GUACAMOLE-220: Update SQL Server mapping with respect to user group support.

2025-09-06 21:27:40 +00:00 · 2018-09-08 18:52:10 -07:00
parent dec7b3c340
commit ee35620194
19 changed files with 1218 additions and 167 deletions
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/base/EntityMapper.xml
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/base/EntityMapper.xml
@@ -0,0 +1,123 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
+    "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
+
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+
+<mapper namespace="org.apache.guacamole.auth.jdbc.base.EntityMapper" >
+
+    <!--
+      * SQL fragment which tests whether the value of the given column matches
+      * the given entity ID. If group identifiers are provided, the IDs of the
+      * entities for all groups having those identifiers are tested, as well.
+      * Disabled groups are ignored.
+      *
+      * @param column
+      *     The name of the column to test. This column MUST contain an entity
+      *     ID (a foreign key into the [guacamole_entity] table).
+      *
+      * @param entityID
+      *     The ID of the specific entity to test the column against.
+      *
+      * @param groups
+      *     A collection of group identifiers to additionally test the column
+      *     against. Though this functionality is optional, a collection must
+      *     always be given, even if that collection is empty.
+      -->
+    <sql id="isRelatedEntity">
+        (
+            ${column} = ${entityID}
+            <if test="!${groups}.isEmpty()">
+                OR ${column} IN (
+                    SELECT [guacamole_entity].entity_id
+                    FROM [guacamole_entity]
+                    JOIN [guacamole_user_group] ON [guacamole_user_group].entity_id = [guacamole_entity].entity_id
+                    WHERE
+                        type = 'USER_GROUP'
+                        AND name IN
+                            <foreach collection="${groups}" item="effectiveGroup"
+                                     open="(" separator="," close=")">
+                                #{effectiveGroup,jdbcType=VARCHAR}
+                            </foreach>
+                        AND disabled = 0
+                )
+            </if>
+        )
+    </sql>
+
+    <!-- Select names of all effective groups (including inherited) -->
+    <select id="selectEffectiveGroupIdentifiers" resultType="string">
+
+        WITH [related_entity] ([entity_id]) AS (
+            SELECT
+                [guacamole_user_group].entity_id
+            FROM [guacamole_user_group]
+            JOIN [guacamole_user_group_member] ON [guacamole_user_group].user_group_id = [guacamole_user_group_member].user_group_id
+            WHERE
+                [guacamole_user_group_member].member_entity_id = #{entity.entityID}
+                AND [guacamole_user_group].disabled = 0
+            <if test="!effectiveGroups.isEmpty()">
+                UNION ALL
+                    SELECT
+                        [guacamole_entity].entity_id
+                    FROM [guacamole_entity]
+                    JOIN [guacamole_user_group] ON [guacamole_user_group].entity_id = [guacamole_entity].entity_id
+                    WHERE
+                        type = 'USER_GROUP'
+                        AND name IN
+                            <foreach collection="effectiveGroups" item="effectiveGroup"
+                                     open="(" separator="," close=")">
+                                #{effectiveGroup,jdbcType=VARCHAR}
+                            </foreach>
+                        AND [guacamole_user_group].disabled = 0
+            </if>
+            UNION ALL
+                SELECT
+                    [guacamole_user_group].entity_id
+                FROM [related_entity]
+                JOIN [guacamole_user_group_member] ON [related_entity].entity_id = [guacamole_user_group_member].member_entity_id
+                JOIN [guacamole_user_group] ON [guacamole_user_group].user_group_id = [guacamole_user_group_member].user_group_id
+                WHERE
+                    [guacamole_user_group].disabled = 0
+        )
+        SELECT DISTINCT name
+        FROM [related_entity]
+        JOIN [guacamole_entity] ON [related_entity].entity_id = [guacamole_entity].entity_id
+        WHERE
+            [guacamole_entity].type = 'USER_GROUP';
+
+    </select>
+
+    <!-- Insert single entity -->
+    <insert id="insert" useGeneratedKeys="true" keyProperty="entity.entityID"
+            parameterType="org.apache.guacamole.auth.jdbc.base.EntityModel">
+
+        INSERT INTO [guacamole_entity] (
+            name,
+            type
+        )
+        VALUES (
+            #{entity.identifier,jdbcType=VARCHAR},
+            #{entity.entityType,jdbcType=VARCHAR}
+        )
+
+    </insert>
+
+</mapper>
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/connection/ConnectionMapper.xml
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/connection/ConnectionMapper.xml
@@ -68,7 +68,11 @@
        SELECT connection_id
        FROM [guacamole_connection_permission]
        WHERE
-            user_id = #{user.objectID,jdbcType=INTEGER}
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
            AND permission = 'READ'
    </select>

@@ -89,7 +93,11 @@
        WHERE
            <if test="parentIdentifier != null">parent_id = #{parentIdentifier,jdbcType=INTEGER}</if>
            <if test="parentIdentifier == null">parent_id IS NULL</if>
-            AND user_id = #{user.objectID,jdbcType=INTEGER}
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
            AND permission = 'READ'
    </select>

@@ -170,7 +178,11 @@
                     open="(" separator="," close=")">
                #{identifier,jdbcType=INTEGER}
            </foreach>
-            AND [guacamole_connection_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_connection_permission].entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
            AND permission = 'READ';

        SELECT primary_connection_id, [guacamole_sharing_profile].sharing_profile_id
@@ -181,7 +193,11 @@
                     open="(" separator="," close=")">
                #{identifier,jdbcType=INTEGER}
            </foreach>
-            AND user_id = #{user.objectID,jdbcType=INTEGER}
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
            AND permission = 'READ';

        SELECT
@@ -195,7 +211,11 @@
                     open="(" separator="," close=")">
                #{identifier,jdbcType=INTEGER}
            </foreach>
-            AND user_id = #{user.objectID,jdbcType=INTEGER}
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
            AND permission = 'READ';

    </select>
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/connection/ConnectionRecordMapper.xml
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/connection/ConnectionRecordMapper.xml
@@ -79,7 +79,10 @@
            #{record.sharingProfileIdentifier,jdbcType=INTEGER},
            #{record.sharingProfileName,jdbcType=VARCHAR},
            (SELECT user_id FROM [guacamole_user]
-             WHERE username = #{record.username,jdbcType=VARCHAR}),
+             JOIN [guacamole_entity] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
+             WHERE
+                   [guacamole_entity].name = #{record.username,jdbcType=VARCHAR}
+               AND [guacamole_entity].type = 'USER'),
            #{record.username,jdbcType=VARCHAR},
            #{record.startDate,jdbcType=TIMESTAMP},
            #{record.endDate,jdbcType=TIMESTAMP}
@@ -161,13 +164,21 @@
        <!-- Restrict to readable connections -->
        JOIN [guacamole_connection_permission] ON
                [guacamole_connection_history].connection_id = [guacamole_connection_permission].connection_id
-            AND [guacamole_connection_permission].user_id    = #{user.objectID,jdbcType=INTEGER}
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_connection_permission].entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
            AND [guacamole_connection_permission].permission = 'READ'

        <!-- Restrict to readable users -->
        JOIN [guacamole_user_permission] ON
                [guacamole_connection_history].user_id = [guacamole_user_permission].affected_user_id
-            AND [guacamole_user_permission].user_id    = #{user.objectID,jdbcType=INTEGER}
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_permission].entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
            AND [guacamole_user_permission].permission = 'READ'

        <!-- Search terms -->
@@ -178,7 +189,10 @@
                [guacamole_connection_history].user_id IN (
                    SELECT user_id
                    FROM [guacamole_user]
-                    WHERE POSITION(#{term.term,jdbcType=VARCHAR} IN username) > 0
+                    JOIN [guacamole_entity] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
+                    WHERE
+                            POSITION(#{term.term,jdbcType=VARCHAR} IN [guacamole_entity].name) > 0
+                        AND [guacamole_entity].type = 'USER'
                )

                OR [guacamole_connection_history].connection_id IN (
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/connectiongroup/ConnectionGroupMapper.xml
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/connectiongroup/ConnectionGroupMapper.xml
@@ -69,7 +69,11 @@
        SELECT connection_group_id
        FROM [guacamole_connection_group_permission]
        WHERE
-            user_id = #{user.objectID,jdbcType=INTEGER}
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
            AND permission = 'READ'
    </select>

@@ -90,7 +94,11 @@
        WHERE
            <if test="parentIdentifier != null">parent_id = #{parentIdentifier,jdbcType=INTEGER}</if>
            <if test="parentIdentifier == null">parent_id IS NULL</if>
-            AND user_id = #{user.objectID,jdbcType=INTEGER}
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
            AND permission = 'READ'
    </select>

@@ -161,7 +169,11 @@
                     open="(" separator="," close=")">
                #{identifier,jdbcType=INTEGER}
            </foreach>
-            AND user_id = #{user.objectID,jdbcType=INTEGER}
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
            AND permission = 'READ';

        SELECT parent_id, [guacamole_connection_group].connection_group_id
@@ -172,7 +184,11 @@
                     open="(" separator="," close=")">
                #{identifier,jdbcType=INTEGER}
            </foreach>
-            AND user_id = #{user.objectID,jdbcType=INTEGER}
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
            AND permission = 'READ';

        SELECT parent_id, [guacamole_connection].connection_id
@@ -183,7 +199,11 @@
                     open="(" separator="," close=")">
                #{identifier,jdbcType=INTEGER}
            </foreach>
-            AND user_id = #{user.objectID,jdbcType=INTEGER}
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
            AND permission = 'READ';

        SELECT
@@ -197,7 +217,11 @@
                     open="(" separator="," close=")">
                #{identifier,jdbcType=INTEGER}
            </foreach>
-            AND user_id = #{user.objectID,jdbcType=INTEGER}
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
            AND permission = 'READ';

    </select>
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/ConnectionGroupPermissionMapper.xml
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/ConnectionGroupPermissionMapper.xml
@@ -25,24 +25,26 @@

    <!-- Result mapper for connection permissions -->
    <resultMap id="ConnectionGroupPermissionResultMap" type="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
-        <result column="user_id"             property="userID"           jdbcType="INTEGER"/>
-        <result column="username"            property="username"         jdbcType="VARCHAR"/>
+        <result column="entity_id"           property="entityID"         jdbcType="INTEGER"/>
        <result column="permission"          property="type"             jdbcType="VARCHAR"
                javaType="org.apache.guacamole.net.auth.permission.ObjectPermission$Type"/>
        <result column="connection_group_id" property="objectIdentifier" jdbcType="INTEGER"/>
    </resultMap>

-    <!-- Select all permissions for a given user -->
+    <!-- Select all permissions for a given entity -->
    <select id="select" resultMap="ConnectionGroupPermissionResultMap">

        SELECT
-            [guacamole_connection_group_permission].user_id,
-            username,
+            #{entity.entityID,jdbcType=INTEGER} AS entity_id,
            permission,
            connection_group_id
        FROM [guacamole_connection_group_permission]
-        JOIN [guacamole_user] ON [guacamole_connection_group_permission].user_id = [guacamole_user].user_id
-        WHERE [guacamole_connection_group_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+        WHERE
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>

    </select>

@@ -50,26 +52,32 @@
    <select id="selectOne" resultMap="ConnectionGroupPermissionResultMap">

        SELECT
-            [guacamole_connection_group_permission].user_id,
-            username,
+            #{entity.entityID,jdbcType=INTEGER} AS entity_id,
            permission,
            connection_group_id
        FROM [guacamole_connection_group_permission]
-        JOIN [guacamole_user] ON [guacamole_connection_group_permission].user_id = [guacamole_user].user_id
        WHERE
-            [guacamole_connection_group_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
            AND permission = #{type,jdbcType=VARCHAR}
            AND connection_group_id = #{identifier,jdbcType=INTEGER}

    </select>

-    <!-- Select identifiers accessible by the given user for the given permissions -->
+    <!-- Select identifiers accessible by the given entity for the given permissions -->
    <select id="selectAccessibleIdentifiers" resultType="string">

        SELECT DISTINCT connection_group_id 
        FROM [guacamole_connection_group_permission]
        WHERE
-            user_id = #{user.objectID,jdbcType=INTEGER}
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
            AND connection_group_id IN
                <foreach collection="identifiers" item="identifier"
                         open="(" separator="," close=")">
@@ -87,12 +95,12 @@
    <delete id="delete" parameterType="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">

        DELETE FROM [guacamole_connection_group_permission]
-        WHERE (user_id, permission, connection_group_id) IN
+        WHERE
            <foreach collection="permissions" item="permission"
-                     open="(" separator="," close=")">
-                (#{permission.userID,jdbcType=INTEGER},
-                 #{permission.type,jdbcType=VARCHAR},
-                 #{permission.objectIdentifier,jdbcType=INTEGER})
+                     open="(" separator=" OR " close=")">
+                (entity_id = #{permission.entityID,jdbcType=INTEGER} AND
+                 permission = #{permission.type,jdbcType=VARCHAR} AND
+                 connection_group_id = #{permission.objectIdentifier,jdbcType=INTEGER})
            </foreach>

    </delete>
@@ -101,24 +109,24 @@
    <insert id="insert" parameterType="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">

        INSERT INTO [guacamole_connection_group_permission] (
-            user_id,
+            entity_id,
            permission,
            connection_group_id
        )
        SELECT DISTINCT
-            permissions.user_id,
+            permissions.entity_id,
            permissions.permission,
            permissions.connection_group_id
        FROM
            <foreach collection="permissions" item="permission"
                     open="(" separator="UNION ALL" close=")">
-                SELECT #{permission.userID,jdbcType=INTEGER}                                 AS user_id,
+                SELECT #{permission.entityID,jdbcType=INTEGER} AS entity_id,
                       #{permission.type,jdbcType=VARCHAR} AS permission,
                       #{permission.objectIdentifier,jdbcType=INTEGER} AS connection_group_id
            </foreach>
        AS permissions
        WHERE NOT EXISTS (SELECT 1 FROM [guacamole_connection_group_permission]
-            WHERE [guacamole_connection_group_permission].user_id = permissions.user_id AND
+            WHERE [guacamole_connection_group_permission].entity_id = permissions.entity_id AND
            [guacamole_connection_group_permission].permission = permissions.permission AND
            [guacamole_connection_group_permission].connection_group_id = permissions.connection_group_id
        );
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/ConnectionPermissionMapper.xml
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/ConnectionPermissionMapper.xml
@@ -25,24 +25,26 @@

    <!-- Result mapper for connection permissions -->
    <resultMap id="ConnectionPermissionResultMap" type="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
-        <result column="user_id"       property="userID"           jdbcType="INTEGER"/>
-        <result column="username"      property="username"         jdbcType="VARCHAR"/>
+        <result column="entity_id"     property="entityID"         jdbcType="INTEGER"/>
        <result column="permission"    property="type"             jdbcType="VARCHAR"
                javaType="org.apache.guacamole.net.auth.permission.ObjectPermission$Type"/>
        <result column="connection_id" property="objectIdentifier" jdbcType="INTEGER"/>
    </resultMap>

-    <!-- Select all permissions for a given user -->
+    <!-- Select all permissions for a given entity -->
    <select id="select" resultMap="ConnectionPermissionResultMap">

        SELECT
-            [guacamole_connection_permission].user_id,
-            username,
+            #{entity.entityID,jdbcType=INTEGER} AS entity_id,
            permission,
            connection_id
        FROM [guacamole_connection_permission]
-        JOIN [guacamole_user] ON [guacamole_connection_permission].user_id = [guacamole_user].user_id
-        WHERE [guacamole_connection_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+        WHERE
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>

    </select>

@@ -50,26 +52,32 @@
    <select id="selectOne" resultMap="ConnectionPermissionResultMap">

        SELECT
-            [guacamole_connection_permission].user_id,
-            username,
+            #{entity.entityID,jdbcType=INTEGER} AS entity_id,
            permission,
            connection_id
        FROM [guacamole_connection_permission]
-        JOIN [guacamole_user] ON [guacamole_connection_permission].user_id = [guacamole_user].user_id
        WHERE
-            [guacamole_connection_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
            AND permission = #{type,jdbcType=VARCHAR}
            AND connection_id = #{identifier,jdbcType=INTEGER}

    </select>

-    <!-- Select identifiers accessible by the given user for the given permissions -->
+    <!-- Select identifiers accessible by the given entity for the given permissions -->
    <select id="selectAccessibleIdentifiers" resultType="string">

        SELECT DISTINCT connection_id 
        FROM [guacamole_connection_permission]
        WHERE
-            user_id = #{user.objectID,jdbcType=INTEGER}
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
            AND connection_id IN
                <foreach collection="identifiers" item="identifier"
                         open="(" separator="," close=")">
@@ -90,7 +98,7 @@
        WHERE
            <foreach collection="permissions" item="permission"
                     open="(" separator=" OR " close=")">
-                (user_id = #{permission.userID,jdbcType=INTEGER} AND
+                (entity_id = #{permission.entityID,jdbcType=INTEGER} AND
                 permission = #{permission.type,jdbcType=VARCHAR} AND
                 connection_id = #{permission.objectIdentifier,jdbcType=INTEGER})
            </foreach>
@@ -101,24 +109,24 @@
    <insert id="insert" parameterType="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">

        INSERT INTO [guacamole_connection_permission] (
-            user_id,
+            entity_id,
            permission,
            connection_id
        )
        SELECT DISTINCT
-            permissions.user_id,
+            permissions.entity_id,
            permissions.permission,
            permissions.connection_id
        FROM
            <foreach collection="permissions" item="permission"
                     open="(" separator="UNION ALL" close=")">
-                SELECT #{permission.userID,jdbcType=INTEGER} AS user_id,
+                SELECT #{permission.entityID,jdbcType=INTEGER} AS entity_id,
                       #{permission.type,jdbcType=VARCHAR} AS permission,
                       #{permission.objectIdentifier,jdbcType=INTEGER} AS connection_id
            </foreach>
        AS permissions
        WHERE NOT EXISTS ( SELECT 1 FROM [guacamole_connection_permission]
-            WHERE [guacamole_connection_permission].user_id = permissions.user_id AND
+            WHERE [guacamole_connection_permission].entity_id = permissions.entity_id AND
            [guacamole_connection_permission].permission = permissions.permission AND
            [guacamole_connection_permission].connection_id = permissions.connection_id
        );
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/SharingProfilePermissionMapper.xml
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/SharingProfilePermissionMapper.xml
@@ -25,24 +25,26 @@

    <!-- Result mapper for sharing profile permissions -->
    <resultMap id="SharingProfilePermissionResultMap" type="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
-        <result column="user_id"            property="userID"           jdbcType="INTEGER"/>
-        <result column="username"           property="username"         jdbcType="VARCHAR"/>
+        <result column="entity_id"          property="entityID"         jdbcType="INTEGER"/>
        <result column="permission"         property="type"             jdbcType="VARCHAR"
                javaType="org.apache.guacamole.net.auth.permission.ObjectPermission$Type"/>
        <result column="sharing_profile_id" property="objectIdentifier" jdbcType="INTEGER"/>
    </resultMap>

-    <!-- Select all permissions for a given user -->
+    <!-- Select all permissions for a given entity -->
    <select id="select" resultMap="SharingProfilePermissionResultMap">

        SELECT
-            [guacamole_sharing_profile_permission].user_id,
-            username,
+            #{entity.entityID,jdbcType=INTEGER} AS entity_id,
            permission,
            sharing_profile_id
        FROM [guacamole_sharing_profile_permission]
-        JOIN [guacamole_user] ON [guacamole_sharing_profile_permission].user_id = [guacamole_user].user_id
-        WHERE [guacamole_sharing_profile_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+        WHERE
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>

    </select>

@@ -50,26 +52,32 @@
    <select id="selectOne" resultMap="SharingProfilePermissionResultMap">

        SELECT
-            [guacamole_sharing_profile_permission].user_id,
-            username,
+            #{entity.entityID,jdbcType=INTEGER} AS entity_id,
            permission,
            sharing_profile_id
        FROM [guacamole_sharing_profile_permission]
-        JOIN [guacamole_user] ON [guacamole_sharing_profile_permission].user_id = [guacamole_user].user_id
        WHERE
-            [guacamole_sharing_profile_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
            AND permission = #{type,jdbcType=VARCHAR}
            AND sharing_profile_id = #{identifier,jdbcType=INTEGER}

    </select>

-    <!-- Select identifiers accessible by the given user for the given permissions -->
+    <!-- Select identifiers accessible by the given entity for the given permissions -->
    <select id="selectAccessibleIdentifiers" resultType="string">

        SELECT DISTINCT sharing_profile_id
        FROM [guacamole_sharing_profile_permission]
        WHERE
-            user_id = #{user.objectID,jdbcType=INTEGER}
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
            AND sharing_profile_id IN
                <foreach collection="identifiers" item="identifier"
                         open="(" separator="," close=")">
@@ -90,7 +98,7 @@
        WHERE
            <foreach collection="permissions" item="permission"
                     open="(" separator=" OR " close=")">
-                (user_id = #{permission.userID,jdbcType=INTEGER} AND
+                (entity_id = #{permission.entityID,jdbcType=INTEGER} AND
                 permission = #{permission.type,jdbcType=VARCHAR} AND
                 sharing_profile_id = #{permission.objectIdentifier,jdbcType=INTEGER})
            </foreach>
@@ -101,24 +109,24 @@
    <insert id="insert" parameterType="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">

        INSERT INTO [guacamole_sharing_profile_permission] (
-            user_id,
+            entity_id,
            permission,
            sharing_profile_id
        )
        SELECT DISTINCT
-            permissions.user_id,
+            permissions.entity_id,
            permissions.permission,
            permissions.sharing_profile_id
        FROM
            <foreach collection="permissions" item="permission"
                     open="(" separator="UNION ALL" close=")">
-                SELECT #{permission.userID,jdbcType=INTEGER} AS user_id,
+                SELECT #{permission.entityID,jdbcType=INTEGER} AS entity_id,
                       #{permission.type,jdbcType=VARCHAR} AS permission,
                       #{permission.objectIdentifier,jdbcType=INTEGER} AS sharing_profile_id
            </foreach>
        AS permissions
        WHERE NOT EXISTS (SELECT 1 FROM [guacamole_sharing_profile_permission]
-            WHERE [guacamole_sharing_profile_permission].user_id = permissions.user_id
+            WHERE [guacamole_sharing_profile_permission].entity_id = permissions.entity_id
            AND [guacamole_sharing_profile_permission].permission = permissions.permission
            AND [guacamole_sharing_profile_permission].sharing_profile_id = permissions.sharing_profile_id
        );
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/SystemPermissionMapper.xml
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/SystemPermissionMapper.xml
@@ -25,36 +25,40 @@

    <!-- Result mapper for system permissions -->
    <resultMap id="SystemPermissionResultMap" type="org.apache.guacamole.auth.jdbc.permission.SystemPermissionModel">
-        <result column="user_id"    property="userID"   jdbcType="INTEGER"/>
-        <result column="username"   property="username" jdbcType="VARCHAR"/>
+        <result column="entity_id"  property="entityID" jdbcType="INTEGER"/>
        <result column="permission" property="type"     jdbcType="VARCHAR"
                javaType="org.apache.guacamole.net.auth.permission.SystemPermission$Type"/>
    </resultMap>

-    <!-- Select all permissions for a given user -->
+    <!-- Select all permissions for a given entity -->
    <select id="select" resultMap="SystemPermissionResultMap">

-        SELECT
-            [guacamole_system_permission].user_id,
-            username,
+        SELECT DISTINCT
+            #{entity.entityID} AS entity_id,
            permission
        FROM [guacamole_system_permission]
-        JOIN [guacamole_user] ON [guacamole_system_permission].user_id = [guacamole_user].user_id
-        WHERE [guacamole_system_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+        WHERE
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>

    </select>

    <!-- Select the single permission matching the given criteria -->
    <select id="selectOne" resultMap="SystemPermissionResultMap">

-        SELECT
-            [guacamole_system_permission].user_id,
-            username,
+        SELECT DISTINCT
+            #{entity.entityID} AS entity_id,
            permission
        FROM [guacamole_system_permission]
-        JOIN [guacamole_user] ON [guacamole_system_permission].user_id = [guacamole_user].user_id
        WHERE
-            [guacamole_system_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
            AND permission = #{type,jdbcType=VARCHAR}

    </select>
@@ -66,7 +70,7 @@
        WHERE
            <foreach collection="permissions" item="permission"
                     open="(" separator=" OR " close=")">
-                     (user_id = #{permission.userID,jdbcType=INTEGER}
+                     (entity_id = #{permission.entityID,jdbcType=INTEGER}
                      AND permission = #{permission.type,jdbcType=VARCHAR})
            </foreach>

@@ -76,21 +80,21 @@
    <insert id="insert" parameterType="org.apache.guacamole.auth.jdbc.permission.SystemPermissionModel">

        INSERT INTO [guacamole_system_permission] (
-            user_id,
+            entity_id,
            permission
        )
        SELECT DISTINCT
-            permissions.user_id,
+            permissions.entity_id,
            permissions.permission
        FROM
            <foreach collection="permissions" item="permission"
                     open="(" separator="UNION ALL" close=")">
-                SELECT #{permission.userID,jdbcType=INTEGER}                                 AS user_id,
+                SELECT #{permission.entityID,jdbcType=INTEGER} AS entity_id,
                       #{permission.type,jdbcType=VARCHAR} AS permission
            </foreach>
        AS permissions
        WHERE NOT EXISTS (SELECT 1 FROM [guacamole_system_permission]
-            WHERE [guacamole_system_permission].user_id = permissions.user_id
+            WHERE [guacamole_system_permission].entity_id = permissions.entity_id
            AND [guacamole_system_permission].permission = permissions.permission
        );

--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/UserGroupPermissionMapper.xml
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/UserGroupPermissionMapper.xml
@@ -0,0 +1,153 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
+    "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
+
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+
+<mapper namespace="org.apache.guacamole.auth.jdbc.permission.UserGroupPermissionMapper" >
+
+    <!-- Result mapper for user group permissions -->
+    <resultMap id="UserGroupPermissionResultMap" type="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
+        <result column="entity_id"         property="entityID"         jdbcType="INTEGER"/>
+        <result column="permission"        property="type"             jdbcType="VARCHAR"
+                javaType="org.apache.guacamole.net.auth.permission.ObjectPermission$Type"/>
+        <result column="affected_name"     property="objectIdentifier" jdbcType="INTEGER"/>
+    </resultMap>
+
+    <!-- Select all permissions for a given entity -->
+    <select id="select" resultMap="UserGroupPermissionResultMap">
+
+        SELECT
+            #{entity.entityID,jdbcType=INTEGER} AS entity_id,
+            permission,
+            affected_entity.name AS affected_name
+        FROM [guacamole_user_group_permission]
+        JOIN [guacamole_user_group] affected_group ON [guacamole_user_group_permission].affected_user_group_id = affected_group.user_group_id
+        JOIN [guacamole_entity] affected_entity ON affected_group.entity_id = affected_entity.entity_id
+        WHERE
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_group_permission].entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
+            AND affected_entity.type = 'USER_GROUP'
+
+    </select>
+
+    <!-- Select the single permission matching the given criteria -->
+    <select id="selectOne" resultMap="UserGroupPermissionResultMap">
+
+        SELECT
+            #{entity.entityID,jdbcType=INTEGER} AS entity_id,
+            permission,
+            affected_entity.name AS affected_name
+        FROM [guacamole_user_group_permission]
+        JOIN [guacamole_user_group] affected_group ON [guacamole_user_group_permission].affected_user_group_id = affected_group.user_group_id
+        JOIN [guacamole_entity] affected_entity ON affected_group.entity_id = affected_entity.entity_id
+        WHERE
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_group_permission].entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
+            AND permission = #{type,jdbcType=VARCHAR}
+            AND affected_entity.name = #{identifier,jdbcType=VARCHAR}
+            AND affected_entity.type = 'USER_GROUP'
+
+    </select>
+
+    <!-- Select identifiers accessible by the given entity for the given permissions -->
+    <select id="selectAccessibleIdentifiers" resultType="string">
+
+        SELECT DISTINCT affected_entity.name
+        FROM [guacamole_user_group_permission]
+        JOIN [guacamole_user_group] affected_group ON [guacamole_user_group_permission].affected_user_group_id = affected_group.user_group_id
+        JOIN [guacamole_entity] affected_entity ON affected_group.entity_id = affected_entity.entity_id
+        WHERE
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_group_permission].entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
+            AND affected_entity.name IN
+                <foreach collection="identifiers" item="identifier"
+                         open="(" separator="," close=")">
+                    #{identifier,jdbcType=VARCHAR}
+                </foreach>
+            AND permission IN
+                <foreach collection="permissions" item="permission"
+                         open="(" separator="," close=")">
+                    #{permission,jdbcType=VARCHAR}
+                </foreach>
+            AND affected_entity.type = 'USER_GROUP'
+
+    </select>
+
+    <!-- Delete all given permissions -->
+    <delete id="delete" parameterType="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
+
+        DELETE [guacamole_user_group_permission]
+        FROM [guacamole_user_group_permission]
+        JOIN [guacamole_user_group] affected_group ON [guacamole_user_group_permission].affected_user_group_id = affected_group.user_group_id
+        JOIN [guacamole_entity] affected_entity ON affected_group.entity_id = affected_entity.entity_id
+        WHERE
+            <foreach collection="permissions" item="permission"
+                     open="(" separator=" OR " close=")">
+                ([guacamole_user_group_permission].entity_id = #{permission.entityID,jdbcType=INTEGER} AND
+                 permission = #{permission.type,jdbcType=VARCHAR} AND
+                 affected_entity.name = #{permission.objectIdentifier,jdbcType=VARCHAR} AND
+                 affected_entity.type = 'USER_GROUP')
+            </foreach>
+
+    </delete>
+
+    <!-- Insert all given permissions -->
+    <insert id="insert" parameterType="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
+
+        INSERT INTO [guacamole_user_group_permission] (
+            entity_id,
+            permission,
+            affected_user_group_id
+        )
+        SELECT DISTINCT
+            permissions.entity_id,
+            permissions.permission,
+            affected_group.user_group_id
+        FROM
+            <foreach collection="permissions" item="permission"
+                     open="(" separator="UNION ALL" close=")">
+                SELECT #{permission.entityID,jdbcType=INTEGER}         AS entity_id,
+                       #{permission.type,jdbcType=VARCHAR}             AS permission,
+                       #{permission.objectIdentifier,jdbcType=VARCHAR} AS affected_name
+            </foreach>
+        AS permissions
+        JOIN [guacamole_entity] affected_entity ON
+                affected_entity.name = permissions.affected_name
+            AND affected_entity.type = 'USER_GROUP'
+        JOIN [guacamole_user_group] affected_group ON affected_group.entity_id = affected_entity.entity_id
+        WHERE NOT EXISTS (SELECT 1 FROM [guacamole_user_group_permission]
+            WHERE [guacamole_user_group_permission].entity_id = permissions.entity_id
+            AND [guacamole_user_group_permission].permission = permissions.permission
+            AND [guacamole_user_group_permission].affected_user_group_id = affected_group.user_group_id
+        );
+
+    </insert>
+
+</mapper>
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/UserPermissionMapper.xml
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/permission/UserPermissionMapper.xml
@@ -25,25 +25,29 @@

    <!-- Result mapper for user permissions -->
    <resultMap id="UserPermissionResultMap" type="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">
-        <result column="user_id"           property="userID"           jdbcType="INTEGER"/>
-        <result column="username"          property="username"         jdbcType="VARCHAR"/>
+        <result column="entity_id"         property="entityID"         jdbcType="INTEGER"/>
        <result column="permission"        property="type"             jdbcType="VARCHAR"
                javaType="org.apache.guacamole.net.auth.permission.ObjectPermission$Type"/>
-        <result column="affected_username" property="objectIdentifier" jdbcType="INTEGER"/>
+        <result column="affected_name"     property="objectIdentifier" jdbcType="INTEGER"/>
    </resultMap>

-    <!-- Select all permissions for a given user -->
+    <!-- Select all permissions for a given entity -->
    <select id="select" resultMap="UserPermissionResultMap">

        SELECT
-            [guacamole_user_permission].user_id,
-            [guacamole_user].username,
+            #{entity.entityID,jdbcType=INTEGER} AS entity_id,
            permission,
-            affected.username AS affected_username
+            affected_entity.name AS affected_name
        FROM [guacamole_user_permission]
-        JOIN [guacamole_user] ON [guacamole_user_permission].user_id = [guacamole_user].user_id
-        JOIN [guacamole_user] affected ON [guacamole_user_permission].affected_user_id = affected.user_id
-        WHERE [guacamole_user_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+        JOIN [guacamole_user] affected_user ON [guacamole_user_permission].affected_user_id = affected_user.user_id
+        JOIN [guacamole_entity] affected_entity ON affected_user.entity_id = affected_entity.entity_id
+        WHERE
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_permission].entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
+            AND affected_entity.type = 'USER'

    </select>

@@ -51,55 +55,66 @@
    <select id="selectOne" resultMap="UserPermissionResultMap">

        SELECT
-            [guacamole_user_permission].user_id,
-            [guacamole_user].username,
+            #{entity.entityID,jdbcType=INTEGER} AS entity_id,
            permission,
-            affected.username AS affected_username
+            affected_entity.name AS affected_name
        FROM [guacamole_user_permission]
-        JOIN [guacamole_user] ON [guacamole_user_permission].user_id = [guacamole_user].user_id
-        JOIN [guacamole_user] affected ON [guacamole_user_permission].affected_user_id = affected.user_id
+        JOIN [guacamole_user] affected_user ON [guacamole_user_permission].affected_user_id = affected_user.user_id
+        JOIN [guacamole_entity] affected_entity ON affected_user.entity_id = affected_entity.entity_id
        WHERE
-            [guacamole_user_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_permission].entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
            AND permission = #{type,jdbcType=VARCHAR}
-            AND affected.username = #{identifier,jdbcType=INTEGER}
+            AND affected_entity.name = #{identifier,jdbcType=VARCHAR}
+            AND affected_entity.type = 'USER'

    </select>

-    <!-- Select identifiers accessible by the given user for the given permissions -->
+    <!-- Select identifiers accessible by the given entity for the given permissions -->
    <select id="selectAccessibleIdentifiers" resultType="string">

-        SELECT DISTINCT username
+        SELECT DISTINCT affected_entity.name
        FROM [guacamole_user_permission]
-        JOIN [guacamole_user] ON [guacamole_user_permission].affected_user_id = [guacamole_user].user_id
+        JOIN [guacamole_user] affected_user ON [guacamole_user_permission].affected_user_id = affected_user.user_id
+        JOIN [guacamole_entity] affected_entity ON affected_user.entity_id = affected_entity.entity_id
        WHERE
-            [guacamole_user_permission].user_id = #{user.objectID,jdbcType=INTEGER}
-            AND username IN
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_permission].entity_id"/>
+                <property name="entityID" value="#{entity.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
+            AND affected_entity.name IN
                <foreach collection="identifiers" item="identifier"
                         open="(" separator="," close=")">
-                    #{identifier,jdbcType=INTEGER}
+                    #{identifier,jdbcType=VARCHAR}
                </foreach>
            AND permission IN
                <foreach collection="permissions" item="permission"
                         open="(" separator="," close=")">
                    #{permission,jdbcType=VARCHAR}
                </foreach>
+            AND affected_entity.type = 'USER'

    </select>

    <!-- Delete all given permissions -->
    <delete id="delete" parameterType="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">

-        DELETE FROM [guacamole_user_permission]
-        USING [guacamole_user] affected
+        DELETE [guacamole_user_permission]
+        FROM [guacamole_user_permission]
+        JOIN [guacamole_user] affected_user ON [guacamole_user_permission].affected_user_id = affected_user.user_id
+        JOIN [guacamole_entity] affected_entity ON affected_user.entity_id = affected_entity.entity_id
        WHERE
-            [guacamole_user_permission].affected_user_id = affected.user_id
-            AND ([guacamole_user_permission].user_id, permission, affected.username) IN
-                <foreach collection="permissions" item="permission"
-                         open="(" separator="," close=")">
-                    (#{permission.userID,jdbcType=INTEGER},
-                     #{permission.type,jdbcType=VARCHAR},
-                     #{permission.objectIdentifier,jdbcType=INTEGER})
-                </foreach>
+            <foreach collection="permissions" item="permission"
+                     open="(" separator=" OR " close=")">
+                ([guacamole_user_permission].entity_id = #{permission.entityID,jdbcType=INTEGER} AND
+                 permission = #{permission.type,jdbcType=VARCHAR} AND
+                 affected_entity.name = #{permission.objectIdentifier,jdbcType=VARCHAR} AND
+                 affected_entity.type = 'USER')
+            </foreach>

    </delete>

@@ -107,27 +122,30 @@
    <insert id="insert" parameterType="org.apache.guacamole.auth.jdbc.permission.ObjectPermissionModel">

        INSERT INTO [guacamole_user_permission] (
-            user_id,
+            entity_id,
            permission,
            affected_user_id
        )
        SELECT DISTINCT
-            permissions.user_id,
+            permissions.entity_id,
            permissions.permission,
-            [guacamole_user].user_id
+            affected_user.user_id
        FROM
            <foreach collection="permissions" item="permission"
                     open="(" separator="UNION ALL" close=")">
-                SELECT #{permission.userID,jdbcType=INTEGER}                                 AS user_id,
+                SELECT #{permission.entityID,jdbcType=INTEGER} AS entity_id,
                       #{permission.type,jdbcType=VARCHAR} AS permission,
-                       #{permission.objectIdentifier,jdbcType=INTEGER}                       AS username
+                       #{permission.objectIdentifier,jdbcType=INTEGER} AS affected_name
            </foreach>
        AS permissions
-        JOIN [guacamole_user] ON [guacamole_user].username = permissions.username
+        JOIN [guacamole_entity] affected_entity ON
+                affected_entity.name = permissions.affected_name
+            AND affected_entity.type = 'USER'
+        JOIN [guacamole_user] affected_user ON affected_user.entity_id = affected_entity.entity_id
        WHERE NOT EXISTS (SELECT 1 FROM [guacamole_user_permission]
-            WHERE [guacamole_user_permission].user_id = permissions.user_id
+            WHERE [guacamole_user_permission].entity_id = permissions.entity_id
            AND [guacamole_user_permission].permission = permissions.permission
-            AND [guacamole_user_permission].affected_user_id = [guacamole_user].user_id
+            AND [guacamole_user_permission].affected_user_id = affected_user.user_id
        );

    </insert>
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.xml
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/sharingprofile/SharingProfileMapper.xml
@@ -52,7 +52,11 @@
        SELECT sharing_profile_id
        FROM [guacamole_sharing_profile_permission]
        WHERE
-            user_id = #{user.objectID,jdbcType=INTEGER}
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
            AND permission = 'READ'
    </select>

@@ -99,7 +103,11 @@
                     open="(" separator="," close=")">
                #{identifier,jdbcType=INTEGER}
            </foreach>
-            AND user_id = #{user.objectID,jdbcType=INTEGER}
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
            AND permission = 'READ';

        SELECT
@@ -113,7 +121,11 @@
                     open="(" separator="," close=")">
                #{identifier,jdbcType=INTEGER}
            </foreach>
-            AND user_id = #{user.objectID,jdbcType=INTEGER}
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
            AND permission = 'READ';

    </select>
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/user/PasswordRecordMapper.xml
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/user/PasswordRecordMapper.xml
@@ -41,8 +41,9 @@
            [guacamole_user_password_history].password_date
        FROM [guacamole_user_password_history]
        JOIN [guacamole_user] ON [guacamole_user_password_history].user_id = [guacamole_user].user_id
+        JOIN [guacamole_entity] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
        WHERE
-            [guacamole_user].username = #{username,jdbcType=VARCHAR}
+            [guacamole_entity].name = #{username,jdbcType=VARCHAR}
        ORDER BY
            [guacamole_user_password_history].password_date DESC

--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/user/UserMapper.xml
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/user/UserMapper.xml
@@ -28,7 +28,8 @@

        <!-- User properties -->
        <id     column="user_id"             property="objectID"           jdbcType="INTEGER"/>
-        <result column="username"            property="identifier"         jdbcType="VARCHAR"/>
+        <result column="entity_id"           property="entityID"           jdbcType="INTEGER"/>
+        <result column="name"                property="identifier"         jdbcType="VARCHAR"/>
        <result column="password_hash"       property="passwordHash"       jdbcType="BINARY"/>
        <result column="password_salt"       property="passwordSalt"       jdbcType="BINARY"/>
        <result column="password_date"       property="passwordDate"       jdbcType="TIMESTAMP"/>
@@ -57,17 +58,24 @@

    <!-- Select all usernames -->
    <select id="selectIdentifiers" resultType="string">
-        SELECT username
-        FROM [guacamole_user]
+        SELECT name
+        FROM [guacamole_entity]
+        WHERE [guacamole_entity].type = 'USER'
    </select>

    <!-- Select usernames of all readable users -->
    <select id="selectReadableIdentifiers" resultType="string">
-        SELECT username
+        SELECT [guacamole_entity].name
        FROM [guacamole_user]
+        JOIN [guacamole_entity] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
        JOIN [guacamole_user_permission] ON affected_user_id = [guacamole_user].user_id
        WHERE
-            [guacamole_user_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_permission].entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
+            AND [guacamole_entity].type = 'USER'
            AND permission = 'READ'
    </select>

@@ -77,7 +85,8 @@

        SELECT
            [guacamole_user].user_id,
-            [guacamole_user].username,
+            [guacamole_entity].entity_id,
+            [guacamole_entity].name,
            password_hash,
            password_salt,
            password_date,
@@ -98,11 +107,13 @@
                WHERE [guacamole_user_history].user_id = [guacamole_user].user_id
            ) AS last_active
        FROM [guacamole_user]
-        WHERE [guacamole_user].username IN
+        JOIN [guacamole_entity] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
+        WHERE [guacamole_entity].name IN
            <foreach collection="identifiers" item="identifier"
                     open="(" separator="," close=")">
                #{identifier,jdbcType=VARCHAR}
-            </foreach>;
+            </foreach>
+            AND [guacamole_entity].type = 'USER';

        SELECT
            [guacamole_user_attribute].user_id,
@@ -110,11 +121,13 @@
            [guacamole_user_attribute].attribute_value
        FROM [guacamole_user_attribute]
        JOIN [guacamole_user] ON [guacamole_user].user_id = [guacamole_user_attribute].user_id
-        WHERE username IN
+        JOIN [guacamole_entity] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
+        WHERE [guacamole_entity].name IN
            <foreach collection="identifiers" item="identifier"
                     open="(" separator="," close=")">
-                #{identifier,jdbcType=INTEGER}
-            </foreach>;
+                #{identifier,jdbcType=VARCHAR}
+            </foreach>
+            AND [guacamole_entity].type = 'USER';

    </select>

@@ -124,7 +137,8 @@

        SELECT
            [guacamole_user].user_id,
-            [guacamole_user].username,
+            [guacamole_entity].entity_id,
+            [guacamole_entity].name,
            password_hash,
            password_salt,
            password_date,
@@ -145,13 +159,19 @@
                WHERE [guacamole_user_history].user_id = [guacamole_user].user_id
            ) AS last_active
        FROM [guacamole_user]
+        JOIN [guacamole_entity] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
        JOIN [guacamole_user_permission] ON affected_user_id = [guacamole_user].user_id
-        WHERE [guacamole_user].username IN
+        WHERE [guacamole_entity].name IN
            <foreach collection="identifiers" item="identifier"
                     open="(" separator="," close=")">
                #{identifier,jdbcType=VARCHAR}
            </foreach>
-            AND [guacamole_user_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+            AND [guacamole_entity].type = 'USER'
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_permission].entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
            AND permission = 'READ';

        SELECT
@@ -160,13 +180,19 @@
            [guacamole_user_attribute].attribute_value
        FROM [guacamole_user_attribute]
        JOIN [guacamole_user] ON [guacamole_user].user_id = [guacamole_user_attribute].user_id
+        JOIN [guacamole_entity] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
        JOIN [guacamole_user_permission] ON affected_user_id = [guacamole_user].user_id
-        WHERE username IN
+        WHERE [guacamole_entity].name IN
            <foreach collection="identifiers" item="identifier"
                     open="(" separator="," close=")">
-                #{identifier,jdbcType=INTEGER}
+                #{identifier,jdbcType=VARCHAR}
            </foreach>
-            AND [guacamole_user_permission].user_id = #{user.objectID,jdbcType=INTEGER}
+            AND [guacamole_entity].type = 'USER'
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_permission].entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
            AND permission = 'READ';

    </select>
@@ -176,8 +202,9 @@
            resultSets="users,arbitraryAttributes">

        SELECT
-            user_id,
-            username,
+            [guacamole_user].user_id,
+            [guacamole_entity].entity_id,
+            [guacamole_entity].name,
            password_hash,
            password_salt,
            password_date,
@@ -198,8 +225,10 @@
                WHERE [guacamole_user_history].user_id = [guacamole_user].user_id
            ) AS last_active
        FROM [guacamole_user]
+        JOIN [guacamole_entity] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
        WHERE
-            [guacamole_user].username = #{username,jdbcType=VARCHAR};
+            [guacamole_entity].name = #{username,jdbcType=VARCHAR}
+            AND [guacamole_entity].type = 'USER';

        SELECT
            [guacamole_user_attribute].user_id,
@@ -207,14 +236,19 @@
            [guacamole_user_attribute].attribute_value
        FROM [guacamole_user_attribute]
        JOIN [guacamole_user] ON [guacamole_user].user_id = [guacamole_user_attribute].user_id
-        WHERE username = #{username,jdbcType=VARCHAR};
+        JOIN [guacamole_entity] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
+        WHERE
+            [guacamole_entity].name = #{username,jdbcType=VARCHAR}
+            AND [guacamole_entity].type = 'USER'

    </select>

    <!-- Delete single user by username -->
    <delete id="delete">
-        DELETE FROM [guacamole_user]
-        WHERE username = #{identifier,jdbcType=VARCHAR}
+        DELETE FROM [guacamole_entity]
+        WHERE
+            name = #{identifier,jdbcType=VARCHAR}
+            AND type = 'USER'
    </delete>

    <!-- Insert single user -->
@@ -222,7 +256,7 @@
            parameterType="org.apache.guacamole.auth.jdbc.user.UserModel">

        INSERT INTO [guacamole_user] (
-            username,
+            entity_id,
            password_hash,
            password_salt,
            password_date,
@@ -239,7 +273,7 @@
            organizational_role
        )
        VALUES (
-            #{object.identifier,jdbcType=VARCHAR},
+            #{object.entityID,jdbcType=VARCHAR},
            #{object.passwordHash,jdbcType=BINARY},
            #{object.passwordSalt,jdbcType=BINARY},
            #{object.passwordDate,jdbcType=TIMESTAMP},
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/user/UserParentUserGroupMapper.xml
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/user/UserParentUserGroupMapper.xml
@@ -0,0 +1,96 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
+    "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
+
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+
+<mapper namespace="org.apache.guacamole.auth.jdbc.user.UserParentUserGroupMapper" >
+
+    <!-- Select the names of all parent user groups -->
+    <select id="selectChildIdentifiers" resultType="string">
+        SELECT name
+        FROM [guacamole_user_group_member]
+        JOIN [guacamole_user_group] ON [guacamole_user_group_member].user_group_id = [guacamole_user_group].user_group_id
+        JOIN [guacamole_entity] ON [guacamole_entity].entity_id = [guacamole_user_group].entity_id
+        WHERE
+            [guacamole_user_group_member].member_entity_id = #{parent.entityID,jdbcType=INTEGER}
+            AND [guacamole_entity].type = 'USER_GROUP'
+    </select>
+
+    <!-- Select the names of all readable parent user groups -->
+    <select id="selectReadableChildIdentifiers" resultType="string">
+        SELECT [guacamole_entity].name
+        FROM [guacamole_user_group_member]
+        JOIN [guacamole_user_group] ON [guacamole_user_group_member].user_group_id = [guacamole_user_group].user_group_id
+        JOIN [guacamole_entity] ON [guacamole_entity].entity_id = [guacamole_user_group].entity_id
+        JOIN [guacamole_user_group_permission] ON affected_user_group_id = [guacamole_user_group].user_group_id
+        WHERE
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_group_permission].entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
+            AND [guacamole_user_group_member].member_entity_id = #{parent.entityID,jdbcType=INTEGER}
+            AND [guacamole_entity].type = 'USER_GROUP'
+            AND permission = 'READ'
+    </select>
+
+    <!-- Delete parent groups by name -->
+    <delete id="delete">
+        DELETE [guacamole_user_group_member]
+        FROM [guacamole_user_group_member]
+        JOIN [guacamole_user_group] ON [guacamole_user_group].user_group_id = [guacamole_user_group_member].user_group_id
+        JOIN [guacamole_entity] ON [guacamole_entity].entity_id = [guacamole_user_group].entity_id
+        WHERE
+            member_entity_id = #{parent.entityID,jdbcType=INTEGER}
+            AND [guacamole_entity].type = 'USER_GROUP'
+            AND [guacamole_entity].name IN
+                <foreach collection="children" item="identifier"
+                         open="(" separator="," close=")">
+                    #{identifier,jdbcType=VARCHAR}
+                </foreach>
+    </delete>
+
+    <!-- Insert parent groups by name -->
+    <insert id="insert">
+        INSERT INTO [guacamole_user_group_member] (
+            user_group_id,
+            member_entity_id
+        )
+        SELECT DISTINCT
+            [guacamole_user_group].user_group_id,
+            #{parent.entityID,jdbcType=INTEGER}
+        FROM [guacamole_user_group]
+        JOIN [guacamole_entity] ON [guacamole_user_group].entity_id = [guacamole_entity].entity_id
+        WHERE
+            [guacamole_entity].name IN
+                <foreach collection="children" item="identifier"
+                         open="(" separator="," close=")">
+                    #{identifier,jdbcType=VARCHAR}
+                </foreach>
+            AND [guacamole_entity].type = 'USER_GROUP'
+            AND [guacamole_user_group].user_group_id NOT IN (
+                SELECT [guacamole_user_group_member].user_group_id
+                FROM [guacamole_user_group_member]
+                WHERE [guacamole_user_group_member].member_entity_id = #{parent.entityID,jdbcType=INTEGER}
+            )
+    </insert>
+
+</mapper>
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/user/UserRecordMapper.xml
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/user/UserRecordMapper.xml
@@ -44,8 +44,9 @@
            [guacamole_user_history].end_date
        FROM [guacamole_user_history]
        JOIN [guacamole_user] ON [guacamole_user_history].user_id = [guacamole_user].user_id
+        JOIN [guacamole_entity] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
        WHERE
-            [guacamole_user].username = #{username,jdbcType=VARCHAR}
+            [guacamole_entity].name = #{username,jdbcType=VARCHAR}
        ORDER BY
            [guacamole_user_history].start_date DESC,
            [guacamole_user_history].end_date DESC
@@ -66,7 +67,10 @@
        VALUES (
            #{record.remoteHost,jdbcType=VARCHAR},
            (SELECT user_id FROM [guacamole_user]
-             WHERE username = #{record.username,jdbcType=VARCHAR}),
+             JOIN [guacamole_entity] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
+             WHERE
+                   [guacamole_entity].name = #{record.username,jdbcType=VARCHAR}
+               AND [guacamole_entity].type = 'USER'),
            #{record.username,jdbcType=VARCHAR},
            #{record.startDate,jdbcType=TIMESTAMP},
            #{record.endDate,jdbcType=TIMESTAMP}
@@ -79,7 +83,10 @@
        UPDATE [guacamole_user_history]
        SET remote_host = #{record.remoteHost,jdbcType=VARCHAR},
            user_id     = (SELECT user_id FROM [guacamole_user]
-                           WHERE username = #{record.username,jdbcType=VARCHAR}),
+                           JOIN [guacamole_entity] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
+                           WHERE
+                                   [guacamole_entity].name = #{record.username,jdbcType=VARCHAR}
+                               AND [guacamole_entity].type = 'USER'),
            username    = #{record.username,jdbcType=VARCHAR},
            start_date  = #{record.startDate,jdbcType=TIMESTAMP},
            end_date    = #{record.endDate,jdbcType=TIMESTAMP}
@@ -105,7 +112,10 @@
                [guacamole_user_history].user_id IN (
                    SELECT user_id
                    FROM [guacamole_user]
-                    WHERE POSITION(#{term.term,jdbcType=VARCHAR} IN username) > 0
+                    JOIN [guacamole_entity] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
+                    WHERE
+                            POSITION(#{term.term,jdbcType=VARCHAR} IN [guacamole_entity].name) > 0
+                        AND [guacamole_entity].type = 'USER'),
                )

                <if test="term.startDate != null and term.endDate != null">
@@ -144,7 +154,11 @@
        <!-- Restrict to readable users -->
        JOIN [guacamole_user_permission] ON
                [guacamole_user_history].user_id       = [guacamole_user_permission].affected_user_id
-            AND [guacamole_user_permission].user_id    = #{user.objectID,jdbcType=INTEGER}
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_permission].entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
            AND [guacamole_user_permission].permission = 'READ'

        <!-- Search terms -->
@@ -155,7 +169,10 @@
                [guacamole_user_history].user_id IN (
                    SELECT user_id
                    FROM [guacamole_user]
-                    WHERE POSITION(#{term.term,jdbcType=VARCHAR} IN username) > 0
+                    JOIN [guacamole_entity] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
+                    WHERE
+                            POSITION(#{term.term,jdbcType=VARCHAR} IN [guacamole_entity].name) > 0
+                        AND [guacamole_entity].type = 'USER'
                )

                <if test="term.startDate != null and term.endDate != null">
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/usergroup/UserGroupMapper.xml
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/usergroup/UserGroupMapper.xml
@@ -0,0 +1,229 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
+    "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
+
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+
+<mapper namespace="org.apache.guacamole.auth.jdbc.usergroup.UserGroupMapper" >
+
+    <!-- Result mapper for user group objects -->
+    <resultMap id="UserGroupResultMap" type="org.apache.guacamole.auth.jdbc.usergroup.UserGroupModel" >
+
+        <!-- User group properties -->
+        <id     column="user_group_id" property="objectID"   jdbcType="INTEGER"/>
+        <result column="entity_id"     property="entityID"   jdbcType="INTEGER"/>
+        <result column="name"          property="identifier" jdbcType="VARCHAR"/>
+        <result column="disabled"      property="disabled"   jdbcType="BOOLEAN"/>
+
+        <!-- Arbitrary attributes -->
+        <collection property="arbitraryAttributes" resultSet="arbitraryAttributes"
+                    ofType="org.apache.guacamole.auth.jdbc.base.ArbitraryAttributeModel"
+                    column="user_group_id" foreignColumn="user_group_id">
+            <result property="name"     column="attribute_name"  jdbcType="VARCHAR"/>
+            <result property="value"    column="attribute_value" jdbcType="VARCHAR"/>
+        </collection>
+
+    </resultMap>
+
+    <!-- Select all group names -->
+    <select id="selectIdentifiers" resultType="string">
+        SELECT name
+        FROM [guacamole_entity]
+        WHERE [guacamole_entity].type = 'USER_GROUP'
+    </select>
+
+    <!-- Select names of all readable groups -->
+    <select id="selectReadableIdentifiers" resultType="string">
+        SELECT [guacamole_entity].name
+        FROM [guacamole_user_group]
+        JOIN [guacamole_entity] ON [guacamole_user_group].entity_id = [guacamole_entity].entity_id
+        JOIN [guacamole_user_group_permission] ON affected_user_group_id = [guacamole_user_group].user_group_id
+        WHERE
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_group_permission].entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
+            AND [guacamole_entity].type = 'USER_GROUP'
+            AND permission = 'READ'
+    </select>
+
+    <!-- Select multiple groups by name -->
+    <select id="select" resultMap="UserGroupResultMap"
+            resultSets="users,arbitraryAttributes">
+
+        SELECT
+            [guacamole_user_group].user_group_id,
+            [guacamole_entity].entity_id,
+            [guacamole_entity].name,
+            disabled
+        FROM [guacamole_user_group]
+        JOIN [guacamole_entity] ON [guacamole_user_group].entity_id = [guacamole_entity].entity_id
+        WHERE [guacamole_entity].name IN
+            <foreach collection="identifiers" item="identifier"
+                     open="(" separator="," close=")">
+                #{identifier,jdbcType=VARCHAR}
+            </foreach>
+            AND [guacamole_entity].type = 'USER_GROUP';
+
+        SELECT
+            [guacamole_user_group_attribute].user_group_id,
+            [guacamole_user_group_attribute].attribute_name,
+            [guacamole_user_group_attribute].attribute_value
+        FROM [guacamole_user_group_attribute]
+        JOIN [guacamole_user_group] ON [guacamole_user_group].user_group_id = [guacamole_user_group_attribute].user_group_id
+        JOIN [guacamole_entity] ON [guacamole_user_group].entity_id = [guacamole_entity].entity_id
+        WHERE [guacamole_entity].name IN
+            <foreach collection="identifiers" item="identifier"
+                     open="(" separator="," close=")">
+                #{identifier,jdbcType=VARCHAR}
+            </foreach>
+            AND [guacamole_entity].type = 'USER_GROUP';
+
+    </select>
+
+    <!-- Select multiple groups by name only if readable -->
+    <select id="selectReadable" resultMap="UserGroupResultMap"
+            resultSets="users,arbitraryAttributes">
+
+        SELECT
+            [guacamole_user_group].user_group_id,
+            [guacamole_entity].entity_id,
+            [guacamole_entity].name,
+            disabled
+        FROM [guacamole_user_group]
+        JOIN [guacamole_entity] ON [guacamole_user_group].entity_id = [guacamole_entity].entity_id
+        JOIN [guacamole_user_group_permission] ON affected_user_group_id = [guacamole_user_group].user_group_id
+        WHERE [guacamole_entity].name IN
+            <foreach collection="identifiers" item="identifier"
+                     open="(" separator="," close=")">
+                #{identifier,jdbcType=VARCHAR}
+            </foreach>
+            AND [guacamole_entity].type = 'USER_GROUP'
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_group_permission].entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
+            AND permission = 'READ';
+
+        SELECT
+            [guacamole_user_group_attribute].user_group_id,
+            [guacamole_user_group_attribute].attribute_name,
+            [guacamole_user_group_attribute].attribute_value
+        FROM [guacamole_user_group_attribute]
+        JOIN [guacamole_user_group] ON [guacamole_user_group].user_group_id = [guacamole_user_group_attribute].user_group_id
+        JOIN [guacamole_entity] ON [guacamole_user_group].entity_id = [guacamole_entity].entity_id
+        JOIN [guacamole_user_group_permission] ON affected_user_group_id = [guacamole_user_group].user_group_id
+        WHERE [guacamole_entity].name IN
+            <foreach collection="identifiers" item="identifier"
+                     open="(" separator="," close=")">
+                #{identifier,jdbcType=VARCHAR}
+            </foreach>
+            AND [guacamole_entity].type = 'USER_GROUP'
+            AND <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_group_permission].entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
+            AND permission = 'READ';
+
+    </select>
+
+    <!-- Select single group by name -->
+    <select id="selectOne" resultMap="UserGroupResultMap"
+            resultSets="users,arbitraryAttributes">
+
+        SELECT
+            [guacamole_user_group].user_group_id,
+            [guacamole_entity].entity_id,
+            [guacamole_entity].name,
+            disabled
+        FROM [guacamole_user_group]
+        JOIN [guacamole_entity] ON [guacamole_user_group].entity_id = [guacamole_entity].entity_id
+        WHERE
+            [guacamole_entity].name = #{name,jdbcType=VARCHAR}
+            AND [guacamole_entity].type = 'USER_GROUP';
+
+        SELECT
+            [guacamole_user_group_attribute].user_group_id,
+            [guacamole_user_group_attribute].attribute_name,
+            [guacamole_user_group_attribute].attribute_value
+        FROM [guacamole_user_group_attribute]
+        JOIN [guacamole_user_group] ON [guacamole_user_group].user_group_id = [guacamole_user_group_attribute].user_group_id
+        JOIN [guacamole_entity] ON [guacamole_user_group].entity_id = [guacamole_entity].entity_id
+        WHERE
+            [guacamole_entity].name = #{name,jdbcType=VARCHAR}
+            AND [guacamole_entity].type = 'USER_GROUP'
+
+    </select>
+
+    <!-- Delete single group by name -->
+    <delete id="delete">
+        DELETE FROM [guacamole_entity]
+        WHERE
+            name = #{identifier,jdbcType=VARCHAR}
+            AND type = 'USER_GROUP'
+    </delete>
+
+    <!-- Insert single group -->
+    <insert id="insert" useGeneratedKeys="true" keyProperty="object.objectID"
+            parameterType="org.apache.guacamole.auth.jdbc.usergroup.UserGroupModel">
+
+        INSERT INTO [guacamole_user_group] (
+            entity_id,
+            disabled
+        )
+        VALUES (
+            #{object.entityID,jdbcType=VARCHAR},
+            #{object.disabled,jdbcType=BOOLEAN}
+        )
+
+    </insert>
+
+    <!-- Update single group -->
+    <update id="update" parameterType="org.apache.guacamole.auth.jdbc.usergroup.UserGroupModel">
+        UPDATE [guacamole_user_group]
+        SET disabled = #{object.disabled,jdbcType=BOOLEAN}
+        WHERE user_group_id = #{object.objectID,jdbcType=VARCHAR}
+    </update>
+
+    <!-- Delete attributes associated with group -->
+    <delete id="deleteAttributes">
+        DELETE FROM [guacamole_user_group_attribute]
+        WHERE user_group_id = #{object.objectID,jdbcType=INTEGER}
+    </delete>
+
+    <!-- Insert attributes for group -->
+    <insert id="insertAttributes" parameterType="org.apache.guacamole.auth.jdbc.base.ArbitraryAttributeModel">
+        INSERT INTO [guacamole_user_group_attribute] (
+            user_group_id,
+            attribute_name,
+            attribute_value
+        )
+        VALUES
+            <foreach collection="object.arbitraryAttributes" item="attribute" separator=",">
+                (#{object.objectID,jdbcType=INTEGER},
+                 #{attribute.name,jdbcType=VARCHAR},
+                 #{attribute.value,jdbcType=VARCHAR})
+            </foreach>
+    </insert>
+
+</mapper>
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/usergroup/UserGroupMemberUserGroupMapper.xml
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/usergroup/UserGroupMemberUserGroupMapper.xml
@@ -0,0 +1,93 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
+    "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
+
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+
+<mapper namespace="org.apache.guacamole.auth.jdbc.usergroup.UserGroupMemberUserGroupMapper" >
+
+    <!-- Select the names of all member user groups -->
+    <select id="selectChildIdentifiers" resultType="string">
+        SELECT name
+        FROM [guacamole_user_group_member]
+        JOIN [guacamole_entity] ON [guacamole_entity].entity_id = [guacamole_user_group_member].member_entity_id
+        WHERE
+            [guacamole_user_group_member].user_group_id = #{parent.objectID,jdbcType=INTEGER}
+            AND [guacamole_entity].type = 'USER_GROUP'
+    </select>
+
+    <!-- Select the names of all readable member user groups -->
+    <select id="selectReadableChildIdentifiers" resultType="string">
+        SELECT [guacamole_entity].name
+        FROM [guacamole_user_group_member]
+        JOIN [guacamole_entity] ON [guacamole_entity].entity_id = [guacamole_user_group_member].member_entity_id
+        JOIN [guacamole_user_group] ON [guacamole_user_group].entity_id = [guacamole_entity].entity_id
+        JOIN [guacamole_user_group_permission] ON affected_user_group_id = [guacamole_user_group].user_group_id
+        WHERE
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_group_permission].entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
+            AND [guacamole_user_group_member].user_group_id = #{parent.objectID,jdbcType=INTEGER}
+            AND [guacamole_entity].type = 'USER_GROUP'
+            AND permission = 'READ'
+    </select>
+
+    <!-- Delete member groups by name -->
+    <delete id="delete">
+        DELETE [guacamole_user_group_member]
+        FROM [guacamole_user_group_member]
+        JOIN [guacamole_entity] ON [guacamole_entity].entity_id = member_entity_id
+        WHERE
+            user_group_id = #{parent.objectID,jdbcType=INTEGER}
+            AND [guacamole_entity].type = 'USER_GROUP'
+            AND [guacamole_entity].name IN
+                <foreach collection="children" item="identifier"
+                         open="(" separator="," close=")">
+                    #{identifier,jdbcType=VARCHAR}
+                </foreach>
+    </delete>
+
+    <!-- Insert member groups by name -->
+    <insert id="insert">
+        INSERT INTO [guacamole_user_group_member] (
+            user_group_id,
+            member_entity_id
+        )
+        SELECT DISTINCT
+            #{parent.objectID,jdbcType=INTEGER},
+            [guacamole_entity].entity_id
+        FROM [guacamole_entity]
+        WHERE
+            [guacamole_entity].name IN
+                <foreach collection="children" item="identifier"
+                         open="(" separator="," close=")">
+                    #{identifier}
+                </foreach>
+            AND [guacamole_entity].type = 'USER_GROUP'
+            AND [guacamole_entity].entity_id NOT IN (
+                SELECT [guacamole_user_group_member].member_entity_id
+                FROM [guacamole_user_group_member]
+                WHERE [guacamole_user_group_member].user_group_id = #{parent.objectID,jdbcType=INTEGER}
+            )
+    </insert>
+
+</mapper>
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/usergroup/UserGroupMemberUserMapper.xml
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/usergroup/UserGroupMemberUserMapper.xml
@@ -0,0 +1,93 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
+    "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
+
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+
+<mapper namespace="org.apache.guacamole.auth.jdbc.usergroup.UserGroupMemberUserMapper" >
+
+    <!-- Select the username of all member users -->
+    <select id="selectChildIdentifiers" resultType="string">
+        SELECT name
+        FROM [guacamole_user_group_member]
+        JOIN [guacamole_entity] ON [guacamole_entity].entity_id = [guacamole_user_group_member].member_entity_id
+        WHERE
+            [guacamole_user_group_member].user_group_id = #{parent.objectID,jdbcType=INTEGER}
+            AND [guacamole_entity].type = 'USER'
+    </select>
+
+    <!-- Select the usernames of all readable member users -->
+    <select id="selectReadableChildIdentifiers" resultType="string">
+        SELECT [guacamole_entity].name
+        FROM [guacamole_user_group_member]
+        JOIN [guacamole_entity] ON [guacamole_entity].entity_id = [guacamole_user_group_member].member_entity_id
+        JOIN [guacamole_user] ON [guacamole_user].entity_id = [guacamole_entity].entity_id
+        JOIN [guacamole_user_permission] ON affected_user_id = [guacamole_user].user_id
+        WHERE
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_permission].entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
+            AND [guacamole_user_group_member].user_group_id = #{parent.objectID,jdbcType=INTEGER}
+            AND [guacamole_entity].type = 'USER'
+            AND permission = 'READ'
+    </select>
+
+    <!-- Delete member users by name -->
+    <delete id="delete">
+        DELETE [guacamole_user_group_member]
+        FROM [guacamole_user_group_member]
+        JOIN [guacamole_entity] ON [guacamole_entity].entity_id = member_entity_id
+        WHERE
+            user_group_id = #{parent.objectID,jdbcType=INTEGER}
+            AND [guacamole_entity].type = 'USER'
+            AND [guacamole_entity].name IN
+                <foreach collection="children" item="identifier"
+                         open="(" separator="," close=")">
+                    #{identifier,jdbcType=VARCHAR}
+                </foreach>
+    </delete>
+
+    <!-- Insert member users by name -->
+    <insert id="insert">
+        INSERT INTO [guacamole_user_group_member] (
+            user_group_id,
+            member_entity_id
+        )
+        SELECT DISTINCT
+            #{parent.objectID,jdbcType=INTEGER},
+            [guacamole_entity].entity_id
+        FROM [guacamole_entity]
+        WHERE
+            [guacamole_entity].name IN
+                <foreach collection="children" item="identifier"
+                         open="(" separator="," close=")">
+                    #{identifier}
+                </foreach>
+            AND [guacamole_entity].type = 'USER'
+            AND [guacamole_entity].entity_id NOT IN (
+                SELECT [guacamole_user_group_member].member_entity_id
+                FROM [guacamole_user_group_member]
+                WHERE [guacamole_user_group_member].user_group_id = #{parent.objectID,jdbcType=INTEGER}
+            )
+    </insert>
+
+</mapper>
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/usergroup/UserGroupParentUserGroupMapper.xml
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/usergroup/UserGroupParentUserGroupMapper.xml
@@ -0,0 +1,96 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
+    "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
+
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+
+<mapper namespace="org.apache.guacamole.auth.jdbc.usergroup.UserGroupParentUserGroupMapper" >
+
+    <!-- Select the names of all parent user groups -->
+    <select id="selectChildIdentifiers" resultType="string">
+        SELECT name
+        FROM [guacamole_user_group_member]
+        JOIN [guacamole_user_group] ON [guacamole_user_group_member].user_group_id = [guacamole_user_group].user_group_id
+        JOIN [guacamole_entity] ON [guacamole_entity].entity_id = [guacamole_user_group].entity_id
+        WHERE
+            [guacamole_user_group_member].member_entity_id = #{parent.entityID,jdbcType=INTEGER}
+            AND [guacamole_entity].type = 'USER_GROUP'
+    </select>
+
+    <!-- Select the names of all readable parent user groups -->
+    <select id="selectReadableChildIdentifiers" resultType="string">
+        SELECT [guacamole_entity].name
+        FROM [guacamole_user_group_member]
+        JOIN [guacamole_user_group] ON [guacamole_user_group_member].user_group_id = [guacamole_user_group].user_group_id
+        JOIN [guacamole_entity] ON [guacamole_entity].entity_id = [guacamole_user_group].entity_id
+        JOIN [guacamole_user_group_permission] ON affected_user_group_id = [guacamole_user_group].user_group_id
+        WHERE
+            <include refid="org.apache.guacamole.auth.jdbc.base.EntityMapper.isRelatedEntity">
+                <property name="column"   value="[guacamole_user_group_permission].entity_id"/>
+                <property name="entityID" value="#{user.entityID,jdbcType=INTEGER}"/>
+                <property name="groups"   value="effectiveGroups"/>
+            </include>
+            AND [guacamole_user_group_member].member_entity_id = #{parent.entityID,jdbcType=INTEGER}
+            AND [guacamole_entity].type = 'USER_GROUP'
+            AND permission = 'READ'
+    </select>
+
+    <!-- Delete parent groups by name -->
+    <delete id="delete">
+        DELETE [guacamole_user_group_member]
+        FROM [guacamole_user_group_member]
+        JOIN [guacamole_user_group] ON [guacamole_user_group].user_group_id = [guacamole_user_group_member].user_group_id
+        JOIN [guacamole_entity] ON [guacamole_entity].entity_id = [guacamole_user_group].entity_id
+        WHERE
+            member_entity_id = #{parent.entityID,jdbcType=INTEGER}
+            AND [guacamole_entity].type = 'USER_GROUP'
+            AND [guacamole_entity].name IN
+                <foreach collection="children" item="identifier"
+                         open="(" separator="," close=")">
+                    #{identifier,jdbcType=VARCHAR}
+                </foreach>
+    </delete>
+
+    <!-- Insert parent groups by name -->
+    <insert id="insert">
+        INSERT INTO [guacamole_user_group_member] (
+            user_group_id,
+            member_entity_id
+        )
+        SELECT DISTINCT
+            [guacamole_user_group].user_group_id,
+            #{parent.entityID,jdbcType=INTEGER}
+        FROM [guacamole_user_group]
+        JOIN [guacamole_entity] ON [guacamole_user_group].entity_id = [guacamole_entity].entity_id
+        WHERE
+            [guacamole_entity].name IN
+                <foreach collection="children" item="identifier"
+                         open="(" separator="," close=")">
+                    #{identifier,jdbcType=VARCHAR}
+                </foreach>
+            AND [guacamole_entity].type = 'USER_GROUP'
+            AND [guacamole_user_group].user_group_id NOT IN (
+                SELECT [guacamole_user_group_member].user_group_id
+                FROM [guacamole_user_group_member]
+                WHERE [guacamole_user_group_member].member_entity_id = #{parent.entityID,jdbcType=INTEGER}
+            )
+    </insert>
+
+</mapper>