Advanced User / Group Topics

Command-Line Interface

Posit Connect includes a usermanager CLI tool for some basic user management tasks. Some examples of what can be done with it are:

  • List users and modify their attributes. (This can be helpful in the event that no one can access a Connect administrative user account.)

  • Transfer ownership of content and groups between users as well as memberships to groups, permissions to content, content subscriptions and, under certain circumstances, even API keys

  • Remove users that are not owners of any content or groups in Posit Connect

  • Adjust the Unique IDs of users. (Useful when identification has been modified in the configured authentication provider or after switching between providers.)

See the User Management CLI appendix for more information on using the usermanager CLI to manage users.

Publisher Ownership of Groups

In older releases of Posit Connect, publishers were allowed to create groups. Unfortunately, many customers found that doing this without the proper consent of an administrator made it difficult to holistically manage access to content. As such, by default, publishers are no longer allowed to create groups.

The following should be noted about this change.

  • Any groups created, and therefore owned, by publishers in an older release of Posit Connect will still be owned by the same user.

  • Publishers will still be able to add members to or remove members from the groups they own.

  • Publishers will still be able to delete groups that they own.

  • Publishers will not be able to create any new groups going forward.

  • Publishers will still be able to remove themselves from groups they don’t own. This also applies to viewers.

If there is a reason that publishers should be allowed to create groups (i.e., to restore the legacy behavior), set the Authorization.PublishersCanOwnGroups configuration option to true.

Tip

If you do enable Authorization.PublishersCanOwnGroups, you should also consider whether to allow users provisioned by publishers, as detailed below.

Note

Administrators can take control over existing groups using the alter command of the usermanager CLI tool.

Users Provisioned By Publishers

In older releases of Posit Connect, publishers were allowed to add users from a remote system, such as Active Directory or LDAP. Many customers found that doing this without the proper consent of an administrator made it difficult to holistically limit the number of licensed users or to manage access to content. As such, by default, publishers are no longer allowed to add users.

If there is a reason that publishers should be allowed to add other users (i.e., to restore the legacy behavior), set the Authorization.PublishersCanAddUsers configuration option to true.

Tip

If you do enable Authorization.PublishersCanAddUsers, you should also consider whether to allow publisher ownership of groups, as detailed above.

Credentials For Content

Posit Connect can report users and groups identities to content via the HTTP headers Shiny-Server-Credentials and RStudio-Connect-Credentials in different ways. Each one has a targeted use case.

Most Common: Names

By default, Posit Connect will report the username and the names of the groups that user is a member of in the content credentials.

This satisfies most common scenarios, and it should be the preferred option used when migrating applications from Shiny Server Pro.

Important

In large organizations with hundreds of groups, it is possible to have users or groups duplicates, for example, from different sub-departments with same name or users with the same first initial and same last name. Please be sure to consult your IT department to confirm whether this condition is possible in your environment. If so, consider using one of the alternatives below.

Uniqueness and Leverage the Connect Server API: Using Posit Connect GUIDs

Posit Connect can report the public GUIDs for users and groups with the option Authorization.ContentCredentialsUseGUID. Not only are these values guaranteed to be unique and permanent, but they can also be leveraged to query for additional information about users and groups using the Connect Server API.

External Resources and Uniqueness: Using Distinguished Names (DNs)

Important

This option is only available when using LDAP/AD authentication.

Posit Connect can report users’ and groups’ DNs when the option Authorization.ContentCredentialsUseDN is enabled.

This option can be used if content running in Connect requires DNs in order to identify users in external resources or to access LDAP/AD directly for more specific queries.

Warning

Beware that differently from GUIDs, DNs may not be permanent in LDAP/AD and might change over time.