User Management
User accounts in Posit Connect associate users from an authentication provider with a set of capabilities (default role plus content specific permissions). Posit Connect can integrate with different authentication providers (as described in the Authentication section), with varying degrees of customization / control for general user attributes.
Within Connect, every user account is configured with a role that controls their default capabilities on the system. User permissions to access and manage content which has been published to the Posit Connect server varies. These permissions depend on what role has been granted to a user’s account by the content owner (the account that published the content to the server).
The Authorization.DefaultUserRole
property specifies the role for new accounts and defaults to viewer
. Authorization.DefaultUserRole
can be either viewer
or publisher
. New accounts are not permitted to automatically have the administrator
role. For all authentication providers, the first user is always created as administrator
.
See the usermanager
section more information about CLI commands for user management. These commands include options to list and alter users or groups, and transfer items to another user or group.
There are no restrictions regarding roles for the users created via the Connect Server API.
User Roles
User accounts can be assigned any of the following roles, with the exception of Anonymous, which is the role which non-authenticated users are assigned automatically.
- Administrator
- Publisher
- Viewer
- Anonymous
The role of Administrator requires system permissions and access typically only available to IT support staff. Data scientists, analysts, and others working in Python and R will most likely want Publisher roles as they need to publish content to the server. Users who view or consume the published content are likely to need only Viewer roles but in some cases when viewing unrestricted content, can use Anonymous access (in which case, they will not have an account within Posit Connect).
Your external authentication provider might be able to return user profile information that maps to valid user roles in Posit Connect. For example, the user’s position or department might be available as part of the user attribute returned during authentication and these could be leveraged to select a user role. Further details specific for each authentication provider can be found within the Authentication section.
Administrator
Administrative users on Connect are empowered to inspect and manage various settings on the server. Regardless of their level of privilege on some piece of content (Viewer, Collaborator, or neither), Administrators can manage Collaborators and Viewers on content, manage the runtime settings for applications and APIs, and adjust the schedules for executable reports. Additionally, only Administrators can modify the RunAs settings (User Account for Processes) for content through the Connect dashboard. Administrators can also modify Vanity URLs for content. They can make these modifications even when they don’t have the ability to view the content. Administrators and the original content owner can delete content. Administrators can also deploy content to Connect in the same capacity as a Publisher.
Administrators are not automatically added to content and do not see all content on their homepage unless they select the All Server Content view. Administrators do not have implicit rights to view content or download the source bundles. If an administrator visits a report without viewership privileges to the report, a request access page displays rather than the report’s content. Despite being unable to see the contents of the report, Administrators can still manage the settings for all content. Because an Administrator has the ability to manage the collaborators and viewers of others’ content on the system, they can choose to add themselves as a Viewer or Collaborator on the report to gain access. Administrative overrides of permissions on content require that the Administrator take an explicit action which is captured in the audit log.
Connect Administrator accounts do not need to have privileged access to the systems where Connect is installed. The system administrators who manage Connect installations do not need to have Connect Administrator accounts. Many organizations have overlap between systems administrators and Connect Administrators, but it is not required.
Publisher
Accounts with a Publisher role can deploy content into Posit Connect. They are able to configure settings and access controls associated with the content they have published. Publishers can help manage another user’s content when made a Collaborator of that content. By default, they can also modify Vanity URLs for content they own and collaborate on, though Administrators can disable this ability.
By default, Publishers cannot add new users or groups to Posit Connect. If your use case requires Publishers to have such privileges, please see the section on Publisher Ownership of Groups, and Users Provisioned By Publishers on the Advanced User / Group Topics appendix.
Viewer
Accounts with Viewer roles can be added as a viewer to specific content. Viewers can sign into the Connect dashboard. They can discover and access content listed for Anyone
, All users - login required
, and content for which they are granted access. They can access the settings associated with any of the content they are able to view. Viewers can also email themselves copies of documents they are permitted to see. Viewers can also see all users and groups in Posit Connect.
Viewers can request Publisher permissions. From the Content page of your dashboard, click Publish. The Request Publisher Permissions dialogue opens. Click Request. Your Administrator must approve the request before Publisher permissions are granted.
Any logged-in user can list all the other existing users. To limit what Viewers can see use Authorization.ViewersCanOnlySeeThemselves
.
Anonymous
An Anonymous visitor to Posit Connect who is not authenticated with the system can view content that has been marked as viewable by anyone. Anonymous viewers access content through direct URLs and will not have any view into Connect.
User Permissions
The functionality available to any user for any specific piece of content depends upon their default role and the specific permissions they have been granted. Permissions modify the user’s role downward (becoming more restrictive) for a specific piece of content (i.e., a Publisher can become a Collaborator or Viewer or have no access).
Publishers can assign / grant permissions for content that they either own or have been added as a Collaborator for. Administrators can add themselves as Collaborators to any content on the system. Depending on the content specific access settings, Publishers and Viewers might only have Viewer access or even no access to the content.
The effect of the permissions granted depend on the type of content. Base role permissions are used for general access to the Posit Connect dashboard although what is visible within the dashboard is a result of the permissions granted to the user.
All Content
In general, the permissions available to a user follow the abilities outlined in the role descriptions. For example, a Publisher who only has Viewer rights would experience the permissions granted to the Viewer role for a specific piece of content.
Executable Reports
Access controls and user privileges apply to every public version of a report. For example, if the default version of a report is accessible to Anyone
, all public versions are accessible to Anyone
.
- Anonymous Visitors
-
Every version of a report has a unique URL (accessible by opening the content with ‘Open Solo’). Reports must be listed for
Anyone
for the URL to be available to anonymous users. - Viewers
-
Viewers have the ability to view a report through the Connect dashboard. They can discover and toggle between public versions of a report. They can email themselves the current version of a report. They can not see parameters for different versions of a report. They can see the distribution and schedule for public versions.
- Collaborators
-
Collaborators have the privileges of Viewers and additionally can: view parameters for public versions, change parameters and run ad hoc reports, create new versions, schedule versions, setup distribution lists, and request reports to be refreshed. Collaborators can also create private versions that are not discoverable or accessible by any other user.
- Publisher
-
The Publisher who published the content to the Posit Connect server is considered the owner of the content. They have full control over all functionality associated with the content.
Applications & APIs
- Collaborators
-
Collaborators can change the runtime settings for applications and APIs.
Account Management
Adding Accounts
Accounts can be either created upon first login or provisioned ahead of time. Details and capabilities differ by authentication provider. Please refer to the specific chapter for the product / provider you are integrating with.
User Renaming
Administrators can alter the usernames of existing users on the system regardless of the current authentication system. Users can still access their deployed content and content that has been shared with them. If they have existing vanity URLs with their username incorporated, none of those are altered. They will, of course, need to use the new username when logging in.
If the user has authenticated inside of the RStudio IDE, they can still deploy using a previous connection; however, the IDE continues displaying their old username during deployments. To minimize the risk of future ambiguity, we recommend that the user disconnect and reconnect their IDE to Posit Connect so that the valid username is displayed.
Locked Accounts
You can prohibit a user from accessing Posit Connect by locking their account. This control is available to administrative users when editing user profile information in the Posit Connect dashboard.
Locked users are prohibited from signing into Posit Connect, deploying content, and otherwise interacting with the service.
A locked account is not deleted and deployed content continues to be available. A non-personal report configured with scheduling and distribution will continue to execute according to its schedule. A locked user no longer receives scheduled content at their email address.
Content owned by a locked user can be deleted by a collaborator or by an administrative user. Each piece of deployed content must be deleted individually; there is no bulk removal.
A locked user can be subsequently unlocked. All their previously allowed abilities are immediately restored.
Locked users do not count against the user account limit specified by the Posit Connect product license.
Your Posit Connect Software License only allows for locked accounts to permanently terminate access. If you need to purchase additional users, please speak to your dedicated Posit Customer Success contact or email sales@posit.co.
Removing Accounts
Removing accounts from Posit Connect is considered a last resort option.
Users are kept around so the content and groups they might own, as well as the historical and audit information associated with user is not left without a reference.
For these reasons, locking accounts is the preferred option.
If the decision is to remove the account, use the usermanager
CLI tool. The removal process requires that the user does not own anything in Posit Connect. It’s possible to transfer the user’s assets to another user ahead of the account removal. This transfer is also possible with the usermanager
.
Operational metrics will still refer to the removed user account. See the Operational Metrics section for details about what information is being tracked.
Once the user account is removed, the only place where the user information can still be found is in the audit logs. See the Audit Logs section for details.