Nanocloud/nanocloud

Link users to applications

Closed this issue · 3 comments

=== Version ===

  • v2.1.0

=== Steps to reproduce ===

  • Before v2.1.0, it was possible to link a user with an application. It is not possible anymore with v2.1.0. Indeed, it is only possible to link a user with an image. If you want to deploy 4 applications and manage a group of users for each application, you'll need to create 4 different images, which implies 4 VMs always up (pool set to 1), which is not efficient.
  • Could it be possible to link a user to an image and then link it to several applications inside the image?

I expected the 420th issue to be a little bit high.

Regarding images, users, groups and applications, relationships are as follows:

  • Users belong to groups
  • Images belong to groups
  • Applications belong to images

To sum up, a group allows access to images for users.
Applications are part of images and access cannot be controlled on a per-application basis. This is because once you have access to an instance, you gain administrator access on the execution server; therefore access control on applications is not guaranteed anymore.

With that in mind, it would, however, be possible to select which applications are presented to the group's users for an image. Doing that will not guarantee isolation between applications but would solve the need to create 4 images.

With version 2.0, I thought we were accessing the instance using administrator access as well and it wasn't a problem to link applications to users.
Anyway, this problem is seen as a regression by our customer, which is why I first set the label to bug instead of enhancement.

2.0 indeed offered to set applications to groups, but there was a security concern as these applications were not properly isolated from each other.
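
The access model discussed in this thread, as an added example (not Nanocloud code and not written by any participant): it models users, groups, images and applications, plus the proposed per-group display filter, and shows that the filter changes what is listed, not what is reachable. All class, function and sample names are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Image:
    name: str
    applications: set[str]  # applications belong to images

@dataclass
class Group:
    name: str
    users: set[str] = field(default_factory=set)    # users belong to groups
    images: set[str] = field(default_factory=set)   # images belong to groups
    # Hypothetical display filter: image name -> applications listed in the UI
    presented: dict[str, set[str]] = field(default_factory=dict)

def accessible_images(user, groups):
    """Images a user may start: union over every group the user belongs to."""
    return {img for g in groups if user in g.users for img in g.images}

def presented_apps(user, image, groups):
    """Applications listed to the user for an image (presentation only)."""
    shown = set()
    for g in groups:
        if user in g.users and image.name in g.images:
            # No filter configured for this image means every application is listed.
            shown |= g.presented.get(image.name, image.applications) & image.applications
    return shown

def reachable_apps(user, image, groups):
    """Applications the user can actually run. Access to the image implies
    administrator access on the execution server, so it is all or nothing."""
    if image.name in accessible_images(user, groups):
        return set(image.applications)
    return set()

def hidden_but_reachable(user, image, groups):
    """Applications the filter hides but does not protect."""
    return reachable_apps(user, image, groups) - presented_apps(user, image, groups)

# Constructed sample data: one shared image instead of four separate ones.
OFFICE = Image("office-image", {"word", "excel", "erp", "crm"})
GROUPS = [
    Group("accounting", {"alice"}, {"office-image"}, {"office-image": {"excel", "erp"}}),
    Group("sales", {"bob"}, {"office-image"}, {"office-image": {"crm"}}),
    Group("interns", {"carol"}),  # no image assigned, so no access at all
]
```

A non-empty result from `hidden_but_reachable` is the gap the thread describes: when applications must be isolated from each other, the enforceable boundary is still one image per group.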