diff --git a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/AuthenticatedUser.java b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/AuthenticatedUser.java
index a6aab2b15..beaca0166 100644
--- a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/AuthenticatedUser.java
+++ b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/AuthenticatedUser.java
@@ -25,17 +25,16 @@ package net.sourceforge.guacamole.net.auth.mysql; import org.glyptodon.guacamole.net.auth.Credentials; /** - * Represents an authenticated user via their database ID and corresponding - * credentials. + * Associates a user with the credentials they used to authenticate. * * @author Michael Jumper */ public class AuthenticatedUser { /** - * The database ID of this user. + * The user that authenticated. */ - private final int userID; + private final MySQLUser user; /** * The credentials given when this user authenticated.
@@ -43,28 +42,28 @@ public class AuthenticatedUser { private final Credentials credentials; /** - * Creates a new AuthenticatedUser associated with the given database ID - * and credentials. + * Creates a new AuthenticatedUser associating the given user with their + * corresponding credentials. * - * @param userID - * The database ID of the user this object should represent. + * @param user + * The user this object should represent. * * @param credentials * The credentials given by the user when they authenticated. */ - public AuthenticatedUser(int userID, Credentials credentials) { - this.userID = userID; + public AuthenticatedUser(MySQLUser user, Credentials credentials) { + this.user = user; this.credentials = credentials; } /** - * Returns the ID of this user. + * Returns the user that authenticated. * * @return - * The ID of this user. + * The user that authenticated. */ - public int getUserID() { - return userID; + public MySQLUser getUser() { + return user; } /**
diff --git a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLAuthenticationProvider.java b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLAuthenticationProvider.java
index ece180551..10c706c87 100644
--- a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLAuthenticationProvider.java
+++ b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLAuthenticationProvider.java
@@ -66,12 +66,15 @@ public class MySQLAuthenticationProvider implements AuthenticationProvider { // Get user service UserService userService = injector.getInstance(UserService.class); - // Get user + // Authenticate user MySQLUser user = userService.retrieveUser(credentials); if (user != null) { + + // Upon successful authentication, return new user context MySQLUserContext context = injector.getInstance(MySQLUserContext.class); - context.init(user); + context.init(new AuthenticatedUser(user, credentials)); return context; + } // Otherwise, unauthorized
diff --git a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLUserContext.java b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLUserContext.java
index 55766260d..12374f426 100644
--- a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLUserContext.java
+++ b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/MySQLUserContext.java
@@ -43,7 +43,7 @@ public class MySQLUserContext implements UserContext { /** * The the user owning this context. */ - private MySQLUser currentUser; + private AuthenticatedUser currentUser; /** * User directory restricted by the permissions of the user associated
@@ -58,13 +58,14 @@ public class MySQLUserContext implements UserContext { * @param currentUser * The user owning this context. */ - public void init(MySQLUser currentUser) { + public void init(AuthenticatedUser currentUser) { this.currentUser = currentUser; + userDirectory.init(currentUser); } @Override public User self() { - return currentUser; + return currentUser.getUser(); } @Override
diff --git a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/UserDirectory.java b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/UserDirectory.java
index 9014c7238..d8bbbf32c 100644
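Review bot: `context.init(new AuthenticatedUser(user, credentials))` makes the context hold the full Credentials object for its whole lifetime, where the old `context.init(user)` kept only the MySQLUser. If Credentials carries the submitted password (its fields are not visible in this diff), that value now stays reachable from the UserDirectory and from every UserService call that receives the AuthenticatedUser. I would add a comment at the call, e.g. `// AuthenticatedUser keeps the login Credentials for the life of this context; never log or serialize it`, and confirm that downstream code needs more than the user itself. The enclosing method starts and ends outside the hunk.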
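Review bot: `self()` now dereferences `currentUser.getUser()` and `init` forwards its argument to `userDirectory.init(currentUser)`, but nothing rejects a null AuthenticatedUser or a context that is used before `init` has run. `UserDirectory.init` in the next file has the same gap: its `currentUser` field stays null until `init` is called, and every directory method passes it straight to UserService, whose handling of a null user is not visible here. Because this object is what the permission decisions are keyed on, I would fail closed at the entry point, e.g. `if (currentUser == null) throw new IllegalArgumentException("currentUser must not be null");` as the first statement of both `init` methods.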
--- a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/UserDirectory.java
+++ b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/UserDirectory.java
@@ -42,12 +42,29 @@ import org.mybatis.guice.transactional.Transactional; */ public class UserDirectory implements Directory { + /** + * The user this user directory belongs to. Access is based on his/her + * permission settings. + */ + private AuthenticatedUser currentUser; + /** * Service for managing user objects. */ @Inject private UserService userService; + /** + * Set the user for this directory. + * + * @param currentUser + * The user whose permissions define the visibility of other users in + * this directory. + */ + public void init(AuthenticatedUser currentUser) { + this.currentUser = currentUser; + } + @Override public void move(String identifier, Directory groupIdentifier) throws GuacamoleException {
@@ -56,43 +73,40 @@ public class UserDirectory implements Directory { @Override public User get(String identifier) throws GuacamoleException { - return userService.retrieveObject(identifier); + return userService.retrieveObject(currentUser, identifier); } @Override @Transactional public Collection getAll(Collection identifiers) throws GuacamoleException { - return Collections.unmodifiableCollection(userService.retrieveObjects(identifiers)); + Collection objects = userService.retrieveObjects(currentUser, identifiers); + return Collections.unmodifiableCollection(objects); } @Override @Transactional public Set getIdentifiers() throws GuacamoleException { - // STUB - return userService.getIdentifiers(); + return userService.getIdentifiers(currentUser); } @Override @Transactional public void add(User object) throws GuacamoleException { - // STUB MySQLUser user = (MySQLUser) object; - userService.createObject(user); + userService.createObject(currentUser, user); } @Override @Transactional public void update(User object) throws GuacamoleException { - // STUB MySQLUser user = (MySQLUser) object; - userService.updateObject(user); + userService.updateObject(currentUser, user); } @Override @Transactional public void remove(String identifier) throws GuacamoleException { - // STUB - userService.deleteObject(identifier); + userService.deleteObject(currentUser, identifier); } }
diff --git a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/DirectoryObjectService.java b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/DirectoryObjectService.java
index f33744d25..933551009 100644
--- a/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/DirectoryObjectService.java
+++ b/extensions/guacamole-auth-mysql/src/main/java/net/sourceforge/guacamole/net/auth/mysql/service/DirectoryObjectService.java
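Review bot: The `// STUB` markers are dropped from `getIdentifiers`, `add`, `update` and `remove`, yet the service side shown later in this diff still implements `getIdentifiers(AuthenticatedUser user)` as `return getObjectMapper().selectIdentifiers();`, so the `user` argument is accepted but never used there and the result is presumably not restricted by the caller's permissions. Whether `createObject`, `updateObject` and `deleteObject` check the caller's permissions is not visible in this hunk. Until the service filters by the user, I would keep a marker on the directory method, e.g. `// TODO: getIdentifiers(currentUser) does not yet restrict results to what currentUser may read`, so that the new parameter is not read as enforcement.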
@@ -26,8 +26,10 @@ import java.util.ArrayList; import java.util.Collection; import java.util.Collections; import java.util.Set; +import net.sourceforge.guacamole.net.auth.mysql.AuthenticatedUser; import net.sourceforge.guacamole.net.auth.mysql.DirectoryObject; import net.sourceforge.guacamole.net.auth.mysql.dao.DirectoryObjectMapper; +import org.glyptodon.guacamole.GuacamoleException; /** * Service which provides convenience methods for creating, retrieving, and
@@ -89,7 +91,11 @@ public abstract class DirectoryObjectService objects = retrieveObjects(user, Collections.singleton(identifier)); // If no such object, return null if (objects.isEmpty())
@@ -118,6 +125,10 @@ public abstract class DirectoryObjectService retrieveObjects(Collection identifiers) { + public Collection retrieveObjects(AuthenticatedUser user, + Collection identifiers) { // Do not query if no identifiers given if (identifiers.isEmpty())
@@ -141,10 +153,18 @@ public abstract class DirectoryObjectService getIdentifiers() { + public Set getIdentifiers(AuthenticatedUser user) { return getObjectMapper().selectIdentifiers(); }