Group Management

Publishers and Collaborators can use “groups” to associate multiple users with content as viewers or collaborators. This is often easier than maintaining a discrete list of users for each instance of published content.

Important

By default, publishers can use the groups already available in Posit Connect, but they cannot themselves add new groups. If your use case requires publishers to have such privileges, please see the section on Publisher Ownership of Groups in the Advanced User / Group Topics appendix.

Depending upon the authentication provider that Posit Connect is configured to use, groups will either be managed locally (by Posit Connect) or managed remotely (by your authentication provider). The functionality available from within Posit Connect will change depending upon this relationship as well as the capabilities of the authentication provider.

Local Group Management

An administrator in Posit Connect can use the dashboard, specifically the “People” tab, to create groups and manage their members. Groups can also be managed via the Connect Server API. Group support is available for all authentication providers and is enabled by default.

Note

Local group support can be disabled with Authorization.UserGroups. Disabling it has no effect while groups are still present: Posit Connect issues a warning on startup and ignores the setting. All groups must be removed first for the setting to take effect.

Remote Group Management

Posit Connect provides the ability to reference externally managed groups from some authentication providers. When these are configured, management of the remote groups remains the responsibility of the external authentication provider. While the Posit Connect dashboard may provide some convenience functionality, the remote authentication provider’s interfaces should be used for most membership operations.

Within the Posit Connect dashboard (the groups section under the “People” tab), references to the externally managed groups are configured by “adding” a group. Memberships for these referenced groups are locally synchronized in Posit Connect through several mechanisms:

  • Group memberships are updated on every successful login attempt.

  • Changes to group memberships are only detected if the user logs out and logs back in.

  • Group references not yet known by Posit Connect are created on each successful login attempt when Automatic Group Provisioning is enabled for the auth provider.
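
The three rules above, as a small Python model (an added example, not Posit Connect code; the class, method and user/group names are hypothetical and the sample data is constructed). It shows that a membership removed at the authentication provider remains in the local copy until the user's next login, and how to list such stale memberships.

```python
"""Simplified model of the remote-group sync rules listed above (constructed)."""

class GroupCache:
    """Local copy of remote group memberships, refreshed only at login."""

    def __init__(self, referenced, auto_provision=False):
        self.members = {g: set() for g in referenced}  # group -> cached users
        self.auto_provision = auto_provision

    def login(self, user, provider_groups):
        """Apply the memberships the auth provider reports for this login."""
        if self.auto_provision:
            for g in provider_groups:
                self.members.setdefault(g, set())  # create unknown references
        for g, users in self.members.items():
            if g in provider_groups:
                users.add(user)
            else:
                users.discard(user)

    def drift(self, directory):
        """Return (stale, pending) sets of (user, group) pairs.

        directory maps user -> groups held at the provider right now.
        stale: still cached but removed remotely; pending: granted remotely
        but not cached yet. Both are resolved at the user's next login.
        """
        stale, pending = set(), set()
        for g, users in self.members.items():
            for u in users:
                if g not in directory.get(u, set()):
                    stale.add((u, g))
            for u, groups in directory.items():
                if g in groups and u not in users:
                    pending.add((u, g))
        return stale, pending

def demo():
    cache = GroupCache(referenced={"analysts"})       # constructed names
    directory = {"alice": {"analysts", "finance"}, "bob": {"analysts"}}
    cache.login("alice", directory["alice"])
    cache.login("bob", directory["bob"])
    directory["alice"] = {"finance"}                  # removed at the provider
    before = cache.drift(directory)                   # alice is still cached
    cache.login("alice", directory["alice"])          # logs out and back in
    after = cache.drift(directory)
    return before, after, sorted(cache.members)
```
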

Align LDAP Groups

Posit Connect supports either locally managed groups or remotely managed groups for LDAP. Having a mix of both local and remote groups simultaneously is not supported.

To change your Posit Connect server from one group management mode to another, make the configuration file change, then use the align-ldap-groups command of the usermanager CLI tool to review and resolve issues with any group that does not belong to the new configuration.

The align-ldap-groups tool can be used to bulk delete groups from the old management mode, but it also provides information about the relationships each group has to existing content items on the server. By evaluating each group interactively with the tool, you can review the potential effect that removing or transferring an old group would have on user access permissions before making a decision.

Note

To configure remotely managed LDAP groups, the following attributes must be set correctly in your Posit Connect server configuration file:

If the attributes above are not appropriately configured, Posit Connect will target local groups mode instead of remote.