Advanced User / Group Topics
Command-Line Interface
Posit Connect includes a usermanager
CLI tool for some basic user management tasks. Some examples of what can be done with it are:
List users and modify their attributes. (This can be helpful in the event that no one can access a Connect administrative user account.)
Transfer ownership of content and groups between users as well as memberships to groups, permissions to content, content subscriptions and, under certain circumstances, even API keys
Remove users that are not owners of any content or groups in Posit Connect
Adjust the Unique IDs of users. (Useful when identification has been modified in the configured authentication provider or after switching between providers.)
See the User Management CLI appendix for more information on using the usermanager
CLI to manage users.
Publisher Ownership of Groups
In older releases of Posit Connect, publishers were allowed to create groups. Unfortunately, many customers found that doing this without the proper consent of an administrator made it difficult to holistically manage access to content. As such, by default, publishers are no longer allowed to create groups.
The following should be noted about this change.
Any groups created, and therefore owned, by publishers in an older release of Posit Connect will still be owned by the same user.
Publishers will still be able to add members to or remove members from the groups they own.
Publishers will still be able to delete groups that they own.
Publishers will not be able to create any new groups going forward.
Publishers will still be able to remove themselves from groups they don’t own. This also applies to viewers.
If there is a reason that publishers should be allowed to create groups (i.e., to restore the legacy behavior), set the Authorization.PublishersCanOwnGroups
configuration option to true
.
If you do enable Authorization.PublishersCanOwnGroups
, you should also consider whether to allow users provisioned by publishers, as detailed below.
Administrators can take control over existing groups using the alter
command of the usermanager
CLI tool.
Users Provisioned By Publishers
In older releases of Posit Connect, publishers were allowed to add users from a remote system, such as Active Directory or LDAP. Many customers found that doing this without the proper consent of an administrator made it difficult to holistically limit the number of Connect user accounts or to manage access to content. As such, by default, publishers are no longer allowed to add users.
If there is a reason that publishers should be allowed to add other users (i.e., to restore the legacy behavior), set the Authorization.PublishersCanAddUsers
configuration option to true
.
If you do enable Authorization.PublishersCanAddUsers
, you should also consider whether to allow publisher ownership of groups, as detailed above.
Credentials For Content
Posit Connect can report users and groups identities to content via the HTTP headers Shiny-Server-Credentials
and RStudio-Connect-Credentials
in different ways. Each one has a targeted use case.
Most Common: Names
By default, Posit Connect will report the username and the names of the groups that user is a member of in the content credentials.
This satisfies most common scenarios, and it should be the preferred option used when migrating applications from Shiny Server Pro.
In large organizations with hundreds of groups, it is possible to have users or groups duplicates, for example, from different sub-departments with same name or users with the same first initial and same last name. Please be sure to consult your IT department to confirm whether this condition is possible in your environment. If so, consider using one of the alternatives below.
Uniqueness and Leverage the Connect Server API: Using Posit Connect GUIDs
Posit Connect can report the public GUIDs for users and groups with the option Authorization.ContentCredentialsUseGUID
. Not only are these values guaranteed to be unique and permanent, but they can also be leveraged to query for additional information about users and groups using the Connect Server API.
External Resources and Uniqueness: Using Distinguished Names (DNs)
This option is only available when using LDAP/AD authentication.
Posit Connect can report users’ and groups’ DNs when the option Authorization.ContentCredentialsUseDN
is enabled.
This option can be used if content running in Connect requires DNs in order to identify users in external resources or to access LDAP/AD directly for more specific queries.
Beware that differently from GUIDs, DNs may not be permanent in LDAP/AD and might change over time.