Publishers and Collaborators can use "groups" to associate multiple users to content as viewers or collaborators. This can often provide an easier alternative to maintaining a discrete list of users associated with each instance of published content.
By default, publishers can use the groups already available in Posit Connect, but they cannot themselves add new groups. If your use case requires publishers to have such privileges, please see the section on Publisher Ownership of Groups on the Advanced User / Group Topics appendix.
Depending upon the authentication provider that Posit Connect is configured to use, groups will either be managed locally (by Posit Connect) or managed remotely (by your authentication provider). The functionality available from within Posit Connect will change depending upon this relationship as well as the capabilities of the authentication provider.
Local Group Management#
An administrator in Posit Connect can use the dashboard, specifically the "People" tab to create groups and manage their members. Groups can also be managed via the Connect Server API. Group support is available for all authentication providers and enabled by default.
Local group support can be disabled with
Disabling this setting is not effective if groups are still present. Posit
Connect will issue a warning on startup and ignore this setting. In order to
use this setting all groups must be removed first.
Remote Group Management#
Posit Connect provides the ability to reference externally managed groups from some authentication providers. When these are configured, management of the remote groups remains the responsibility of the external authentication provider. While the Posit Connect dashboard may provide some convenience functionality, the remote authentication provider's interfaces should be used for most membership operations.
Within the Posit Connect dashboard (group section under "People" tab), references to the externally managed groups are configured by "adding" a group. Memberships for these referenced groups are locally synchronized in Posit Connect through several mechanisms:
Group memberships are updated on each and every successful login attempt.
Changes to group memberships are only detected if the user logs out and logs back in.
Group references not yet known by Posit Connect are created on each successful login attempt when
Automatic Group Provisioningis enabled for the auth provider.
Align LDAP Groups#
Posit Connect supports either locally managed groups or remotely managed groups for LDAP. Having a mix of both local and remote groups simultaneously is not supported.
To change your Posit Connect server from one group management mode to another, make the
configuration file change, then use the
usermanager CLI tool
align-ldap-groups command to review and resolve issues
with any group that does not belong to the new configuration.
align-ldap-groups tool can be used to bulk delete
groups from the old management mode, but it also provides information about the relationships
each group has to existing content items on the server. By evaluating each group interactively
with the tool, you can review the potential effect that removing or transferring an old group
would have on user access permissions before making a decision.
To configure remotely managed LDAP groups, the following attributes must be set correctly in your Posit Connect server configuration file:
If the attributes above are not appropriately configured, Posit Connect will target local groups mode instead of remote.