], [permission]),
+        PRIMARY KEY CLUSTERED ([entity_id], [sharing_profile_id], [permission]),
 
     CONSTRAINT [FK_guacamole_sharing_profile_permission_sharing_profile_id]
         FOREIGN KEY ([sharing_profile_id])
         REFERENCES [guacamole_sharing_profile] ([sharing_profile_id])
         ON DELETE CASCADE,
 
-    CONSTRAINT [FK_guacamole_sharing_profile_permission_user_id]
-        FOREIGN KEY ([user_id])
-        REFERENCES [guacamole_user] ([user_id])
+    CONSTRAINT [FK_guacamole_sharing_profile_permission_entity_id]
+        FOREIGN KEY ([entity_id])
+        REFERENCES [guacamole_entity] ([entity_id])
         ON DELETE CASCADE
 
 );
@@ -497,67 +624,102 @@ CREATE TABLE [guacamole_sharing_profile_permission] (
 CREATE NONCLUSTERED INDEX [IX_guacamole_sharing_profile_permission_sharing_profile_id]
     ON [guacamole_sharing_profile_permission] ([sharing_profile_id]);
 
-CREATE NONCLUSTERED INDEX [IX_guacamole_sharing_profile_permission_user_id]
-    ON [guacamole_sharing_profile_permission] ([user_id]);
+CREATE NONCLUSTERED INDEX [IX_guacamole_sharing_profile_permission_entity_id]
+    ON [guacamole_sharing_profile_permission] ([entity_id]);
 GO
 
 --
--- Table of system permissions. Each system permission grants a user a
--- system-level privilege of some kind.
+-- Table of system permissions. Each system permission grants a user or user
+-- group a system-level privilege of some kind.
 --
 
 CREATE TABLE [guacamole_system_permission] (
 
-    [user_id]    [int]                         NOT NULL,
+    [entity_id]  [int]                         NOT NULL,
     [permission] [guacamole_system_permission] NOT NULL,
 
     CONSTRAINT [PK_guacamole_system_permission]
-        PRIMARY KEY CLUSTERED ([user_id], [permission]),
+        PRIMARY KEY CLUSTERED ([entity_id], [permission]),
 
-    CONSTRAINT [FK_guacamole_system_permission_user_id]
-        FOREIGN KEY ([user_id])
-        REFERENCES [guacamole_user] ([user_id])
+    CONSTRAINT [FK_guacamole_system_permission_entity_id]
+        FOREIGN KEY ([entity_id])
+        REFERENCES [guacamole_entity] ([entity_id])
         ON DELETE CASCADE
 
 );
 
-CREATE NONCLUSTERED INDEX [IX_guacamole_system_permission_user_id]
-    ON [guacamole_system_permission] ([user_id]);
+CREATE NONCLUSTERED INDEX [IX_guacamole_system_permission_entity_id]
+    ON [guacamole_system_permission] ([entity_id]);
 GO
 
 --
--- Table of user permissions. Each user permission grants a user access to
--- another user (the "affected" user) for a specific type of operation.
+-- Table of user permissions. Each user permission grants a user or user group
+-- access to another user (the "affected" user) for a specific type of
+-- operation.
 --
 
 CREATE TABLE [guacamole_user_permission] (
 
-    [user_id]          [int]                         NOT NULL,
+    [entity_id]        [int]                         NOT NULL,
     [affected_user_id] [int]                         NOT NULL,
     [permission]       [guacamole_object_permission] NOT NULL,
 
     CONSTRAINT [PK_guacamole_user_permission]
-        PRIMARY KEY CLUSTERED ([user_id], [affected_user_id], [permission]),
+        PRIMARY KEY CLUSTERED ([entity_id], [affected_user_id], [permission]),
 
     CONSTRAINT [FK_guacamole_user_permission_affected_user_id]
         FOREIGN KEY ([affected_user_id])
-        REFERENCES [guacamole_user] ([user_id]),
-        -- ON DELETE CASCADE handled by guacamole_delete_user trigger
-
-    CONSTRAINT [FK_guacamole_user_permission_user_id]
-        FOREIGN KEY ([user_id])
         REFERENCES [guacamole_user] ([user_id])
-        -- ON DELETE CASCADE handled by guacamole_delete_user trigger
+        ON DELETE CASCADE,
+
+    CONSTRAINT [FK_guacamole_user_permission_entity_id]
+        FOREIGN KEY ([entity_id])
+        REFERENCES [guacamole_entity] ([entity_id])
+        -- ON DELETE CASCADE handled by guacamole_delete_entity trigger
 
 );
 
-CREATE NONCLUSTERED INDEX [IX_guacamole_user_permission_user_id]
-    ON [guacamole_user_permission] ([user_id]);
+CREATE NONCLUSTERED INDEX [IX_guacamole_user_permission_entity_id]
+    ON [guacamole_user_permission] ([entity_id]);
 
 CREATE NONCLUSTERED INDEX [IX_guacamole_user_permission_affected_user_id]
     ON [guacamole_user_permission] ([affected_user_id]);
 GO
 
+--
+-- Table of user group permissions. Each user group permission grants a user
+-- or user group access to a another user group (the "affected" user group) for
+-- a specific type of operation.
+--
+
+CREATE TABLE [guacamole_user_group_permission] (
+
+    [entity_id]              [int]                         NOT NULL,
+    [affected_user_group_id] [int]                         NOT NULL,
+    [permission]             [guacamole_object_permission] NOT NULL,
+
+    CONSTRAINT [PK_guacamole_user_group_permission]
+        PRIMARY KEY CLUSTERED ([entity_id], [affected_user_group_id], [permission]),
+
+    CONSTRAINT [FK_guacamole_user_group_permission_affected_user_group_id]
+        FOREIGN KEY ([affected_user_group_id])
+        REFERENCES [guacamole_user_group] ([user_group_id])
+        ON DELETE CASCADE,
+
+    CONSTRAINT [FK_guacamole_user_group_permission_entity_id]
+        FOREIGN KEY ([entity_id])
+        REFERENCES [guacamole_entity] ([entity_id])
+        -- ON DELETE CASCADE handled by guacamole_delete_entity trigger
+
+);
+
+CREATE NONCLUSTERED INDEX [IX_guacamole_user_group_permission_entity_id]
+    ON [guacamole_user_group_permission] ([entity_id]);
+
+CREATE NONCLUSTERED INDEX [IX_guacamole_user_group_permission_affected_user_group_id]
+    ON [guacamole_user_group_permission] ([affected_user_group_id]);
+GO
+
 --
 -- Table of connection history records. Each record defines a specific user's
 -- session, including the connection used, the start time, and the end time
@@ -682,12 +844,12 @@ GO
 
 --
 -- Handle cascading deletion/updates of records in response to deletion of
--- guacamole_user records, where such deletion is not already covered by
+-- guacamole_entity records, where such deletion is not already covered by
 -- ON DELETE CASCADE or ON DELETE SET NULL.
 --
 
-CREATE TRIGGER [guacamole_delete_user]
-   ON [guacamole_user]
+CREATE TRIGGER [guacamole_delete_entity]
+   ON [guacamole_entity]
    INSTEAD OF DELETE
 AS BEGIN
 
@@ -696,13 +858,18 @@ AS BEGIN
 
     -- Delete all associated permissions not covered by ON DELETE CASCADE
     DELETE FROM [guacamole_user_permission]
-    WHERE
-           [user_id] IN (SELECT [user_id] FROM DELETED)
-        OR [user_id] IN (SELECT [user_id] FROM DELETED);
+    WHERE [entity_id] IN (SELECT [entity_id] FROM DELETED);
+
+    DELETE FROM [guacamole_user_group_permission]
+    WHERE [entity_id] IN (SELECT [entity_id] FROM DELETED);
+
+    -- Delete all associated group memberships not covered by ON DELETE CASCADE
+    DELETE FROM [guacamole_user_group_member]
+    WHERE [member_entity_id] IN (SELECT [entity_id] FROM DELETED);
 
     -- Perform original deletion
-    DELETE FROM [guacamole_user]
-    WHERE [user_id] IN (SELECT [user_id] FROM DELETED);
+    DELETE FROM [guacamole_entity]
+    WHERE [entity_id] IN (SELECT [entity_id] FROM DELETED);
 
 END
 GO
@@ -746,6 +913,20 @@ AS BEGIN
     -- Do not take trigger into account when producing row counts for the DELETE
     SET NOCOUNT ON;
 
+    -- Delete all descendant connections
+    WITH [connection_groups] ([connection_group_id]) AS (
+        SELECT [connection_group_id] FROM DELETED
+    UNION ALL
+        SELECT [guacamole_connection_group].[connection_group_id]
+        FROM [guacamole_connection_group]
+        JOIN [connection_groups] ON [connection_groups].[connection_group_id] = [guacamole_connection_group].[parent_id]
+    )
+    DELETE FROM [guacamole_connection]
+    WHERE [parent_id] IN (
+        SELECT [connection_group_id]
+        FROM [connection_groups]
+    );
+
     -- Delete all requested connection groups, including descendants
     WITH [connection_groups] ([connection_group_id]) AS (
         SELECT [connection_group_id] FROM DELETED
@@ -760,10 +941,6 @@ AS BEGIN
         FROM [connection_groups]
     );
 
-    -- Delete all child connections
-    DELETE FROM [guacamole_connection]
-    WHERE [parent_id] IN (SELECT [connection_group_id] FROM DELETED);
-
 END
 GO
 

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/schema/002-create-admin-user.sql

@@ -18,43 +18,46 @@
 --
 
 -- Create default user "guacadmin" with password "guacadmin"
+INSERT INTO [guacamole_entity] ([name], [type]) VALUES ('guacadmin', 'USER');
 INSERT INTO [guacamole_user] (
-    [username],
+    [entity_id],
     [password_hash],
     [password_salt],
     [password_date]
 )
-VALUES (
-    'guacadmin',
+SELECT
+    [entity_id],
     0xCA458A7D494E3BE824F5E1E175A1556C0F8EEF2C2D7DF3633BEC4A29C4411960,
     0xFE24ADC5E11E2B25288D1704ABE67A79E342ECC26064CE69C5B3177795A82264,
     getdate()
-);
+FROM [guacamole_entity] WHERE [name] = 'guacadmin';
 
 -- Grant this user all system permissions
 INSERT INTO [guacamole_system_permission]
 SELECT
-    [user_id],
+    [entity_id],
     [permission]
 FROM (
           SELECT 'guacadmin', 'CREATE_CONNECTION'
     UNION SELECT 'guacadmin', 'CREATE_CONNECTION_GROUP'
     UNION SELECT 'guacadmin', 'CREATE_SHARING_PROFILE'
     UNION SELECT 'guacadmin', 'CREATE_USER'
+    UNION SELECT 'guacadmin', 'CREATE_USER_GROUP'
     UNION SELECT 'guacadmin', 'ADMINISTER'
 ) [permissions] ([username], [permission])
-JOIN [guacamole_user] ON [permissions].[username] = [guacamole_user].[username];
+JOIN [guacamole_entity] ON [permissions].[username] = [guacamole_entity].[name] AND [guacamole_entity].[type] = 'USER';
 
 INSERT INTO [guacamole_user_permission]
 SELECT
+    [guacamole_entity].[entity_id],
     [guacamole_user].[user_id],
-    [affected].[user_id],
     [permission]
 FROM (
           SELECT 'guacadmin', 'guacadmin', 'READ'
     UNION SELECT 'guacadmin', 'guacadmin', 'UPDATE'
     UNION SELECT 'guacadmin', 'guacadmin', 'ADMINISTER'
 ) [permissions] ([username], [affected_username], [permission])
-JOIN [guacamole_user]          ON permissions.username = [guacamole_user].[username]
-JOIN [guacamole_user] [affected] ON permissions.affected_username = affected.username;
+JOIN [guacamole_entity]            ON [permissions].[username] = [guacamole_entity].[name] AND [guacamole_entity].[type] = 'USER'
+JOIN [guacamole_entity] [affected] ON [permissions].[affected_username] = [affected].[name] AND [guacamole_entity].[type] = 'USER'
+JOIN [guacamole_user]              ON [guacamole_user].[entity_id] = [affected].[entity_id];
 GO

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/schema/upgrade/upgrade-pre-1.0.0.sql

@@ -17,6 +17,510 @@
 -- under the License.
 --
 
+--
+-- Add new system-level permission
+--
+
+EXEC sp_unbindrule 'guacamole_system_permission';
+DROP RULE [guacamole_system_permission_list];
+GO
+
+CREATE RULE [guacamole_system_permission_list] AS @list IN (
+    'CREATE_CONNECTION',
+    'CREATE_CONNECTION_GROUP',
+    'CREATE_SHARING_PROFILE',
+    'CREATE_USER',
+    'CREATE_USER_GROUP',
+    'ADMINISTER'
+);
+GO
+
+EXEC sp_bindrule
+    'guacamole_system_permission_list',
+    'guacamole_system_permission';
+GO
+
+--
+-- Entity types
+--
+
+CREATE RULE [guacamole_entity_type_list] AS @list IN (
+    'USER',
+    'USER_GROUP'
+);
+GO
+
+CREATE TYPE [guacamole_entity_type] FROM [nvarchar](16);
+EXEC sp_bindrule
+    'guacamole_entity_type_list',
+    'guacamole_entity_type';
+GO
+
+--
+-- Table of base entities which may each be either a user or user group. Other
+-- tables which represent qualities shared by both users and groups will point
+-- to guacamole_entity, while tables which represent qualities specific to
+-- users or groups will point to guacamole_user or guacamole_user_group.
+--
+
+CREATE TABLE [guacamole_entity] (
+
+    [entity_id]     [int] IDENTITY(1,1)     NOT NULL,
+    [name]          [nvarchar](128)         NOT NULL,
+    [type]          [guacamole_entity_type] NOT NULL,
+
+    CONSTRAINT [PK_guacamole_entity]
+        PRIMARY KEY CLUSTERED ([entity_id]),
+
+    CONSTRAINT [AK_guacamole_entity_name_scope]
+        UNIQUE ([type], [name])
+
+);
+GO
+
+--
+-- Table of user groups. Each user group may have an arbitrary set of member
+-- users and member groups, with those members inheriting the permissions
+-- granted to that group.
+--
+
+CREATE TABLE [guacamole_user_group] (
+
+    [user_group_id] [int] IDENTITY(1,1) NOT NULL,
+    [entity_id]     [int]               NOT NULL,
+
+    -- Group disabled status
+    [disabled] [bit] NOT NULL DEFAULT 0,
+
+    CONSTRAINT [PK_guacamole_user_group]
+        PRIMARY KEY CLUSTERED ([user_group_id]),
+
+    CONSTRAINT [guacamole_user_group_single_entity]
+        UNIQUE ([entity_id]),
+
+    CONSTRAINT [guacamole_user_group_entity]
+        FOREIGN KEY ([entity_id])
+        REFERENCES [guacamole_entity] ([entity_id])
+        ON DELETE CASCADE
+
+);
+GO
+
+--
+-- Table of users which are members of given user groups.
+--
+
+CREATE TABLE [guacamole_user_group_member] (
+
+    [user_group_id]    [int] NOT NULL,
+    [member_entity_id] [int] NOT NULL,
+
+    CONSTRAINT [PK_guacamole_user_group_member]
+        PRIMARY KEY CLUSTERED ([user_group_id], [member_entity_id]),
+
+    -- Parent must be a user group
+    CONSTRAINT [guacamole_user_group_member_parent_id]
+        FOREIGN KEY ([user_group_id])
+        REFERENCES [guacamole_user_group] ([user_group_id])
+        ON DELETE CASCADE,
+
+    -- Member may be either a user or a user group (any entity)
+    CONSTRAINT [guacamole_user_group_member_entity_id]
+        FOREIGN KEY ([member_entity_id])
+        REFERENCES [guacamole_entity] ([entity_id])
+        -- ON DELETE CASCADE handled by guacamole_delete_entity trigger
+
+);
+GO
+
+--
+-- Table of user group permissions. Each user group permission grants a user
+-- or user group access to a another user group (the "affected" user group) for
+-- a specific type of operation.
+--
+
+CREATE TABLE [guacamole_user_group_permission] (
+
+    [entity_id]              [int]                         NOT NULL,
+    [affected_user_group_id] [int]                         NOT NULL,
+    [permission]             [guacamole_object_permission] NOT NULL,
+
+    CONSTRAINT [PK_guacamole_user_group_permission]
+        PRIMARY KEY CLUSTERED ([entity_id], [affected_user_group_id], [permission]),
+
+    CONSTRAINT [FK_guacamole_user_group_permission_affected_user_group_id]
+        FOREIGN KEY ([affected_user_group_id])
+        REFERENCES [guacamole_user_group] ([user_group_id])
+        ON DELETE CASCADE,
+
+    CONSTRAINT [FK_guacamole_user_group_permission_entity_id]
+        FOREIGN KEY ([entity_id])
+        REFERENCES [guacamole_entity] ([entity_id])
+        -- ON DELETE CASCADE handled by guacamole_delete_entity trigger
+
+);
+
+CREATE NONCLUSTERED INDEX [IX_guacamole_user_group_permission_entity_id]
+    ON [guacamole_user_group_permission] ([entity_id]);
+
+CREATE NONCLUSTERED INDEX [IX_guacamole_user_group_permission_affected_user_group_id]
+    ON [guacamole_user_group_permission] ([affected_user_group_id]);
+GO
+
+--
+-- The guacamole_delete_entity trigger effectively replaces the
+-- guacamole_delete_user trigger, which is no longer necessary and will cease
+-- being correct after the columns of existing tables are updated.
+--
+
+DROP TRIGGER [guacamole_delete_user];
+GO
+
+--
+-- Modify guacamole_user table to use guacamole_entity as a base
+--
+
+-- Add new entity_id column
+ALTER TABLE [guacamole_user] ADD [entity_id] [int];
+GO
+
+-- Create user entities for each guacamole_user entry
+INSERT INTO [guacamole_entity] ([name], [type])
+SELECT [username], 'USER' FROM [guacamole_user];
+GO
+
+-- Update guacamole_user to point to corresponding guacamole_entity
+UPDATE [guacamole_user] SET [entity_id] = (
+    SELECT [entity_id] FROM [guacamole_entity]
+    WHERE
+            [username] = [guacamole_entity].[name]
+        AND type = 'USER'
+);
+GO
+
+-- The entity_id column should now be safely non-NULL
+ALTER TABLE [guacamole_user]
+    ALTER COLUMN [entity_id] [int] NOT NULL;
+
+-- The entity_id column should now be unique for each user
+ALTER TABLE [guacamole_user]
+    ADD CONSTRAINT [AK_guacamole_user_single_entity]
+    UNIQUE ([entity_id]);
+
+-- The entity_id column should now safely point to guacamole_entity entries
+ALTER TABLE [guacamole_user]
+    ADD CONSTRAINT [FK_guacamole_user_entity]
+    FOREIGN KEY ([entity_id])
+    REFERENCES [guacamole_entity] ([entity_id])
+    ON DELETE CASCADE;
+
+-- The username column can now safely be removed
+ALTER TABLE [guacamole_user] DROP [AK_guacamole_user_username];
+ALTER TABLE [guacamole_user] DROP COLUMN [username];
+GO
+
+--
+-- Modify guacamole_connection_permission to use guacamole_entity instead of
+-- guacamole_user
+--
+
+-- Add new entity_id column
+ALTER TABLE [guacamole_connection_permission] ADD [entity_id] [int];
+GO
+
+-- Update guacamole_connection_permission to point to the guacamole_entity
+-- that has been granted the permission
+UPDATE [guacamole_connection_permission] SET [entity_id] = (
+    SELECT [entity_id] FROM [guacamole_user]
+    WHERE [guacamole_user].[user_id] = [guacamole_connection_permission].[user_id]
+);
+GO
+
+-- The entity_id column should now be safely non-NULL
+ALTER TABLE [guacamole_connection_permission]
+    ALTER COLUMN [entity_id] [int] NOT NULL;
+
+-- Remove user_id column
+DROP INDEX [IX_guacamole_connection_permission_user_id] ON [guacamole_connection_permission];
+ALTER TABLE [guacamole_connection_permission] DROP [PK_guacamole_connection_permission];
+ALTER TABLE [guacamole_connection_permission] DROP [FK_guacamole_connection_permission_user_id];
+ALTER TABLE [guacamole_connection_permission] DROP COLUMN [user_id];
+
+-- The entity_id column should now safely point to guacamole_entity entries
+ALTER TABLE [guacamole_connection_permission]
+    ADD CONSTRAINT [FK_guacamole_connection_permission_entity_id]
+    FOREIGN KEY ([entity_id])
+    REFERENCES [guacamole_entity] ([entity_id])
+    ON DELETE CASCADE;
+
+CREATE NONCLUSTERED INDEX [IX_guacamole_connection_permission_entity_id]
+    ON [guacamole_connection_permission] ([entity_id]);
+
+-- Add new primary key which uses entity_id
+ALTER TABLE [guacamole_connection_permission]
+    ADD CONSTRAINT [PK_guacamole_connection_permission]
+    PRIMARY KEY CLUSTERED ([entity_id], [connection_id], [permission]);
+GO
+
+--
+-- Modify guacamole_connection_group_permission to use guacamole_entity instead
+-- of guacamole_user
+--
+
+-- Add new entity_id column
+ALTER TABLE [guacamole_connection_group_permission] ADD [entity_id] [int];
+GO
+
+-- Update guacamole_connection_group_permission to point to the guacamole_entity
+-- that has been granted the permission
+UPDATE guacamole_connection_group_permission SET entity_id = (
+    SELECT entity_id FROM guacamole_user
+    WHERE guacamole_user.user_id = guacamole_connection_group_permission.user_id
+);
+GO
+
+-- The entity_id column should now be safely non-NULL
+ALTER TABLE [guacamole_connection_group_permission]
+    ALTER COLUMN [entity_id] [int] NOT NULL;
+
+-- Remove user_id column
+DROP INDEX [IX_guacamole_connection_group_permission_user_id] ON [guacamole_connection_group_permission];
+ALTER TABLE [guacamole_connection_group_permission] DROP [PK_guacamole_connection_group_permission];
+ALTER TABLE [guacamole_connection_group_permission] DROP [FK_guacamole_connection_group_permission_user_id];
+ALTER TABLE [guacamole_connection_group_permission] DROP COLUMN user_id;
+
+-- The entity_id column should now safely point to guacamole_entity entries
+ALTER TABLE [guacamole_connection_group_permission]
+    ADD CONSTRAINT [FK_guacamole_connection_group_permission_entity_id]
+    FOREIGN KEY ([entity_id])
+    REFERENCES [guacamole_entity] ([entity_id])
+    ON DELETE CASCADE;
+
+CREATE NONCLUSTERED INDEX [IX_guacamole_connection_group_permission_entity_id]
+    ON [guacamole_connection_group_permission] ([entity_id]);
+
+-- Add new primary key which uses entity_id
+ALTER TABLE [guacamole_connection_group_permission]
+    ADD CONSTRAINT [PK_guacamole_connection_group_permission]
+    PRIMARY KEY CLUSTERED ([entity_id], [connection_group_id], [permission]);
+GO
+
+--
+-- Modify guacamole_sharing_profile_permission to use guacamole_entity instead
+-- of guacamole_user
+--
+
+-- Add new entity_id column
+ALTER TABLE [guacamole_sharing_profile_permission] ADD [entity_id] [int];
+GO
+
+-- Update guacamole_sharing_profile_permission to point to the guacamole_entity
+-- that has been granted the permission
+UPDATE guacamole_sharing_profile_permission SET entity_id = (
+    SELECT entity_id FROM guacamole_user
+    WHERE guacamole_user.user_id = guacamole_sharing_profile_permission.user_id
+);
+GO
+
+-- The entity_id column should now be safely non-NULL
+ALTER TABLE [guacamole_sharing_profile_permission]
+    ALTER COLUMN [entity_id] [int] NOT NULL;
+
+-- Remove user_id column
+DROP INDEX [IX_guacamole_sharing_profile_permission_user_id] ON [guacamole_sharing_profile_permission];
+ALTER TABLE [guacamole_sharing_profile_permission] DROP [PK_guacamole_sharing_profile_permission];
+ALTER TABLE [guacamole_sharing_profile_permission] DROP [FK_guacamole_sharing_profile_permission_user_id];
+ALTER TABLE [guacamole_sharing_profile_permission] DROP COLUMN user_id;
+
+-- The entity_id column should now safely point to guacamole_entity entries
+ALTER TABLE [guacamole_sharing_profile_permission]
+    ADD CONSTRAINT [FK_guacamole_sharing_profile_permission_entity_id]
+    FOREIGN KEY ([entity_id])
+    REFERENCES [guacamole_entity] ([entity_id])
+    ON DELETE CASCADE;
+
+CREATE NONCLUSTERED INDEX [IX_guacamole_sharing_profile_permission_entity_id]
+    ON [guacamole_sharing_profile_permission] ([entity_id]);
+
+-- Add new primary key which uses entity_id
+ALTER TABLE [guacamole_sharing_profile_permission]
+    ADD CONSTRAINT [PK_guacamole_sharing_profile_permission]
+    PRIMARY KEY CLUSTERED ([entity_id], [sharing_profile_id], [permission]);
+GO
+
+--
+-- Modify guacamole_user_permission to use guacamole_entity instead of
+-- guacamole_user
+--
+
+-- Add new entity_id column
+ALTER TABLE [guacamole_user_permission] ADD [entity_id] [int];
+GO
+
+-- Update guacamole_user_permission to point to the guacamole_entity
+-- that has been granted the permission
+UPDATE guacamole_user_permission SET entity_id = (
+    SELECT entity_id FROM guacamole_user
+    WHERE guacamole_user.user_id = guacamole_user_permission.user_id
+);
+GO
+
+-- The entity_id column should now be safely non-NULL
+ALTER TABLE [guacamole_user_permission]
+    ALTER COLUMN [entity_id] [int] NOT NULL;
+
+-- The entity_id column should now safely point to guacamole_entity entries
+ALTER TABLE [guacamole_user_permission]
+    ADD CONSTRAINT [FK_guacamole_user_permission_entity_id]
+    FOREIGN KEY ([entity_id])
+    REFERENCES [guacamole_entity] ([entity_id]);
+    -- ON DELETE CASCADE handled by guacamole_delete_entity trigger
+
+-- The affected_user_id column now has ON DELETE CASCADE
+ALTER TABLE [guacamole_user_permission] DROP [FK_guacamole_user_permission_affected_user_id];
+ALTER TABLE [guacamole_user_permission]
+    ADD CONSTRAINT [FK_guacamole_user_permission_affected_user_id]
+        FOREIGN KEY ([affected_user_id])
+        REFERENCES [guacamole_user] ([user_id])
+        ON DELETE CASCADE;
+
+CREATE NONCLUSTERED INDEX [IX_guacamole_user_permission_entity_id]
+    ON [guacamole_user_permission] ([entity_id]);
+
+-- Remove user_id column
+DROP INDEX [IX_guacamole_user_permission_user_id] ON [guacamole_user_permission];
+ALTER TABLE [guacamole_user_permission] DROP [PK_guacamole_user_permission];
+ALTER TABLE [guacamole_user_permission] DROP [FK_guacamole_user_permission_user_id];
+ALTER TABLE [guacamole_user_permission] DROP COLUMN user_id;
+
+-- Add new primary key which uses entity_id
+ALTER TABLE [guacamole_user_permission]
+    ADD CONSTRAINT [PK_guacamole_user_permission]
+    PRIMARY KEY CLUSTERED ([entity_id], [affected_user_id], [permission]);
+GO
+
+--
+-- Modify guacamole_system_permission to use guacamole_entity instead of
+-- guacamole_user
+--
+
+-- Add new entity_id column
+ALTER TABLE [guacamole_system_permission] ADD [entity_id] [int];
+GO
+
+-- Update guacamole_system_permission to point to the guacamole_entity
+-- that has been granted the permission
+UPDATE [guacamole_system_permission] SET [entity_id] = (
+    SELECT [entity_id] FROM [guacamole_user]
+    WHERE [guacamole_user].[user_id] = [guacamole_system_permission].[user_id]
+);
+GO
+
+-- The entity_id column should now be safely non-NULL
+ALTER TABLE [guacamole_system_permission]
+    ALTER COLUMN [entity_id] [int] NOT NULL;
+
+-- Remove user_id column
+DROP INDEX [IX_guacamole_system_permission_user_id] ON [guacamole_system_permission];
+ALTER TABLE [guacamole_system_permission] DROP [PK_guacamole_system_permission];
+ALTER TABLE [guacamole_system_permission] DROP [FK_guacamole_system_permission_user_id];
+ALTER TABLE [guacamole_system_permission] DROP COLUMN [user_id];
+
+-- The entity_id column should now safely point to guacamole_entity entries
+ALTER TABLE [guacamole_system_permission]
+    ADD CONSTRAINT [FK_guacamole_system_permission_entity_id]
+    FOREIGN KEY ([entity_id])
+    REFERENCES [guacamole_entity] ([entity_id])
+    ON DELETE CASCADE;
+
+CREATE NONCLUSTERED INDEX [IX_guacamole_system_permission_entity_id]
+    ON [guacamole_system_permission] ([entity_id]);
+
+-- Add new primary key which uses entity_id
+ALTER TABLE [guacamole_system_permission]
+    ADD CONSTRAINT [PK_guacamole_system_permission]
+    PRIMARY KEY CLUSTERED ([entity_id], [permission]);
+GO
+
+--
+-- Handle cascading deletion/updates of records in response to deletion of
+-- guacamole_entity records, where such deletion is not already covered by
+-- ON DELETE CASCADE or ON DELETE SET NULL.
+--
+
+CREATE TRIGGER [guacamole_delete_entity]
+   ON [guacamole_entity]
+   INSTEAD OF DELETE
+AS BEGIN
+
+    -- Do not take trigger into account when producing row counts for the DELETE
+    SET NOCOUNT ON;
+
+    -- Delete all associated permissions not covered by ON DELETE CASCADE
+    DELETE FROM [guacamole_user_permission]
+    WHERE [entity_id] IN (SELECT [entity_id] FROM DELETED);
+
+    DELETE FROM [guacamole_user_group_permission]
+    WHERE [entity_id] IN (SELECT [entity_id] FROM DELETED);
+
+    -- Delete all associated group memberships not covered by ON DELETE CASCADE
+    DELETE FROM [guacamole_user_group_member]
+    WHERE [member_entity_id] IN (SELECT [entity_id] FROM DELETED);
+
+    -- Perform original deletion
+    DELETE FROM [guacamole_entity]
+    WHERE [entity_id] IN (SELECT [entity_id] FROM DELETED);
+
+END
+GO
+
+--
+-- Update guacamole_delete_connection_group trigger to remove descendant
+-- connections first.
+--
+
+DROP TRIGGER [guacamole_delete_connection_group];
+GO
+
+CREATE TRIGGER [guacamole_delete_connection_group]
+   ON [guacamole_connection_group]
+   INSTEAD OF DELETE
+AS BEGIN
+
+    -- Do not take trigger into account when producing row counts for the DELETE
+    SET NOCOUNT ON;
+
+    -- Delete all descendant connections
+    WITH [connection_groups] ([connection_group_id]) AS (
+        SELECT [connection_group_id] FROM DELETED
+    UNION ALL
+        SELECT [guacamole_connection_group].[connection_group_id]
+        FROM [guacamole_connection_group]
+        JOIN [connection_groups] ON [connection_groups].[connection_group_id] = [guacamole_connection_group].[parent_id]
+    )
+    DELETE FROM [guacamole_connection]
+    WHERE [parent_id] IN (
+        SELECT [connection_group_id]
+        FROM [connection_groups]
+    );
+
+    -- Delete all requested connection groups, including descendants
+    WITH [connection_groups] ([connection_group_id]) AS (
+        SELECT [connection_group_id] FROM DELETED
+    UNION ALL
+        SELECT [guacamole_connection_group].[connection_group_id]
+        FROM [guacamole_connection_group]
+        JOIN [connection_groups] ON [connection_groups].[connection_group_id] = [guacamole_connection_group].[parent_id]
+    )
+    DELETE FROM [guacamole_connection_group]
+    WHERE [connection_group_id] IN (
+        SELECT [connection_group_id]
+        FROM [connection_groups]
+    );
+
+END
+GO
+
 --
 -- Table of arbitrary user attributes. Each attribute is simply a name/value
 -- pair associated with a user. Arbitrary attributes are defined by other
@@ -45,6 +549,34 @@ CREATE NONCLUSTERED INDEX [IX_guacamole_user_attribute_user_id]
     INCLUDE ([attribute_name], [attribute_value]);
 GO
 
+--
+-- Table of arbitrary user group attributes. Each attribute is simply a
+-- name/value pair associated with a user group. Arbitrary attributes are
+-- defined by other extensions. Attributes defined by this extension will be
+-- mapped to properly-typed columns of a specific table.
+--
+
+CREATE TABLE [guacamole_user_group_attribute] (
+
+    [user_group_id]   [int]            NOT NULL,
+    [attribute_name]  [nvarchar](128)  NOT NULL,
+    [attribute_value] [nvarchar](4000) NOT NULL,
+
+    CONSTRAINT [PK_guacamole_user_group_attribute]
+        PRIMARY KEY CLUSTERED ([user_group_id], [attribute_name]),
+
+    CONSTRAINT [FK_guacamole_user_attribute_user_group_id]
+        FOREIGN KEY ([user_group_id])
+        REFERENCES [guacamole_user_group] ([user_group_id])
+        ON DELETE CASCADE
+
+);
+
+CREATE NONCLUSTERED INDEX [IX_guacamole_user_group_attribute_user_id]
+    ON [guacamole_user_group_attribute] ([user_group_id])
+    INCLUDE ([attribute_name], [attribute_value]);
+GO
+
 --
 -- Table of arbitrary connection attributes. Each attribute is simply a
 -- name/value pair associated with a connection. Arbitrary attributes are

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/java/org/apache/guacamole/auth/sqlserver/SQLServerEnvironment.java

@@ -24,6 +24,7 @@ import org.apache.guacamole.auth.jdbc.JDBCEnvironment;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.apache.guacamole.auth.jdbc.security.PasswordPolicy;
+import org.apache.ibatis.session.SqlSession;
 
 /**
  * A SQLServer-specific implementation of JDBCEnvironment provides database
@@ -250,5 +251,10 @@ public class SQLServerEnvironment extends JDBCEnvironment {
             SQLSERVER_DEFAULT_DRIVER
         );
     }
-    
+
+    @Override
+    public boolean isRecursiveQuerySupported(SqlSession session) {
+        return true; // All versions of SQL Server support recursive queries through CTEs
+    }
+
 }

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/base/EntityMapper.xml

@@ -0,0 +1,127 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
+    "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
+
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+
+<mapper namespace="org.apache.guacamole.auth.jdbc.base.EntityMapper" >
+
+    <!--
+      * SQL fragment which tests whether the value of the given column matches
+      * the given entity ID. If group identifiers are provided, the IDs of the
+      * entities for all groups having those identifiers are tested, as well.
+      * Disabled groups are ignored.
+      *
+      * @param column
+      *     The name of the column to test. This column MUST contain an entity
+      *     ID (a foreign key into the [guacamole_entity] table).
+      *
+      * @param entityID
+      *     The ID of the specific entity to test the column against.
+      *
+      * @param groups
+      *     A collection of group identifiers to additionally test the column
+      *     against. Though this functionality is optional, a collection must
+      *     always be given, even if that collection is empty.
+      -->
+    <sql id="isRelatedEntity">
+        (
+            ${column} = ${entityID}
+            <if test="!${groups}.isEmpty()">
+                OR ${column} IN (
+                    SELECT [guacamole_entity].entity_id
+                    FROM [guacamole_entity]
+                    JOIN [guacamole_user_group] ON [guacamole_user_group].entity_id = [guacamole_entity].entity_id
+                    WHERE
+                        type = 'USER_GROUP'
+                        AND name IN
+                            <foreach collection="${groups}" item="effectiveGroup"
+                                     open="(" separator="," close=")">
+                                #{effectiveGroup,jdbcType=VARCHAR}
+                            </foreach>
+                        AND disabled = 0
+                )
+            </if>
+        )
+    </sql>
+
+    <!-- Select names of all effective groups (including inherited) -->
+    <select id="selectEffectiveGroupIdentifiers" resultType="string">
+
+        WITH [related_entity] ([entity_id], [path]) AS (
+            SELECT
+                [guacamole_user_group].entity_id,
+                '{' + CAST([guacamole_user_group].entity_id AS VARCHAR(MAX)) + '}'
+            FROM [guacamole_user_group]
+            JOIN [guacamole_user_group_member] ON [guacamole_user_group].user_group_id = [guacamole_user_group_member].user_group_id
+            WHERE
+                [guacamole_user_group_member].member_entity_id = #{entity.entityID}
+                AND [guacamole_user_group].disabled = 0
+            <if test="!effectiveGroups.isEmpty()">
+                UNION ALL
+                    SELECT
+                        [guacamole_entity].entity_id,
+                        '{' + CAST([guacamole_entity].entity_id AS VARCHAR(MAX)) + '}'
+                    FROM [guacamole_entity]
+                    JOIN [guacamole_user_group] ON [guacamole_user_group].entity_id = [guacamole_entity].entity_id
+                    WHERE
+                        type = 'USER_GROUP'
+                        AND name IN
+                            <foreach collection="effectiveGroups" item="effectiveGroup"
+                                     open="(" separator="," close=")">
+                                #{effectiveGroup,jdbcType=VARCHAR}
+                            </foreach>
+                        AND [guacamole_user_group].disabled = 0
+            </if>
+            UNION ALL
+                SELECT
+                    [guacamole_user_group].entity_id,
+                    [related_entity].path + '{' + CAST([guacamole_user_group].entity_id AS VARCHAR(MAX)) + '}'
+                FROM [related_entity]
+                JOIN [guacamole_user_group_member] ON [related_entity].entity_id = [guacamole_user_group_member].member_entity_id
+                JOIN [guacamole_user_group] ON [guacamole_user_group].user_group_id = [guacamole_user_group_member].user_group_id
+                WHERE
+                    [guacamole_user_group].disabled = 0
+                    AND [related_entity].path NOT LIKE '%{' + CAST([guacamole_user_group].entity_id AS VARCHAR(MAX)) + '}%'
+        )
+        SELECT DISTINCT name
+        FROM [related_entity]
+        JOIN [guacamole_entity] ON [related_entity].entity_id = [guacamole_entity].entity_id
+        WHERE
+            [guacamole_entity].type = 'USER_GROUP';
+
+    </select>
+
+    <!-- Insert single entity -->
+    <insert id="insert" useGeneratedKeys="true" keyProperty="entity.entityID"
+            parameterType="org.apache.guacamole.auth.jdbc.base.EntityModel">
+
+        INSERT INTO [guacamole_entity] (
+            name,
+            type
+        )
+        VALUES (
+            #{entity.identifier,jdbcType=VARCHAR},
+            #{entity.entityType,jdbcType=VARCHAR}
+        )
+
+    </insert>
+
+</mapper>

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/connection/ConnectionMapper.xml

@@ -68,7 +68,11 @@
         SELECT connection_id
         FROM [guacamole_connection_permission]
         WHERE
-            user_id = #{user.objectID,jdbcType=INTEGER}
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
             AND permission = 'READ'
     </select>
 
@@ -89,7 +93,11 @@
         WHERE
             <if test="parentIdentifier != null">parent_id = #{parentIdentifier,jdbcType=INTEGER}</if>
             <if test="parentIdentifier == null">parent_id IS NULL</if>
-            AND user_id = #{user.objectID,jdbcType=INTEGER}
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
             AND permission = 'READ'
     </select>
 
@@ -170,7 +178,11 @@
                      open="(" separator="," close=")">
                 #{identifier,jdbcType=INTEGER}
             </foreach>
-            AND [guacamole_connection_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_connection_permission].entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
             AND permission = 'READ';
 
         SELECT primary_connection_id, [guacamole_sharing_profile].sharing_profile_id
@@ -181,7 +193,11 @@
                      open="(" separator="," close=")">
                 #{identifier,jdbcType=INTEGER}
             </foreach>
-            AND user_id = #{user.objectID,jdbcType=INTEGER}
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
             AND permission = 'READ';
 
         SELECT
@@ -195,7 +211,11 @@
                      open="(" separator="," close=")">
                 #{identifier,jdbcType=INTEGER}
             </foreach>
-            AND user_id = #{user.objectID,jdbcType=INTEGER}
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
             AND permission = 'READ';
 
     </select>

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/connection/ConnectionRecordMapper.xml

@@ -79,7 +79,10 @@
             #{record.sharingProfileIdentifier,jdbcType=INTEGER},
             #{record.sharingProfileName,jdbcType=VARCHAR},
             (SELECT user_id FROM [guacamole_user]
-             WHERE username = #{record.username,jdbcType=VARCHAR}),
+             JOIN [guacamole_entity] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
+             WHERE
+                   [guacamole_entity].name = #{record.username,jdbcType=VARCHAR}
+               AND [guacamole_entity].type = 'USER'),
             #{record.username,jdbcType=VARCHAR},
             #{record.startDate,jdbcType=TIMESTAMP},
             #{record.endDate,jdbcType=TIMESTAMP}
@@ -161,13 +164,21 @@
         <!-- Restrict to readable connections -->
         JOIN [guacamole_connection_permission] ON
                 [guacamole_connection_history].connection_id = [guacamole_connection_permission].connection_id
-            AND [guacamole_connection_permission].user_id    = #{user.objectID,jdbcType=INTEGER}
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_connection_permission].entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
             AND [guacamole_connection_permission].permission = 'READ'
 
         <!-- Restrict to readable users -->
         JOIN [guacamole_user_permission] ON
                 [guacamole_connection_history].user_id = [guacamole_user_permission].affected_user_id
-            AND [guacamole_user_permission].user_id    = #{user.objectID,jdbcType=INTEGER}
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_permission].entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
             AND [guacamole_user_permission].permission = 'READ'
 
         <!-- Search terms -->
@@ -178,7 +189,10 @@
                 [guacamole_connection_history].user_id IN (
                     SELECT user_id
                     FROM [guacamole_user]
-                    WHERE POSITION(#{term.term,jdbcType=VARCHAR} IN username) > 0
+                    JOIN [guacamole_entity] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
+                    WHERE
+                            POSITION(#{term.term,jdbcType=VARCHAR} IN [guacamole_entity].name) > 0
+                        AND [guacamole_entity].type = 'USER'
                 )
 
                 OR [guacamole_connection_history].connection_id IN (

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/connectiongroup/ConnectionGroupMapper.xml

@@ -69,7 +69,11 @@
         SELECT connection_group_id
         FROM [guacamole_connection_group_permission]
         WHERE
-            user_id = #{user.objectID,jdbcType=INTEGER}
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
             AND permission = 'READ'
     </select>
 
@@ -90,7 +94,11 @@
         WHERE
             <if test="parentIdentifier != null">parent_id = #{parentIdentifier,jdbcType=INTEGER}</if>
             <if test="parentIdentifier == null">parent_id IS NULL</if>
-            AND user_id = #{user.objectID,jdbcType=INTEGER}
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
             AND permission = 'READ'
     </select>
 
@@ -161,7 +169,11 @@
                      open="(" separator="," close=")">
                 #{identifier,jdbcType=INTEGER}
             </foreach>
-            AND user_id = #{user.objectID,jdbcType=INTEGER}
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
             AND permission = 'READ';
 
         SELECT parent_id, [guacamole_connection_group].connection_group_id
@@ -172,7 +184,11 @@
                      open="(" separator="," close=")">
                 #{identifier,jdbcType=INTEGER}
             </foreach>
-            AND user_id = #{user.objectID,jdbcType=INTEGER}
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
             AND permission = 'READ';
 
         SELECT parent_id, [guacamole_connection].connection_id
@@ -183,7 +199,11 @@
                      open="(" separator="," close=")">
                 #{identifier,jdbcType=INTEGER}
             </foreach>
-            AND user_id = #{user.objectID,jdbcType=INTEGER}
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
             AND permission = 'READ';
 
         SELECT
@@ -197,7 +217,11 @@
                      open="(" separator="," close=")">
                 #{identifier,jdbcType=INTEGER}
             </foreach>
-            AND user_id = #{user.objectID,jdbcType=INTEGER}
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
             AND permission = 'READ';
 
     </select>

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/ConnectionGroupPermissionMapper.xml

@@ -25,24 +25,26 @@
 
     <!-- Result mapper for connection permissions -->
     <resultMap id="ConnectionGroupPermissionResultMap" type="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
-        <result column="user_id"             property="userID"           jdbcType="INTEGER"/>
-        <result column="username"            property="username"         jdbcType="VARCHAR"/>
+        <result column="entity_id"           property="entityID"         jdbcType="INTEGER"/>
         <result column="permission"          property="type"             jdbcType="VARCHAR"
                 javaType="org.apache.guacamole.net.auth.permission.ObjectPermission$Type"/>
         <result column="connection_group_id" property="objectIdentifier" jdbcType="INTEGER"/>
     </resultMap>
 
-    <!-- Select all permissions for a given user -->
+    <!-- Select all permissions for a given entity -->
     <select id="select" resultMap="ConnectionGroupPermissionResultMap">
 
         SELECT
-            [guacamole_connection_group_permission].user_id,
-            username,
+            #{entity.entityID,jdbcType=INTEGER} AS entity_id,
             permission,
             connection_group_id
         FROM [guacamole_connection_group_permission]
-        JOIN [guacamole_user] ON [guacamole_connection_group_permission].user_id = [guacamole_user].user_id
-        WHERE [guacamole_connection_group_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+        WHERE
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
 
     </select>
 
@@ -50,26 +52,32 @@
     <select id="selectOne" resultMap="ConnectionGroupPermissionResultMap">
 
         SELECT
-            [guacamole_connection_group_permission].user_id,
-            username,
+            #{entity.entityID,jdbcType=INTEGER} AS entity_id,
             permission,
             connection_group_id
         FROM [guacamole_connection_group_permission]
-        JOIN [guacamole_user] ON [guacamole_connection_group_permission].user_id = [guacamole_user].user_id
         WHERE
-            [guacamole_connection_group_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
             AND permission = #{type,jdbcType=VARCHAR}
             AND connection_group_id = #{identifier,jdbcType=INTEGER}
 
     </select>
 
-    <!-- Select identifiers accessible by the given user for the given permissions -->
+    <!-- Select identifiers accessible by the given entity for the given permissions -->
     <select id="selectAccessibleIdentifiers" resultType="string">
 
         SELECT DISTINCT connection_group_id 
         FROM [guacamole_connection_group_permission]
         WHERE
-            user_id = #{user.objectID,jdbcType=INTEGER}
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
             AND connection_group_id IN
                 <foreach collection="identifiers" item="identifier"
                          open="(" separator="," close=")">
@@ -87,12 +95,12 @@
     <delete id="delete" parameterType="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
 
         DELETE FROM [guacamole_connection_group_permission]
-        WHERE (user_id, permission, connection_group_id) IN
+        WHERE
             <foreach collection="permissions" item="permission"
-                     open="(" separator="," close=")">
-                (#{permission.userID,jdbcType=INTEGER},
-                 #{permission.type,jdbcType=VARCHAR},
-                 #{permission.objectIdentifier,jdbcType=INTEGER})
+                     open="(" separator=" OR " close=")">
+                (entity_id = #{permission.entityID,jdbcType=INTEGER} AND
+                 permission = #{permission.type,jdbcType=VARCHAR} AND
+                 connection_group_id = #{permission.objectIdentifier,jdbcType=INTEGER})
             </foreach>
 
     </delete>
@@ -101,24 +109,24 @@
     <insert id="insert" parameterType="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
 
         INSERT INTO [guacamole_connection_group_permission] (
-            user_id,
+            entity_id,
             permission,
             connection_group_id
         )
         SELECT DISTINCT
-            permissions.user_id,
+            permissions.entity_id,
             permissions.permission,
             permissions.connection_group_id
         FROM
             <foreach collection="permissions" item="permission"
                      open="(" separator="UNION ALL" close=")">
-                SELECT #{permission.userID,jdbcType=INTEGER}                                 AS user_id,
+                SELECT #{permission.entityID,jdbcType=INTEGER} AS entity_id,
                        #{permission.type,jdbcType=VARCHAR} AS permission,
                        #{permission.objectIdentifier,jdbcType=INTEGER} AS connection_group_id
             </foreach>
         AS permissions
         WHERE NOT EXISTS (SELECT 1 FROM [guacamole_connection_group_permission]
-            WHERE [guacamole_connection_group_permission].user_id = permissions.user_id AND
+            WHERE [guacamole_connection_group_permission].entity_id = permissions.entity_id AND
             [guacamole_connection_group_permission].permission = permissions.permission AND
             [guacamole_connection_group_permission].connection_group_id = permissions.connection_group_id
         );

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/ConnectionPermissionMapper.xml

@@ -25,24 +25,26 @@
 
     <!-- Result mapper for connection permissions -->
     <resultMap id="ConnectionPermissionResultMap" type="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
-        <result column="user_id"       property="userID"           jdbcType="INTEGER"/>
-        <result column="username"      property="username"         jdbcType="VARCHAR"/>
+        <result column="entity_id"     property="entityID"         jdbcType="INTEGER"/>
         <result column="permission"    property="type"             jdbcType="VARCHAR"
                 javaType="org.apache.guacamole.net.auth.permission.ObjectPermission$Type"/>
         <result column="connection_id" property="objectIdentifier" jdbcType="INTEGER"/>
     </resultMap>
 
-    <!-- Select all permissions for a given user -->
+    <!-- Select all permissions for a given entity -->
     <select id="select" resultMap="ConnectionPermissionResultMap">
 
         SELECT
-            [guacamole_connection_permission].user_id,
-            username,
+            #{entity.entityID,jdbcType=INTEGER} AS entity_id,
             permission,
             connection_id
         FROM [guacamole_connection_permission]
-        JOIN [guacamole_user] ON [guacamole_connection_permission].user_id = [guacamole_user].user_id
-        WHERE [guacamole_connection_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+        WHERE
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
 
     </select>
 
@@ -50,26 +52,32 @@
     <select id="selectOne" resultMap="ConnectionPermissionResultMap">
 
         SELECT
-            [guacamole_connection_permission].user_id,
-            username,
+            #{entity.entityID,jdbcType=INTEGER} AS entity_id,
             permission,
             connection_id
         FROM [guacamole_connection_permission]
-        JOIN [guacamole_user] ON [guacamole_connection_permission].user_id = [guacamole_user].user_id
         WHERE
-            [guacamole_connection_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
             AND permission = #{type,jdbcType=VARCHAR}
             AND connection_id = #{identifier,jdbcType=INTEGER}
 
     </select>
 
-    <!-- Select identifiers accessible by the given user for the given permissions -->
+    <!-- Select identifiers accessible by the given entity for the given permissions -->
     <select id="selectAccessibleIdentifiers" resultType="string">
 
         SELECT DISTINCT connection_id 
         FROM [guacamole_connection_permission]
         WHERE
-            user_id = #{user.objectID,jdbcType=INTEGER}
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
             AND connection_id IN
                 <foreach collection="identifiers" item="identifier"
                          open="(" separator="," close=")">
@@ -90,7 +98,7 @@
         WHERE
             <foreach collection="permissions" item="permission"
                      open="(" separator=" OR " close=")">
-                (user_id = #{permission.userID,jdbcType=INTEGER} AND
+                (entity_id = #{permission.entityID,jdbcType=INTEGER} AND
                  permission = #{permission.type,jdbcType=VARCHAR} AND
                  connection_id = #{permission.objectIdentifier,jdbcType=INTEGER})
             </foreach>
@@ -101,24 +109,24 @@
     <insert id="insert" parameterType="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
 
         INSERT INTO [guacamole_connection_permission] (
-            user_id,
+            entity_id,
             permission,
             connection_id
         )
         SELECT DISTINCT
-            permissions.user_id,
+            permissions.entity_id,
             permissions.permission,
             permissions.connection_id
         FROM
             <foreach collection="permissions" item="permission"
                      open="(" separator="UNION ALL" close=")">
-                SELECT #{permission.userID,jdbcType=INTEGER} AS user_id,
+                SELECT #{permission.entityID,jdbcType=INTEGER} AS entity_id,
                        #{permission.type,jdbcType=VARCHAR} AS permission,
                        #{permission.objectIdentifier,jdbcType=INTEGER} AS connection_id
             </foreach>
         AS permissions
         WHERE NOT EXISTS ( SELECT 1 FROM [guacamole_connection_permission]
-            WHERE [guacamole_connection_permission].user_id = permissions.user_id AND
+            WHERE [guacamole_connection_permission].entity_id = permissions.entity_id AND
             [guacamole_connection_permission].permission = permissions.permission AND
             [guacamole_connection_permission].connection_id = permissions.connection_id
         );

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/SharingProfilePermissionMapper.xml

@@ -25,24 +25,26 @@
 
     <!-- Result mapper for sharing profile permissions -->
     <resultMap id="SharingProfilePermissionResultMap" type="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
-        <result column="user_id"            property="userID"           jdbcType="INTEGER"/>
-        <result column="username"           property="username"         jdbcType="VARCHAR"/>
+        <result column="entity_id"          property="entityID"         jdbcType="INTEGER"/>
         <result column="permission"         property="type"             jdbcType="VARCHAR"
                 javaType="org.apache.guacamole.net.auth.permission.ObjectPermission$Type"/>
         <result column="sharing_profile_id" property="objectIdentifier" jdbcType="INTEGER"/>
     </resultMap>
 
-    <!-- Select all permissions for a given user -->
+    <!-- Select all permissions for a given entity -->
     <select id="select" resultMap="SharingProfilePermissionResultMap">
 
         SELECT
-            [guacamole_sharing_profile_permission].user_id,
-            username,
+            #{entity.entityID,jdbcType=INTEGER} AS entity_id,
             permission,
             sharing_profile_id
         FROM [guacamole_sharing_profile_permission]
-        JOIN [guacamole_user] ON [guacamole_sharing_profile_permission].user_id = [guacamole_user].user_id
-        WHERE [guacamole_sharing_profile_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+        WHERE
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
 
     </select>
 
@@ -50,26 +52,32 @@
     <select id="selectOne" resultMap="SharingProfilePermissionResultMap">
 
         SELECT
-            [guacamole_sharing_profile_permission].user_id,
-            username,
+            #{entity.entityID,jdbcType=INTEGER} AS entity_id,
             permission,
             sharing_profile_id
         FROM [guacamole_sharing_profile_permission]
-        JOIN [guacamole_user] ON [guacamole_sharing_profile_permission].user_id = [guacamole_user].user_id
         WHERE
-            [guacamole_sharing_profile_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
             AND permission = #{type,jdbcType=VARCHAR}
             AND sharing_profile_id = #{identifier,jdbcType=INTEGER}
 
     </select>
 
-    <!-- Select identifiers accessible by the given user for the given permissions -->
+    <!-- Select identifiers accessible by the given entity for the given permissions -->
     <select id="selectAccessibleIdentifiers" resultType="string">
 
         SELECT DISTINCT sharing_profile_id
         FROM [guacamole_sharing_profile_permission]
         WHERE
-            user_id = #{user.objectID,jdbcType=INTEGER}
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
             AND sharing_profile_id IN
                 <foreach collection="identifiers" item="identifier"
                          open="(" separator="," close=")">
@@ -90,7 +98,7 @@
         WHERE
             <foreach collection="permissions" item="permission"
                      open="(" separator=" OR " close=")">
-                (user_id = #{permission.userID,jdbcType=INTEGER} AND
+                (entity_id = #{permission.entityID,jdbcType=INTEGER} AND
                  permission = #{permission.type,jdbcType=VARCHAR} AND
                  sharing_profile_id = #{permission.objectIdentifier,jdbcType=INTEGER})
             </foreach>
@@ -101,24 +109,24 @@
     <insert id="insert" parameterType="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
 
         INSERT INTO [guacamole_sharing_profile_permission] (
-            user_id,
+            entity_id,
             permission,
             sharing_profile_id
         )
         SELECT DISTINCT
-            permissions.user_id,
+            permissions.entity_id,
             permissions.permission,
             permissions.sharing_profile_id
         FROM
             <foreach collection="permissions" item="permission"
                      open="(" separator="UNION ALL" close=")">
-                SELECT #{permission.userID,jdbcType=INTEGER} AS user_id,
+                SELECT #{permission.entityID,jdbcType=INTEGER} AS entity_id,
                        #{permission.type,jdbcType=VARCHAR} AS permission,
                        #{permission.objectIdentifier,jdbcType=INTEGER} AS sharing_profile_id
             </foreach>
         AS permissions
         WHERE NOT EXISTS (SELECT 1 FROM [guacamole_sharing_profile_permission]
-            WHERE [guacamole_sharing_profile_permission].user_id = permissions.user_id
+            WHERE [guacamole_sharing_profile_permission].entity_id = permissions.entity_id
             AND [guacamole_sharing_profile_permission].permission = permissions.permission
             AND [guacamole_sharing_profile_permission].sharing_profile_id = permissions.sharing_profile_id
         );

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/SystemPermissionMapper.xml

@@ -25,36 +25,40 @@
 
     <!-- Result mapper for system permissions -->
     <resultMap id="SystemPermissionResultMap" type="org.apache.guacamole.auth.jdbc.permission.SystemPermissionModel">
-        <result column="user_id"    property="userID"   jdbcType="INTEGER"/>
-        <result column="username"   property="username" jdbcType="VARCHAR"/>
+        <result column="entity_id"  property="entityID" jdbcType="INTEGER"/>
         <result column="permission" property="type"     jdbcType="VARCHAR"
                 javaType="org.apache.guacamole.net.auth.permission.SystemPermission$Type"/>
     </resultMap>
 
-    <!-- Select all permissions for a given user -->
+    <!-- Select all permissions for a given entity -->
     <select id="select" resultMap="SystemPermissionResultMap">
 
-        SELECT
-            [guacamole_system_permission].user_id,
-            username,
+        SELECT DISTINCT
+            #{entity.entityID} AS entity_id,
             permission
         FROM [guacamole_system_permission]
-        JOIN [guacamole_user] ON [guacamole_system_permission].user_id = [guacamole_user].user_id
-        WHERE [guacamole_system_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+        WHERE
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
 
     </select>
 
     <!-- Select the single permission matching the given criteria -->
     <select id="selectOne" resultMap="SystemPermissionResultMap">
 
-        SELECT
-            [guacamole_system_permission].user_id,
-            username,
+        SELECT DISTINCT
+            #{entity.entityID} AS entity_id,
             permission
         FROM [guacamole_system_permission]
-        JOIN [guacamole_user] ON [guacamole_system_permission].user_id = [guacamole_user].user_id
         WHERE
-            [guacamole_system_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
             AND permission = #{type,jdbcType=VARCHAR}
 
     </select>
@@ -66,7 +70,7 @@
         WHERE
             <foreach collection="permissions" item="permission"
                      open="(" separator=" OR " close=")">
-                     (user_id = #{permission.userID,jdbcType=INTEGER}
+                     (entity_id = #{permission.entityID,jdbcType=INTEGER}
                       AND permission = #{permission.type,jdbcType=VARCHAR})
             </foreach>
 
@@ -76,21 +80,21 @@
     <insert id="insert" parameterType="org.apache.guacamole.auth.jdbc.permission.SystemPermissionModel">
 
         INSERT INTO [guacamole_system_permission] (
-            user_id,
+            entity_id,
             permission
         )
         SELECT DISTINCT
-            permissions.user_id,
+            permissions.entity_id,
             permissions.permission
         FROM
             <foreach collection="permissions" item="permission"
                      open="(" separator="UNION ALL" close=")">
-                SELECT #{permission.userID,jdbcType=INTEGER}                                 AS user_id,
+                SELECT #{permission.entityID,jdbcType=INTEGER} AS entity_id,
                        #{permission.type,jdbcType=VARCHAR} AS permission
             </foreach>
         AS permissions
         WHERE NOT EXISTS (SELECT 1 FROM [guacamole_system_permission]
-            WHERE [guacamole_system_permission].user_id = permissions.user_id
+            WHERE [guacamole_system_permission].entity_id = permissions.entity_id
             AND [guacamole_system_permission].permission = permissions.permission
         );
 

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/UserGroupPermissionMapper.xml

@@ -0,0 +1,153 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
+    "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
+
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+
+<mapper namespace="org.apache.guacamole.auth.jdbc.permission.UserGroupPermissionMapper" >
+
+    <!-- Result mapper for user group permissions -->
+    <resultMap id="UserGroupPermissionResultMap" type="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
+        <result column="entity_id"         property="entityID"         jdbcType="INTEGER"/>
+        <result column="permission"        property="type"             jdbcType="VARCHAR"
+                javaType="org.apache.guacamole.net.auth.permission.ObjectPermission$Type"/>
+        <result column="affected_name"     property="objectIdentifier" jdbcType="INTEGER"/>
+    </resultMap>
+
+    <!-- Select all permissions for a given entity -->
+    <select id="select" resultMap="UserGroupPermissionResultMap">
+
+        SELECT
+            #{entity.entityID,jdbcType=INTEGER} AS entity_id,
+            permission,
+            affected_entity.name AS affected_name
+        FROM [guacamole_user_group_permission]
+        JOIN [guacamole_user_group] affected_group ON [guacamole_user_group_permission].affected_user_group_id = affected_group.user_group_id
+        JOIN [guacamole_entity] affected_entity ON affected_group.entity_id = affected_entity.entity_id
+        WHERE
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_group_permission].entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
+            AND affected_entity.type = 'USER_GROUP'
+
+    </select>
+
+    <!-- Select the single permission matching the given criteria -->
+    <select id="selectOne" resultMap="UserGroupPermissionResultMap">
+
+        SELECT
+            #{entity.entityID,jdbcType=INTEGER} AS entity_id,
+            permission,
+            affected_entity.name AS affected_name
+        FROM [guacamole_user_group_permission]
+        JOIN [guacamole_user_group] affected_group ON [guacamole_user_group_permission].affected_user_group_id = affected_group.user_group_id
+        JOIN [guacamole_entity] affected_entity ON affected_group.entity_id = affected_entity.entity_id
+        WHERE
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_group_permission].entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
+            AND permission = #{type,jdbcType=VARCHAR}
+            AND affected_entity.name = #{identifier,jdbcType=VARCHAR}
+            AND affected_entity.type = 'USER_GROUP'
+
+    </select>
+
+    <!-- Select identifiers accessible by the given entity for the given permissions -->
+    <select id="selectAccessibleIdentifiers" resultType="string">
+
+        SELECT DISTINCT affected_entity.name
+        FROM [guacamole_user_group_permission]
+        JOIN [guacamole_user_group] affected_group ON [guacamole_user_group_permission].affected_user_group_id = affected_group.user_group_id
+        JOIN [guacamole_entity] affected_entity ON affected_group.entity_id = affected_entity.entity_id
+        WHERE
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_group_permission].entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
+            AND affected_entity.name IN
+                <foreach collection="identifiers" item="identifier"
+                         open="(" separator="," close=")">
+                    #{identifier,jdbcType=VARCHAR}
+                </foreach>
+            AND permission IN
+                <foreach collection="permissions" item="permission"
+                         open="(" separator="," close=")">
+                    #{permission,jdbcType=VARCHAR}
+                </foreach>
+            AND affected_entity.type = 'USER_GROUP'
+
+    </select>
+
+    <!-- Delete all given permissions -->
+    <delete id="delete" parameterType="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
+
+        DELETE [guacamole_user_group_permission]
+        FROM [guacamole_user_group_permission]
+        JOIN [guacamole_user_group] affected_group ON [guacamole_user_group_permission].affected_user_group_id = affected_group.user_group_id
+        JOIN [guacamole_entity] affected_entity ON affected_group.entity_id = affected_entity.entity_id
+        WHERE
+            <foreach collection="permissions" item="permission"
+                     open="(" separator=" OR " close=")">
+                ([guacamole_user_group_permission].entity_id = #{permission.entityID,jdbcType=INTEGER} AND
+                 permission = #{permission.type,jdbcType=VARCHAR} AND
+                 affected_entity.name = #{permission.objectIdentifier,jdbcType=VARCHAR} AND
+                 affected_entity.type = 'USER_GROUP')
+            </foreach>
+
+    </delete>
+
+    <!-- Insert all given permissions -->
+    <insert id="insert" parameterType="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
+
+        INSERT INTO [guacamole_user_group_permission] (
+            entity_id,
+            permission,
+            affected_user_group_id
+        )
+        SELECT DISTINCT
+            permissions.entity_id,
+            permissions.permission,
+            affected_group.user_group_id
+        FROM
+            <foreach collection="permissions" item="permission"
+                     open="(" separator="UNION ALL" close=")">
+                SELECT #{permission.entityID,jdbcType=INTEGER}         AS entity_id,
+                       #{permission.type,jdbcType=VARCHAR}             AS permission,
+                       #{permission.objectIdentifier,jdbcType=VARCHAR} AS affected_name
+            </foreach>
+        AS permissions
+        JOIN [guacamole_entity] affected_entity ON
+                affected_entity.name = permissions.affected_name
+            AND affected_entity.type = 'USER_GROUP'
+        JOIN [guacamole_user_group] affected_group ON affected_group.entity_id = affected_entity.entity_id
+        WHERE NOT EXISTS (SELECT 1 FROM [guacamole_user_group_permission]
+            WHERE [guacamole_user_group_permission].entity_id = permissions.entity_id
+            AND [guacamole_user_group_permission].permission = permissions.permission
+            AND [guacamole_user_group_permission].affected_user_group_id = affected_group.user_group_id
+        );
+
+    </insert>
+
+</mapper>

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/UserPermissionMapper.xml

@@ -25,25 +25,29 @@
 
     <!-- Result mapper for user permissions -->
     <resultMap id="UserPermissionResultMap" type="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
-        <result column="user_id"           property="userID"           jdbcType="INTEGER"/>
-        <result column="username"          property="username"         jdbcType="VARCHAR"/>
+        <result column="entity_id"         property="entityID"         jdbcType="INTEGER"/>
         <result column="permission"        property="type"             jdbcType="VARCHAR"
                 javaType="org.apache.guacamole.net.auth.permission.ObjectPermission$Type"/>
-        <result column="affected_username" property="objectIdentifier" jdbcType="INTEGER"/>
+        <result column="affected_name"     property="objectIdentifier" jdbcType="INTEGER"/>
     </resultMap>
 
-    <!-- Select all permissions for a given user -->
+    <!-- Select all permissions for a given entity -->
     <select id="select" resultMap="UserPermissionResultMap">
 
         SELECT
-            [guacamole_user_permission].user_id,
-            [guacamole_user].username,
+            #{entity.entityID,jdbcType=INTEGER} AS entity_id,
             permission,
-            affected.username AS affected_username
+            affected_entity.name AS affected_name
         FROM [guacamole_user_permission]
-        JOIN [guacamole_user] ON [guacamole_user_permission].user_id = [guacamole_user].user_id
-        JOIN [guacamole_user] affected ON [guacamole_user_permission].affected_user_id = affected.user_id
-        WHERE [guacamole_user_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+        JOIN [guacamole_user] affected_user ON [guacamole_user_permission].affected_user_id = affected_user.user_id
+        JOIN [guacamole_entity] affected_entity ON affected_user.entity_id = affected_entity.entity_id
+        WHERE
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_permission].entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
+            AND affected_entity.type = 'USER'
 
     </select>
 
@@ -51,55 +55,66 @@
     <select id="selectOne" resultMap="UserPermissionResultMap">
 
         SELECT
-            [guacamole_user_permission].user_id,
-            [guacamole_user].username,
+            #{entity.entityID,jdbcType=INTEGER} AS entity_id,
             permission,
-            affected.username AS affected_username
+            affected_entity.name AS affected_name
         FROM [guacamole_user_permission]
-        JOIN [guacamole_user] ON [guacamole_user_permission].user_id = [guacamole_user].user_id
-        JOIN [guacamole_user] affected ON [guacamole_user_permission].affected_user_id = affected.user_id
+        JOIN [guacamole_user] affected_user ON [guacamole_user_permission].affected_user_id = affected_user.user_id
+        JOIN [guacamole_entity] affected_entity ON affected_user.entity_id = affected_entity.entity_id
         WHERE
-            [guacamole_user_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_permission].entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
             AND permission = #{type,jdbcType=VARCHAR}
-            AND affected.username = #{identifier,jdbcType=INTEGER}
+            AND affected_entity.name = #{identifier,jdbcType=VARCHAR}
+            AND affected_entity.type = 'USER'
 
     </select>
 
-    <!-- Select identifiers accessible by the given user for the given permissions -->
+    <!-- Select identifiers accessible by the given entity for the given permissions -->
     <select id="selectAccessibleIdentifiers" resultType="string">
 
-        SELECT DISTINCT username
+        SELECT DISTINCT affected_entity.name
         FROM [guacamole_user_permission]
-        JOIN [guacamole_user] ON [guacamole_user_permission].affected_user_id = [guacamole_user].user_id
+        JOIN [guacamole_user] affected_user ON [guacamole_user_permission].affected_user_id = affected_user.user_id
+        JOIN [guacamole_entity] affected_entity ON affected_user.entity_id = affected_entity.entity_id
         WHERE
-            [guacamole_user_permission].user_id = #{user.objectID,jdbcType=INTEGER}
-            AND username IN
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_permission].entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
+            AND affected_entity.name IN
                 <foreach collection="identifiers" item="identifier"
                          open="(" separator="," close=")">
-                    #{identifier,jdbcType=INTEGER}
+                    #{identifier,jdbcType=VARCHAR}
                 </foreach>
             AND permission IN
                 <foreach collection="permissions" item="permission"
                          open="(" separator="," close=")">
                     #{permission,jdbcType=VARCHAR}
                 </foreach>
+            AND affected_entity.type = 'USER'
 
     </select>
 
     <!-- Delete all given permissions -->
     <delete id="delete" parameterType="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
 
-        DELETE FROM [guacamole_user_permission]
-        USING [guacamole_user] affected
+        DELETE [guacamole_user_permission]
+        FROM [guacamole_user_permission]
+        JOIN [guacamole_user] affected_user ON [guacamole_user_permission].affected_user_id = affected_user.user_id
+        JOIN [guacamole_entity] affected_entity ON affected_user.entity_id = affected_entity.entity_id
         WHERE
-            [guacamole_user_permission].affected_user_id = affected.user_id
-            AND ([guacamole_user_permission].user_id, permission, affected.username) IN
-                <foreach collection="permissions" item="permission"
-                         open="(" separator="," close=")">
-                    (#{permission.userID,jdbcType=INTEGER},
-                     #{permission.type,jdbcType=VARCHAR},
-                     #{permission.objectIdentifier,jdbcType=INTEGER})
-                </foreach>
+            <foreach collection="permissions" item="permission"
+                     open="(" separator=" OR " close=")">
+                ([guacamole_user_permission].entity_id = #{permission.entityID,jdbcType=INTEGER} AND
+                 permission = #{permission.type,jdbcType=VARCHAR} AND
+                 affected_entity.name = #{permission.objectIdentifier,jdbcType=VARCHAR} AND
+                 affected_entity.type = 'USER')
+            </foreach>
 
     </delete>
 
@@ -107,27 +122,30 @@
     <insert id="insert" parameterType="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
 
         INSERT INTO [guacamole_user_permission] (
-            user_id,
+            entity_id,
             permission,
             affected_user_id
         )
         SELECT DISTINCT
-            permissions.user_id,
+            permissions.entity_id,
             permissions.permission,
-            [guacamole_user].user_id
+            affected_user.user_id
         FROM
             <foreach collection="permissions" item="permission"
                      open="(" separator="UNION ALL" close=")">
-                SELECT #{permission.userID,jdbcType=INTEGER}                                 AS user_id,
+                SELECT #{permission.entityID,jdbcType=INTEGER} AS entity_id,
                        #{permission.type,jdbcType=VARCHAR} AS permission,
-                       #{permission.objectIdentifier,jdbcType=INTEGER}                       AS username
+                       #{permission.objectIdentifier,jdbcType=INTEGER} AS affected_name
             </foreach>
         AS permissions
-        JOIN [guacamole_user] ON [guacamole_user].username = permissions.username
+        JOIN [guacamole_entity] affected_entity ON
+                affected_entity.name = permissions.affected_name
+            AND affected_entity.type = 'USER'
+        JOIN [guacamole_user] affected_user ON affected_user.entity_id = affected_entity.entity_id
         WHERE NOT EXISTS (SELECT 1 FROM [guacamole_user_permission]
-            WHERE [guacamole_user_permission].user_id = permissions.user_id
+            WHERE [guacamole_user_permission].entity_id = permissions.entity_id
             AND [guacamole_user_permission].permission = permissions.permission
-            AND [guacamole_user_permission].affected_user_id = [guacamole_user].user_id
+            AND [guacamole_user_permission].affected_user_id = affected_user.user_id
         );
 
     </insert>

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.xml

@@ -52,7 +52,11 @@
         SELECT sharing_profile_id
         FROM [guacamole_sharing_profile_permission]
         WHERE
-            user_id = #{user.objectID,jdbcType=INTEGER}
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
             AND permission = 'READ'
     </select>
 
@@ -99,7 +103,11 @@
                      open="(" separator="," close=")">
                 #{identifier,jdbcType=INTEGER}
             </foreach>
-            AND user_id = #{user.objectID,jdbcType=INTEGER}
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
             AND permission = 'READ';
 
         SELECT
@@ -113,7 +121,11 @@
                      open="(" separator="," close=")">
                 #{identifier,jdbcType=INTEGER}
             </foreach>
-            AND user_id = #{user.objectID,jdbcType=INTEGER}
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
             AND permission = 'READ';
 
     </select>

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/user/PasswordRecordMapper.xml

@@ -41,8 +41,9 @@
             [guacamole_user_password_history].password_date
         FROM [guacamole_user_password_history]
         JOIN [guacamole_user] ON [guacamole_user_password_history].user_id = [guacamole_user].user_id
+        JOIN [guacamole_entity] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
         WHERE
-            [guacamole_user].username = #{username,jdbcType=VARCHAR}
+            [guacamole_entity].name = #{username,jdbcType=VARCHAR}
         ORDER BY
             [guacamole_user_password_history].password_date DESC
 

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/user/UserMapper.xml

@@ -28,7 +28,8 @@
 
         <!-- User properties -->
         <id     column="user_id"             property="objectID"           jdbcType="INTEGER"/>
-        <result column="username"            property="identifier"         jdbcType="VARCHAR"/>
+        <result column="entity_id"           property="entityID"           jdbcType="INTEGER"/>
+        <result column="name"                property="identifier"         jdbcType="VARCHAR"/>
         <result column="password_hash"       property="passwordHash"       jdbcType="BINARY"/>
         <result column="password_salt"       property="passwordSalt"       jdbcType="BINARY"/>
         <result column="password_date"       property="passwordDate"       jdbcType="TIMESTAMP"/>
@@ -57,17 +58,24 @@
 
     <!-- Select all usernames -->
     <select id="selectIdentifiers" resultType="string">
-        SELECT username
-        FROM [guacamole_user]
+        SELECT name
+        FROM [guacamole_entity]
+        WHERE [guacamole_entity].type = 'USER'
     </select>
 
     <!-- Select usernames of all readable users -->
     <select id="selectReadableIdentifiers" resultType="string">
-        SELECT username
+        SELECT [guacamole_entity].name
         FROM [guacamole_user]
+        JOIN [guacamole_entity] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
         JOIN [guacamole_user_permission] ON affected_user_id = [guacamole_user].user_id
         WHERE
-            [guacamole_user_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_permission].entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
+            AND [guacamole_entity].type = 'USER'
             AND permission = 'READ'
     </select>
 
@@ -77,7 +85,8 @@
 
         SELECT
             [guacamole_user].user_id,
-            [guacamole_user].username,
+            [guacamole_entity].entity_id,
+            [guacamole_entity].name,
             password_hash,
             password_salt,
             password_date,
@@ -98,11 +107,13 @@
                 WHERE [guacamole_user_history].user_id = [guacamole_user].user_id
             ) AS last_active
         FROM [guacamole_user]
-        WHERE [guacamole_user].username IN
+        JOIN [guacamole_entity] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
+        WHERE [guacamole_entity].name IN
             <foreach collection="identifiers" item="identifier"
                      open="(" separator="," close=")">
                 #{identifier,jdbcType=VARCHAR}
-            </foreach>;
+            </foreach>
+            AND [guacamole_entity].type = 'USER';
 
         SELECT
             [guacamole_user_attribute].user_id,
@@ -110,11 +121,13 @@
             [guacamole_user_attribute].attribute_value
         FROM [guacamole_user_attribute]
         JOIN [guacamole_user] ON [guacamole_user].user_id = [guacamole_user_attribute].user_id
-        WHERE username IN
+        JOIN [guacamole_entity] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
+        WHERE [guacamole_entity].name IN
             <foreach collection="identifiers" item="identifier"
                      open="(" separator="," close=")">
-                #{identifier,jdbcType=INTEGER}
-            </foreach>;
+                #{identifier,jdbcType=VARCHAR}
+            </foreach>
+            AND [guacamole_entity].type = 'USER';
 
     </select>
 
@@ -124,7 +137,8 @@
 
         SELECT
             [guacamole_user].user_id,
-            [guacamole_user].username,
+            [guacamole_entity].entity_id,
+            [guacamole_entity].name,
             password_hash,
             password_salt,
             password_date,
@@ -145,13 +159,19 @@
                 WHERE [guacamole_user_history].user_id = [guacamole_user].user_id
             ) AS last_active
         FROM [guacamole_user]
+        JOIN [guacamole_entity] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
         JOIN [guacamole_user_permission] ON affected_user_id = [guacamole_user].user_id
-        WHERE [guacamole_user].username IN
+        WHERE [guacamole_entity].name IN
             <foreach collection="identifiers" item="identifier"
                      open="(" separator="," close=")">
                 #{identifier,jdbcType=VARCHAR}
             </foreach>
-            AND [guacamole_user_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+            AND [guacamole_entity].type = 'USER'
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_permission].entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
             AND permission = 'READ';
 
         SELECT
@@ -160,13 +180,19 @@
             [guacamole_user_attribute].attribute_value
         FROM [guacamole_user_attribute]
         JOIN [guacamole_user] ON [guacamole_user].user_id = [guacamole_user_attribute].user_id
+        JOIN [guacamole_entity] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
         JOIN [guacamole_user_permission] ON affected_user_id = [guacamole_user].user_id
-        WHERE username IN
+        WHERE [guacamole_entity].name IN
             <foreach collection="identifiers" item="identifier"
                      open="(" separator="," close=")">
-                #{identifier,jdbcType=INTEGER}
+                #{identifier,jdbcType=VARCHAR}
             </foreach>
-            AND [guacamole_user_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+            AND [guacamole_entity].type = 'USER'
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_permission].entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
             AND permission = 'READ';
 
     </select>
@@ -176,8 +202,9 @@
             resultSets="users,arbitraryAttributes">
 
         SELECT
-            user_id,
-            username,
+            [guacamole_user].user_id,
+            [guacamole_entity].entity_id,
+            [guacamole_entity].name,
             password_hash,
             password_salt,
             password_date,
@@ -198,8 +225,10 @@
                 WHERE [guacamole_user_history].user_id = [guacamole_user].user_id
             ) AS last_active
         FROM [guacamole_user]
+        JOIN [guacamole_entity] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
         WHERE
-            [guacamole_user].username = #{username,jdbcType=VARCHAR};
+            [guacamole_entity].name = #{username,jdbcType=VARCHAR}
+            AND [guacamole_entity].type = 'USER';
 
         SELECT
             [guacamole_user_attribute].user_id,
@@ -207,14 +236,19 @@
             [guacamole_user_attribute].attribute_value
         FROM [guacamole_user_attribute]
         JOIN [guacamole_user] ON [guacamole_user].user_id = [guacamole_user_attribute].user_id
-        WHERE username = #{username,jdbcType=VARCHAR};
+        JOIN [guacamole_entity] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
+        WHERE
+            [guacamole_entity].name = #{username,jdbcType=VARCHAR}
+            AND [guacamole_entity].type = 'USER'
 
     </select>
 
     <!-- Delete single user by username -->
     <delete id="delete">
-        DELETE FROM [guacamole_user]
-        WHERE username = #{identifier,jdbcType=VARCHAR}
+        DELETE FROM [guacamole_entity]
+        WHERE
+            name = #{identifier,jdbcType=VARCHAR}
+            AND type = 'USER'
     </delete>
 
     <!-- Insert single user -->
@@ -222,7 +256,7 @@
             parameterType="org.apache.guacamole.auth.jdbc.user.UserModel">
 
         INSERT INTO [guacamole_user] (
-            username,
+            entity_id,
             password_hash,
             password_salt,
             password_date,
@@ -239,7 +273,7 @@
             organizational_role
         )
         VALUES (
-            #{object.identifier,jdbcType=VARCHAR},
+            #{object.entityID,jdbcType=VARCHAR},
             #{object.passwordHash,jdbcType=BINARY},
             #{object.passwordSalt,jdbcType=BINARY},
             #{object.passwordDate,jdbcType=TIMESTAMP},

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/user/UserParentUserGroupMapper.xml

@@ -0,0 +1,96 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
+    "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
+
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+
+<mapper namespace="org.apache.guacamole.auth.jdbc.user.UserParentUserGroupMapper" >
+
+    <!-- Select the names of all parent user groups -->
+    <select id="selectChildIdentifiers" resultType="string">
+        SELECT name
+        FROM [guacamole_user_group_member]
+        JOIN [guacamole_user_group] ON [guacamole_user_group_member].user_group_id = [guacamole_user_group].user_group_id
+        JOIN [guacamole_entity] ON [guacamole_entity].entity_id = [guacamole_user_group].entity_id
+        WHERE
+            [guacamole_user_group_member].member_entity_id = #{parent.entityID,jdbcType=INTEGER}
+            AND [guacamole_entity].type = 'USER_GROUP'
+    </select>
+
+    <!-- Select the names of all readable parent user groups -->
+    <select id="selectReadableChildIdentifiers" resultType="string">
+        SELECT [guacamole_entity].name
+        FROM [guacamole_user_group_member]
+        JOIN [guacamole_user_group] ON [guacamole_user_group_member].user_group_id = [guacamole_user_group].user_group_id
+        JOIN [guacamole_entity] ON [guacamole_entity].entity_id = [guacamole_user_group].entity_id
+        JOIN [guacamole_user_group_permission] ON affected_user_group_id = [guacamole_user_group].user_group_id
+        WHERE
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_group_permission].entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
+            AND [guacamole_user_group_member].member_entity_id = #{parent.entityID,jdbcType=INTEGER}
+            AND [guacamole_entity].type = 'USER_GROUP'
+            AND permission = 'READ'
+    </select>
+
+    <!-- Delete parent groups by name -->
+    <delete id="delete">
+        DELETE [guacamole_user_group_member]
+        FROM [guacamole_user_group_member]
+        JOIN [guacamole_user_group] ON [guacamole_user_group].user_group_id = [guacamole_user_group_member].user_group_id
+        JOIN [guacamole_entity] ON [guacamole_entity].entity_id = [guacamole_user_group].entity_id
+        WHERE
+            member_entity_id = #{parent.entityID,jdbcType=INTEGER}
+            AND [guacamole_entity].type = 'USER_GROUP'
+            AND [guacamole_entity].name IN
+                <foreach collection="children" item="identifier"
+                         open="(" separator="," close=")">
+                    #{identifier,jdbcType=VARCHAR}
+                </foreach>
+    </delete>
+
+    <!-- Insert parent groups by name -->
+    <insert id="insert">
+        INSERT INTO [guacamole_user_group_member] (
+            user_group_id,
+            member_entity_id
+        )
+        SELECT DISTINCT
+            [guacamole_user_group].user_group_id,
+            #{parent.entityID,jdbcType=INTEGER}
+        FROM [guacamole_user_group]
+        JOIN [guacamole_entity] ON [guacamole_user_group].entity_id = [guacamole_entity].entity_id
+        WHERE
+            [guacamole_entity].name IN
+                <foreach collection="children" item="identifier"
+                         open="(" separator="," close=")">
+                    #{identifier,jdbcType=VARCHAR}
+                </foreach>
+            AND [guacamole_entity].type = 'USER_GROUP'
+            AND [guacamole_user_group].user_group_id NOT IN (
+                SELECT [guacamole_user_group_member].user_group_id
+                FROM [guacamole_user_group_member]
+                WHERE [guacamole_user_group_member].member_entity_id = #{parent.entityID,jdbcType=INTEGER}
+            )
+    </insert>
+
+</mapper>

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/user/UserRecordMapper.xml

@@ -44,8 +44,9 @@
             [guacamole_user_history].end_date
         FROM [guacamole_user_history]
         JOIN [guacamole_user] ON [guacamole_user_history].user_id = [guacamole_user].user_id
+        JOIN [guacamole_entity] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
         WHERE
-            [guacamole_user].username = #{username,jdbcType=VARCHAR}
+            [guacamole_entity].name = #{username,jdbcType=VARCHAR}
         ORDER BY
             [guacamole_user_history].start_date DESC,
             [guacamole_user_history].end_date DESC
@@ -66,7 +67,10 @@
         VALUES (
             #{record.remoteHost,jdbcType=VARCHAR},
             (SELECT user_id FROM [guacamole_user]
-             WHERE username = #{record.username,jdbcType=VARCHAR}),
+             JOIN [guacamole_entity] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
+             WHERE
+                   [guacamole_entity].name = #{record.username,jdbcType=VARCHAR}
+               AND [guacamole_entity].type = 'USER'),
             #{record.username,jdbcType=VARCHAR},
             #{record.startDate,jdbcType=TIMESTAMP},
             #{record.endDate,jdbcType=TIMESTAMP}
@@ -79,7 +83,10 @@
         UPDATE [guacamole_user_history]
         SET remote_host = #{record.remoteHost,jdbcType=VARCHAR},
             user_id     = (SELECT user_id FROM [guacamole_user]
-                           WHERE username = #{record.username,jdbcType=VARCHAR}),
+                           JOIN [guacamole_entity] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
+                           WHERE
+                                   [guacamole_entity].name = #{record.username,jdbcType=VARCHAR}
+                               AND [guacamole_entity].type = 'USER'),
             username    = #{record.username,jdbcType=VARCHAR},
             start_date  = #{record.startDate,jdbcType=TIMESTAMP},
             end_date    = #{record.endDate,jdbcType=TIMESTAMP}
@@ -105,7 +112,10 @@
                 [guacamole_user_history].user_id IN (
                     SELECT user_id
                     FROM [guacamole_user]
-                    WHERE POSITION(#{term.term,jdbcType=VARCHAR} IN username) > 0
+                    JOIN [guacamole_entity] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
+                    WHERE
+                            POSITION(#{term.term,jdbcType=VARCHAR} IN [guacamole_entity].name) > 0
+                        AND [guacamole_entity].type = 'USER'),
                 )
 
                 <if test="term.startDate != null and term.endDate != null">
@@ -144,7 +154,11 @@
         <!-- Restrict to readable users -->
         JOIN [guacamole_user_permission] ON
                 [guacamole_user_history].user_id       = [guacamole_user_permission].affected_user_id
-            AND [guacamole_user_permission].user_id    = #{user.objectID,jdbcType=INTEGER}
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_permission].entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
             AND [guacamole_user_permission].permission = 'READ'
 
         <!-- Search terms -->
@@ -155,7 +169,10 @@
                 [guacamole_user_history].user_id IN (
                     SELECT user_id
                     FROM [guacamole_user]
-                    WHERE POSITION(#{term.term,jdbcType=VARCHAR} IN username) > 0
+                    JOIN [guacamole_entity] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
+                    WHERE
+                            POSITION(#{term.term,jdbcType=VARCHAR} IN [guacamole_entity].name) > 0
+                        AND [guacamole_entity].type = 'USER'
                 )
 
                 <if test="term.startDate != null and term.endDate != null">

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/usergroup/UserGroupMapper.xml

@@ -0,0 +1,229 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
+    "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
+
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+
+<mapper namespace="org.apache.guacamole.auth.jdbc.usergroup.UserGroupMapper" >
+
+    <!-- Result mapper for user group objects -->
+    <resultMap id="UserGroupResultMap" type="org.apache.guacamole.auth.jdbc.usergroup.UserGroupModel" >
+
+        <!-- User group properties -->
+        <id     column="user_group_id" property="objectID"   jdbcType="INTEGER"/>
+        <result column="entity_id"     property="entityID"   jdbcType="INTEGER"/>
+        <result column="name"          property="identifier" jdbcType="VARCHAR"/>
+        <result column="disabled"      property="disabled"   jdbcType="BOOLEAN"/>
+
+        <!-- Arbitrary attributes -->
+        <collection property="arbitraryAttributes" resultSet="arbitraryAttributes"
+                    ofType="org.apache.guacamole.auth.jdbc.base.ArbitraryAttributeModel"
+                    column="user_group_id" foreignColumn="user_group_id">
+            <result property="name"     column="attribute_name"  jdbcType="VARCHAR"/>
+            <result property="value"    column="attribute_value" jdbcType="VARCHAR"/>
+        </collection>
+
+    </resultMap>
+
+    <!-- Select all group names -->
+    <select id="selectIdentifiers" resultType="string">
+        SELECT name
+        FROM [guacamole_entity]
+        WHERE [guacamole_entity].type = 'USER_GROUP'
+    </select>
+
+    <!-- Select names of all readable groups -->
+    <select id="selectReadableIdentifiers" resultType="string">
+        SELECT [guacamole_entity].name
+        FROM [guacamole_user_group]
+        JOIN [guacamole_entity] ON [guacamole_user_group].entity_id = [guacamole_entity].entity_id
+        JOIN [guacamole_user_group_permission] ON affected_user_group_id = [guacamole_user_group].user_group_id
+        WHERE
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_group_permission].entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
+            AND [guacamole_entity].type = 'USER_GROUP'
+            AND permission = 'READ'
+    </select>
+
+    <!-- Select multiple groups by name -->
+    <select id="select" resultMap="UserGroupResultMap"
+            resultSets="users,arbitraryAttributes">
+
+        SELECT
+            [guacamole_user_group].user_group_id,
+            [guacamole_entity].entity_id,
+            [guacamole_entity].name,
+            disabled
+        FROM [guacamole_user_group]
+        JOIN [guacamole_entity] ON [guacamole_user_group].entity_id = [guacamole_entity].entity_id
+        WHERE [guacamole_entity].name IN
+            <foreach collection="identifiers" item="identifier"
+                     open="(" separator="," close=")">
+                #{identifier,jdbcType=VARCHAR}
+            </foreach>
+            AND [guacamole_entity].type = 'USER_GROUP';
+
+        SELECT
+            [guacamole_user_group_attribute].user_group_id,
+            [guacamole_user_group_attribute].attribute_name,
+            [guacamole_user_group_attribute].attribute_value
+        FROM [guacamole_user_group_attribute]
+        JOIN [guacamole_user_group] ON [guacamole_user_group].user_group_id = [guacamole_user_group_attribute].user_group_id
+        JOIN [guacamole_entity] ON [guacamole_user_group].entity_id = [guacamole_entity].entity_id
+        WHERE [guacamole_entity].name IN
+            <foreach collection="identifiers" item="identifier"
+                     open="(" separator="," close=")">
+                #{identifier,jdbcType=VARCHAR}
+            </foreach>
+            AND [guacamole_entity].type = 'USER_GROUP';
+
+    </select>
+
+    <!-- Select multiple groups by name only if readable -->
+    <select id="selectReadable" resultMap="UserGroupResultMap"
+            resultSets="users,arbitraryAttributes">
+
+        SELECT
+            [guacamole_user_group].user_group_id,
+            [guacamole_entity].entity_id,
+            [guacamole_entity].name,
+            disabled
+        FROM [guacamole_user_group]
+        JOIN [guacamole_entity] ON [guacamole_user_group].entity_id = [guacamole_entity].entity_id
+        JOIN [guacamole_user_group_permission] ON affected_user_group_id = [guacamole_user_group].user_group_id
+        WHERE [guacamole_entity].name IN
+            <foreach collection="identifiers" item="identifier"
+                     open="(" separator="," close=")">
+                #{identifier,jdbcType=VARCHAR}
+            </foreach>
+            AND [guacamole_entity].type = 'USER_GROUP'
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_group_permission].entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
+            AND permission = 'READ';
+
+        SELECT
+            [guacamole_user_group_attribute].user_group_id,
+            [guacamole_user_group_attribute].attribute_name,
+            [guacamole_user_group_attribute].attribute_value
+        FROM [guacamole_user_group_attribute]
+        JOIN [guacamole_user_group] ON [guacamole_user_group].user_group_id = [guacamole_user_group_attribute].user_group_id
+        JOIN [guacamole_entity] ON [guacamole_user_group].entity_id = [guacamole_entity].entity_id
+        JOIN [guacamole_user_group_permission] ON affected_user_group_id = [guacamole_user_group].user_group_id
+        WHERE [guacamole_entity].name IN
+            <foreach collection="identifiers" item="identifier"
+                     open="(" separator="," close=")">
+                #{identifier,jdbcType=VARCHAR}
+            </foreach>
+            AND [guacamole_entity].type = 'USER_GROUP'
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_group_permission].entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
+            AND permission = 'READ';
+
+    </select>
+
+    <!-- Select single group by name -->
+    <select id="selectOne" resultMap="UserGroupResultMap"
+            resultSets="users,arbitraryAttributes">
+
+        SELECT
+            [guacamole_user_group].user_group_id,
+            [guacamole_entity].entity_id,
+            [guacamole_entity].name,
+            disabled
+        FROM [guacamole_user_group]
+        JOIN [guacamole_entity] ON [guacamole_user_group].entity_id = [guacamole_entity].entity_id
+        WHERE
+            [guacamole_entity].name = #{name,jdbcType=VARCHAR}
+            AND [guacamole_entity].type = 'USER_GROUP';
+
+        SELECT
+            [guacamole_user_group_attribute].user_group_id,
+            [guacamole_user_group_attribute].attribute_name,
+            [guacamole_user_group_attribute].attribute_value
+        FROM [guacamole_user_group_attribute]
+        JOIN [guacamole_user_group] ON [guacamole_user_group].user_group_id = [guacamole_user_group_attribute].user_group_id
+        JOIN [guacamole_entity] ON [guacamole_user_group].entity_id = [guacamole_entity].entity_id
+        WHERE
+            [guacamole_entity].name = #{name,jdbcType=VARCHAR}
+            AND [guacamole_entity].type = 'USER_GROUP'
+
+    </select>
+
+    <!-- Delete single group by name -->
+    <delete id="delete">
+        DELETE FROM [guacamole_entity]
+        WHERE
+            name = #{identifier,jdbcType=VARCHAR}
+            AND type = 'USER_GROUP'
+    </delete>
+
+    <!-- Insert single group -->
+    <insert id="insert" useGeneratedKeys="true" keyProperty="object.objectID"
+            parameterType="org.apache.guacamole.auth.jdbc.usergroup.UserGroupModel">
+
+        INSERT INTO [guacamole_user_group] (
+            entity_id,
+            disabled
+        )
+        VALUES (
+            #{object.entityID,jdbcType=VARCHAR},
+            #{object.disabled,jdbcType=BOOLEAN}
+        )
+
+    </insert>
+
+    <!-- Update single group -->
+    <update id="update" parameterType="org.apache.guacamole.auth.jdbc.usergroup.UserGroupModel">
+        UPDATE [guacamole_user_group]
+        SET disabled = #{object.disabled,jdbcType=BOOLEAN}
+        WHERE user_group_id = #{object.objectID,jdbcType=VARCHAR}
+    </update>
+
+    <!-- Delete attributes associated with group -->
+    <delete id="deleteAttributes">
+        DELETE FROM [guacamole_user_group_attribute]
+        WHERE user_group_id = #{object.objectID,jdbcType=INTEGER}
+    </delete>
+
+    <!-- Insert attributes for group -->
+    <insert id="insertAttributes" parameterType="org.apache.guacamole.auth.jdbc.base.ArbitraryAttributeModel">
+        INSERT INTO [guacamole_user_group_attribute] (
+            user_group_id,
+            attribute_name,
+            attribute_value
+        )
+        VALUES
+            <foreach collection="object.arbitraryAttributes" item="attribute" separator=",">
+                (#{object.objectID,jdbcType=INTEGER},
+                 #{attribute.name,jdbcType=VARCHAR},
+                 #{attribute.value,jdbcType=VARCHAR})
+            </foreach>
+    </insert>
+
+</mapper>

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/usergroup/UserGroupMemberUserGroupMapper.xml

@@ -0,0 +1,93 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
+    "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
+
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+
+<mapper namespace="org.apache.guacamole.auth.jdbc.usergroup.UserGroupMemberUserGroupMapper" >
+
+    <!-- Select the names of all member user groups -->
+    <select id="selectChildIdentifiers" resultType="string">
+        SELECT name
+        FROM [guacamole_user_group_member]
+        JOIN [guacamole_entity] ON [guacamole_entity].entity_id = [guacamole_user_group_member].member_entity_id
+        WHERE
+            [guacamole_user_group_member].user_group_id = #{parent.objectID,jdbcType=INTEGER}
+            AND [guacamole_entity].type = 'USER_GROUP'
+    </select>
+
+    <!-- Select the names of all readable member user groups -->
+    <select id="selectReadableChildIdentifiers" resultType="string">
+        SELECT [guacamole_entity].name
+        FROM [guacamole_user_group_member]
+        JOIN [guacamole_entity] ON [guacamole_entity].entity_id = [guacamole_user_group_member].member_entity_id
+        JOIN [guacamole_user_group] ON [guacamole_user_group].entity_id = [guacamole_entity].entity_id
+        JOIN [guacamole_user_group_permission] ON affected_user_group_id = [guacamole_user_group].user_group_id
+        WHERE
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_group_permission].entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
+            AND [guacamole_user_group_member].user_group_id = #{parent.objectID,jdbcType=INTEGER}
+            AND [guacamole_entity].type = 'USER_GROUP'
+            AND permission = 'READ'
+    </select>
+
+    <!-- Delete member groups by name -->
+    <delete id="delete">
+        DELETE [guacamole_user_group_member]
+        FROM [guacamole_user_group_member]
+        JOIN [guacamole_entity] ON [guacamole_entity].entity_id = member_entity_id
+        WHERE
+            user_group_id = #{parent.objectID,jdbcType=INTEGER}
+            AND [guacamole_entity].type = 'USER_GROUP'
+            AND [guacamole_entity].name IN
+                <foreach collection="children" item="identifier"
+                         open="(" separator="," close=")">
+                    #{identifier,jdbcType=VARCHAR}
+                </foreach>
+    </delete>
+
+    <!-- Insert member groups by name -->
+    <insert id="insert">
+        INSERT INTO [guacamole_user_group_member] (
+            user_group_id,
+            member_entity_id
+        )
+        SELECT DISTINCT
+            #{parent.objectID,jdbcType=INTEGER},
+            [guacamole_entity].entity_id
+        FROM [guacamole_entity]
+        WHERE
+            [guacamole_entity].name IN
+                <foreach collection="children" item="identifier"
+                         open="(" separator="," close=")">
+                    #{identifier}
+                </foreach>
+            AND [guacamole_entity].type = 'USER_GROUP'
+            AND [guacamole_entity].entity_id NOT IN (
+                SELECT [guacamole_user_group_member].member_entity_id
+                FROM [guacamole_user_group_member]
+                WHERE [guacamole_user_group_member].user_group_id = #{parent.objectID,jdbcType=INTEGER}
+            )
+    </insert>
+
+</mapper>

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/usergroup/UserGroupMemberUserMapper.xml

@@ -0,0 +1,93 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
+    "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
+
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+
+<mapper namespace="org.apache.guacamole.auth.jdbc.usergroup.UserGroupMemberUserMapper" >
+
+    <!-- Select the username of all member users -->
+    <select id="selectChildIdentifiers" resultType="string">
+        SELECT name
+        FROM [guacamole_user_group_member]
+        JOIN [guacamole_entity] ON [guacamole_entity].entity_id = [guacamole_user_group_member].member_entity_id
+        WHERE
+            [guacamole_user_group_member].user_group_id = #{parent.objectID,jdbcType=INTEGER}
+            AND [guacamole_entity].type = 'USER'
+    </select>
+
+    <!-- Select the usernames of all readable member users -->
+    <select id="selectReadableChildIdentifiers" resultType="string">
+        SELECT [guacamole_entity].name
+        FROM [guacamole_user_group_member]
+        JOIN [guacamole_entity] ON [guacamole_entity].entity_id = [guacamole_user_group_member].member_entity_id
+        JOIN [guacamole_user] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
+        JOIN [guacamole_user_permission] ON affected_user_id = [guacamole_user].user_id
+        WHERE
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_permission].entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
+            AND [guacamole_user_group_member].user_group_id = #{parent.objectID,jdbcType=INTEGER}
+            AND [guacamole_entity].type = 'USER'
+            AND permission = 'READ'
+    </select>
+
+    <!-- Delete member users by name -->
+    <delete id="delete">
+        DELETE [guacamole_user_group_member]
+        FROM [guacamole_user_group_member]
+        JOIN [guacamole_entity] ON [guacamole_entity].entity_id = member_entity_id
+        WHERE
+            user_group_id = #{parent.objectID,jdbcType=INTEGER}
+            AND [guacamole_entity].type = 'USER'
+            AND [guacamole_entity].name IN
+                <foreach collection="children" item="identifier"
+                         open="(" separator="," close=")">
+                    #{identifier,jdbcType=VARCHAR}
+                </foreach>
+    </delete>
+
+    <!-- Insert member users by name -->
+    <insert id="insert">
+        INSERT INTO [guacamole_user_group_member] (
+            user_group_id,
+            member_entity_id
+        )
+        SELECT DISTINCT
+            #{parent.objectID,jdbcType=INTEGER},
+            [guacamole_entity].entity_id
+        FROM [guacamole_entity]
+        WHERE
+            [guacamole_entity].name IN
+                <foreach collection="children" item="identifier"
+                         open="(" separator="," close=")">
+                    #{identifier}
+                </foreach>
+            AND [guacamole_entity].type = 'USER'
+            AND [guacamole_entity].entity_id NOT IN (
+                SELECT [guacamole_user_group_member].member_entity_id
+                FROM [guacamole_user_group_member]
+                WHERE [guacamole_user_group_member].user_group_id = #{parent.objectID,jdbcType=INTEGER}
+            )
+    </insert>
+
+</mapper>

extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/usergroup/UserGroupParentUserGroupMapper.xml

@@ -0,0 +1,96 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
+    "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
+
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+
+<mapper namespace="org.apache.guacamole.auth.jdbc.usergroup.UserGroupParentUserGroupMapper" >
+
+    <!-- Select the names of all parent user groups -->
+    <select id="selectChildIdentifiers" resultType="string">
+        SELECT name
+        FROM [guacamole_user_group_member]
+        JOIN [guacamole_user_group] ON [guacamole_user_group_member].user_group_id = [guacamole_user_group].user_group_id
+        JOIN [guacamole_entity] ON [guacamole_entity].entity_id = [guacamole_user_group].entity_id
+        WHERE
+            [guacamole_user_group_member].member_entity_id = #{parent.entityID,jdbcType=INTEGER}
+            AND [guacamole_entity].type = 'USER_GROUP'
+    </select>
+
+    <!-- Select the names of all readable parent user groups -->
+    <select id="selectReadableChildIdentifiers" resultType="string">
+        SELECT [guacamole_entity].name
+        FROM [guacamole_user_group_member]
+        JOIN [guacamole_user_group] ON [guacamole_user_group_member].user_group_id = [guacamole_user_group].user_group_id
+        JOIN [guacamole_entity] ON [guacamole_entity].entity_id = [guacamole_user_group].entity_id
+        JOIN [guacamole_user_group_permission] ON affected_user_group_id = [guacamole_user_group].user_group_id
+        WHERE
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_group_permission].entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
+            AND [guacamole_user_group_member].member_entity_id = #{parent.entityID,jdbcType=INTEGER}
+            AND [guacamole_entity].type = 'USER_GROUP'
+            AND permission = 'READ'
+    </select>
+
+    <!-- Delete parent groups by name -->
+    <delete id="delete">
+        DELETE [guacamole_user_group_member]
+        FROM [guacamole_user_group_member]
+        JOIN [guacamole_user_group] ON [guacamole_user_group].user_group_id = [guacamole_user_group_member].user_group_id
+        JOIN [guacamole_entity] ON [guacamole_entity].entity_id = [guacamole_user_group].entity_id
+        WHERE
+            member_entity_id = #{parent.entityID,jdbcType=INTEGER}
+            AND [guacamole_entity].type = 'USER_GROUP'
+            AND [guacamole_entity].name IN
+                <foreach collection="children" item="identifier"
+                         open="(" separator="," close=")">
+                    #{identifier,jdbcType=VARCHAR}
+                </foreach>
+    </delete>
+
+    <!-- Insert parent groups by name -->
+    <insert id="insert">
+        INSERT INTO [guacamole_user_group_member] (
+            user_group_id,
+            member_entity_id
+        )
+        SELECT DISTINCT
+            [guacamole_user_group].user_group_id,
+            #{parent.entityID,jdbcType=INTEGER}
+        FROM [guacamole_user_group]
+        JOIN [guacamole_entity] ON [guacamole_user_group].entity_id = [guacamole_entity].entity_id
+        WHERE
+            [guacamole_entity].name IN
+                <foreach collection="children" item="identifier"
+                         open="(" separator="," close=")">
+                    #{identifier,jdbcType=VARCHAR}
+                </foreach>
+            AND [guacamole_entity].type = 'USER_GROUP'
+            AND [guacamole_user_group].user_group_id NOT IN (
+                SELECT [guacamole_user_group_member].user_group_id
+                FROM [guacamole_user_group_member]
+                WHERE [guacamole_user_group_member].member_entity_id = #{parent.entityID,jdbcType=INTEGER}
+            )
+    </insert>
+
+</mapper>