Administrative Dashboard

Workbench

Posit Workbench includes an administrative dashboard with the following features:

1. Monitoring of active sessions and their CPU and memory utilization;
2. The ability to suspend, forcibly terminate, or assume control of any active session;
3. Historical usage data for individual Workbench users (session time, memory, CPU, logs);
4. Historical system statistics (CPU, memory, active sessions, system load); and
5. Searchable Workbench server log (view all messages or just those for individual users)
6. The ability to lock users, preventing them from signing in to Workbench

The dashboard can be an invaluable tool in understanding Workbench server usage and capacity as well as to diagnose and resolve problems.

Note that at this time, historical monitoring is not available for sessions spawned via the Job Launcher.

Enabling the dashboard

The administrative dashboard is accessed at the following URL:

http://<server-address>/admin

The administrative dashboard is disabled by default. To enable it you set the admin-enabled option. You can also specify that only users of certain group have access to the dashboard using the admin-group option. For example:

/etc/rstudio/rserver.conf

admin-enabled=1
admin-group=rstudio-admins

You can specify a single group as the above example does or a comma-delimited list of groups. For example:

/etc/rstudio/rserver.conf

admin-group=server-admins,rstudio-admins,domain-admins

Note that changes to the configuration will not take effect until the Workbench server process is restarted.

Administrator superusers

You can further designate a certain user or group of users as administrative “superusers”. Superusers have the following additional privileges:

1. Suspend or terminate active sessions
2. Assume control of active sessions (e.g. for troubleshooting)
3. Login to Workbench as any other user

Administrative superusers do not have root privilege on the system, but rather have a narrow set of delegated privileges that are useful in managing and supporting Workbench. You can define the users with this privilege using the admin-superuser-group setting. For example:

/etc/rstudio/rserver.conf

admin-superuser-group=rstudio-superuser-admins

Note that as with the admin groups above, you can specify a single group as the above example does or a comma-delimited list of groups. For example:

/etc/rstudio/rserver.conf

admin-superuser-group=rstudio-superuser-admins,domain-admins

Changes to the configuration will not take effect until the Workbench server process is restarted. Admin superusers can also be added via the command line. See Adding users to the user database.

User impersonation restrictions

The ability to login as other users and assume control of existing sessions is not available if you are authenticating with SAML SSO, Google Accounts, OpenID, or Proxied Authentication. This is because these authentication mechanisms use a different user-identity mechanism which isn’t compatible with the way that user session impersonation is implemented.

Workbench log time zone

You can control the time zone in which the Workbench server logs are displayed in the admin dashboard by the use of the admin-monitor-log-use-server-time-zone option. For example:

/etc/rstudio/rserver.conf

admin-monitor-log-use-server-time-zone=1

Setting this option to 1 will display the Workbench server logs in the system’s time zone. The default value of 0 will display the log times in UTC.

Licensing considerations

If you have been granted a license which has a limit on the total number of users that may use Workbench (i.e. named user licensing), you will need to control user access to Workbench. Each unique user that signs in to Workbench will count against your available user limit. If too many users sign in and attempt to use Workbench, new users will be denied, as the license limit will be reached.

If this occurs, please contact sales@posit.co to purchase additional users.

For more information on licensing, see License management.