Jump to content
Welcome to our new Citrix community!
  • 0

Application Groups best practices


Carlos Pacheco1709161285

Question

Hi,

 

I inherited an environment where there was a mix of application permissions:

some directly added to the apps, some with permissions to the delivery groups and others permissions to application groups.

 

I am trying to simplify as it is very confusing. The challenge is that I have application group(s) and applications within the group with their own set of permissions.

For instance,

 

Application Group Office - Permission AD group "IT-users"

Word inside the application group - Permission AD group "Helpdesk basic"

Excel inside the application group - Permission AD group "Helpdesk powerusers"

 

I don't want to specify permissions on each App.

I am trying to get away from all of this and simply create an application group for each application if necessary. That way I can control all permissions on the Application group.

 

Is this best practice?

Link to comment

3 answers to this question

Recommended Posts

  • 0

I don't see anything wrong with your example.  These permissions are there to give you the micro control over what your end user sees. 

 

If these permissions don't align with your business requirements, then you could change them.  You don't *HAVE* to assign permissions in both locations.  If I were to interpret your business requirements from your example above, I'd say:

 

  • You want to grant Office to your IT Users.
    • The Helpdesk Basic users should only see an icon for Word.  
    • The Helpdesk powerusers should only see an icon Excel
    • Both 'basic users' and 'power users' are also a member of IT-Users (if not, then these permissions are pointless)

You have to keep in mind that these are just icons.  This will not stop either group from actually running word or excel once they're on the server.

 

 

 

 

Link to comment
  • 0
4 minutes ago, Joe Robinson said:

I don't see anything wrong with your example.  These permissions are there to give you the micro control over what your end user sees. 

 

If these permissions don't align with your business requirements, then you could change them.  You don't *HAVE* to assign permissions in both locations.  If I were to interpret your business requirements from your example above, I'd say:

 

  • You want to grant Office to your IT Users.
    • The Helpdesk Basic users should only see an icon for Word.  
    • The Helpdesk powerusers should only see an icon Excel
    • Both 'basic users' and 'power users' are also a member of IT-Users (if not, then these permissions are pointless)

You have to keep in mind that these are just icons.  This will not stop either group from actually running word or excel once they're on the server.

 

 

 

 

thanks for the reply, so you dont see a need to create individual application groups for Helpdesk basic users and another for Helpdesk powerusers? the idea is not to have application permissions on each application that way I can publish any of those apps to different application groups in the future.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...