diff --git a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLAuthenticationProvider.java b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLAuthenticationProvider.java
index 7d19cfe9a..52487acb8 100644
--- a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLAuthenticationProvider.java
+++ b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLAuthenticationProvider.java
@@ -146,6 +146,7 @@ public class MySQLAuthenticationProvider implements AuthenticationProvider {
 bind(MySQLConnection.class);
 bind(MySQLUser.class);
 bind(MySQLUserContext.class);
+ bind(MySQLRootConnectionGroup.class);
 bind(MySQLSystemPermissionSet.class);
 bind(PasswordEncryptionService.class).to(SHA256PasswordEncryptionService.class);
 bind(SaltService.class).to(SecureRandomSaltService.class);
diff --git a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLRootConnectionGroup.java b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLRootConnectionGroup.java
new file mode 100644
index 000000000..167b71414
--- /dev/null
+++ b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLRootConnectionGroup.java
@@ -0,0 +1,135 @@
+/*
+ * Copyright (C) 2013 Glyptodon LLC
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+package net.sourceforge.guacamole.net.auth.mysql;
+
+import com.google.inject.Inject;
+import java.util.Collections;
+import java.util.Set;
+import net.sourceforge.guacamole.net.auth.mysql.service.ConnectionService;
+import org.glyptodon.guacamole.GuacamoleException;
+import org.glyptodon.guacamole.GuacamoleSecurityException;
+import org.glyptodon.guacamole.net.GuacamoleSocket;
+import org.glyptodon.guacamole.net.auth.ConnectionGroup;
+import org.glyptodon.guacamole.protocol.GuacamoleClientInformation;
+
+/**
+ * The root connection group, here represented as its own dedicated object as
+ * the database does not contain an actual root group.
+ *
+ * @author Michael Jumper
+ */
+public class MySQLRootConnectionGroup implements ConnectionGroup {
+
+ /**
+ * The user this group belongs to. Access is based on his/her permission
+ * settings.
+ */
+ private AuthenticatedUser currentUser;
+
+ /**
+ * Service for managing connection objects.
+ */
+ @Inject
+ private ConnectionService connectionService;
+
+ /**
+ * Creates a new, empty MySQLRootConnectionGroup.
+ */
+ public MySQLRootConnectionGroup() {
+ }
+
+ /**
+ * Initializes this root connection group, associating it with the current
+ * authenticated user.
+ *
+ * @param currentUser
+ * The user that created or retrieved this object.
+ */
+ public void init(AuthenticatedUser currentUser) {
+ this.currentUser = currentUser;
+ }
+
+ @Override
+ public String getName() {
+ return MySQLConstants.CONNECTION_GROUP_ROOT_IDENTIFIER;
+ }
+
+ @Override
+ public void setName(String name) {
+ throw new UnsupportedOperationException("The root connection group cannot be modified.");
+ }
+
+ @Override
+ public String getParentIdentifier() {
+ return null;
+ }
+
+ @Override
+ public void setParentIdentifier(String parentIdentifier) {
+ throw new UnsupportedOperationException("The root connection group cannot be modified.");
+ }
+
+ @Override
+ public Type getType() {
+ return ConnectionGroup.Type.ORGANIZATIONAL;
+ }
+
+ @Override
+ public void setType(Type type) {
+ throw new UnsupportedOperationException("The root connection group cannot be modified.");
+ }
+
+ @Override
+ public Set getConnectionIdentifiers() throws GuacamoleException {
+ return connectionService.getRootIdentifiers(currentUser);
+ }
+
+ @Override
+ public Set getConnectionGroupIdentifiers()
+ throws GuacamoleException {
+ /* STUB */
+ return Collections.EMPTY_SET;
+ }
+
+ @Override
+ public String getIdentifier() {
+ return MySQLConstants.CONNECTION_GROUP_ROOT_IDENTIFIER;
+ }
+
+ @Override
+ public void setIdentifier(String identifier) {
+ throw new UnsupportedOperationException("The root connection group cannot be modified.");
+ }
+
+ @Override
+ public GuacamoleSocket connect(GuacamoleClientInformation info)
+ throws GuacamoleException {
+ throw new GuacamoleSecurityException("Permission denied.");
+ }
+
+ @Override
+ public int getActiveConnections() {
+ return 0;
+ }
+
+}
diff --git a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLUserContext.java b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLUserContext.java
index 60353bcce..c5877d592 100644
--- a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLUserContext.java
+++ b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLUserContext.java
@@ -24,6 +24,7 @@ package net.sourceforge.guacamole.net.auth.mysql;
 import com.google.inject.Inject;
+import com.google.inject.Provider;
 import java.util.Collections;
 import org.glyptodon.guacamole.GuacamoleException;
 import org.glyptodon.guacamole.net.auth.Connection;
@@ -58,7 +59,13 @@ public class MySQLUserContext implements UserContext {
 */
 @Inject
 private ConnectionDirectory connectionDirectory;
-
+
+ /**
+ * Provider for creating the root group.
+ */
+ @Inject
+ private Provider rootGroupProvider;
+ /**
+ * Initializes the user and directories associated with this context.
+ *
@@ -69,6 +76,7 @@ public class MySQLUserContext implements UserContext {
 this.currentUser = currentUser;
+ // Init directories
 userDirectory.init(currentUser);
 connectionDirectory.init(currentUser);
@@ -97,13 +105,12 @@ public class MySQLUserContext implements UserContext {
 @Override
 public ConnectionGroup getRootConnectionGroup() throws GuacamoleException {
- /* STUB */
- return new SimpleConnectionGroup(
- MySQLConstants.CONNECTION_GROUP_ROOT_IDENTIFIER,
- MySQLConstants.CONNECTION_GROUP_ROOT_IDENTIFIER,
- Collections.EMPTY_LIST,
- Collections.EMPTY_LIST
- );
+
+ // Build and return a root group for the current user
+ MySQLRootConnectionGroup rootGroup = rootGroupProvider.get();
+ rootGroup.init(currentUser);
+ return rootGroup;
+
 }
 }
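Review bot: `init()` is the only place `currentUser` is assigned, yet nothing in the new class says it must run before `getConnectionIdentifiers()`; an instance that skipped `init` hands a null user to `connectionService.getRootIdentifiers`, which in the ConnectionService hunk dereferences it straight away via `user.getUser()`. The `init` Javadoc should carry that contract, e.g. `Must be called before getConnectionIdentifiers(); the permission filtering performed by ConnectionService.getRootIdentifiers() is driven by this user.` The class Javadoc could likewise state what the rest of the class shows — every mutator throws `UnsupportedOperationException` and `connect()` refuses with `GuacamoleSecurityException` — so callers do not treat the synthetic root group as an editable or connectable object. Separately, the stubbed `getConnectionGroupIdentifiers()` returns the raw-typed constant `Collections.EMPTY_SET`; `return Collections.emptySet();` yields the same empty set without the raw type.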
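Review bot: The `SimpleConnectionGroup` construction removed from `getRootConnectionGroup()` was the only use of `SimpleConnectionGroup` and of `Collections` visible in this section, but the import hunk leaves both imports in place; if nothing else in the file uses them they should be dropped in this same commit rather than left as dead imports. The `Provider` field in the second hunk appears on the rendered page without a type argument — presumably `Provider<MySQLRootConnectionGroup>` given that `rootGroupProvider.get()` is assigned to a `MySQLRootConnectionGroup` local — so it is worth confirming the declaration is not raw. The field's Javadoc could also say that a fresh group is built and initialised with `currentUser` on every call, e.g. `Provider for the per-user root group; getRootConnectionGroup() builds and initialises a new instance on each call.`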
diff --git a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/ConnectionService.java b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/ConnectionService.java
index 4ddd9578f..a5bd28d28 100644
--- a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/ConnectionService.java
+++ b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/ConnectionService.java
@@ -24,6 +24,7 @@ package net.sourceforge.guacamole.net.auth.mysql.service;
 import com.google.inject.Inject;
 import com.google.inject.Provider;
+import java.util.Set;
 import net.sourceforge.guacamole.net.auth.mysql.AuthenticatedUser;
 import net.sourceforge.guacamole.net.auth.mysql.MySQLConnection;
 import net.sourceforge.guacamole.net.auth.mysql.dao.ConnectionMapper;
@@ -130,4 +131,30 @@ public class ConnectionService extends DirectoryObjectService getRootIdentifiers(AuthenticatedUser user) throws GuacamoleException {
+
+ // Bypass permission checks if the user is a system admin
+ if (user.getUser().isAdministrator())
+ return connectionMapper.selectIdentifiersWithin(null);
+
+ // Otherwise only return explicitly readable identifiers
+ else
+ return connectionMapper.selectReadableIdentifiersWithin(user.getUser().getModel(), null);
+
+ }
+ }
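Review bot: Both branches of the new `getRootIdentifiers` `return`, so the `else` after the administrator `return` is dead structure, and `user.getUser()` is evaluated twice; `if (user.getUser().isAdministrator()) return connectionMapper.selectIdentifiersWithin(null); return connectionMapper.selectReadableIdentifiersWithin(user.getUser().getModel(), null);` reads as the single authorization decision it is. The rendered hunk seems to have lost the text between the `DirectoryObjectService` type arguments and the `getRootIdentifiers` name — the method's Javadoc and return type are not visible — so I cannot tell whether the contract is documented; the Javadoc should state that this method is the permission filter for listing root-level connections, that administrators receive every identifier, and that the `null` argument presumably selects the root level. A null `user` fails on `user.getUser()` before either query runs, which is the safe direction, but `Objects.requireNonNull(user, "user");` at the top would make that intent explicit.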