11 User Management

11.1 User Roles

Every RStudio Connect user account is configured with a role that controls their default capabilities on the system. Data scientists, analysts and others working in R will most likely want “publisher” accounts. Other users are likely to need only “viewer” accounts.

The Authorization.DefaultUserRole property specifies the role for new accounts and defaults to viewer. Authorization.DefaultUserRole may be either viewer or publisher; new accounts are not permitted to automatically have the administrator role. For all authentication providers, the first user is always created as administrator.

Note: There are no restrictions regarding roles for the users created via the Connect Server API.

Administrator

RStudio Connect administrator accounts have permissions which allow them to manage the service. This includes setting the role of an account and configuring email settings. Administrators may or may not be system administrators. The specific capabilities of an administrator are documented in 11.5.

Publisher

Accounts with a “publisher” role are allowed to deploy content into RStudio Connect. They can also help manage another user’s content when made a “collaborator” of that content.

Viewer

“Viewer” accounts can be added as a viewer to specific content. They can discover that content through the RStudio Connect dashboard and see its settings. Viewers can also email themselves copies of documents they are permitted to see.

Anonymous

An anonymous visitor to RStudio Connect who is not authenticated with the system can view content that has been marked as viewable by “Anyone”.

Note: Any logged-in user can list all the other existing users. To limit who can list users, use the UsersListingMinRole property within the Authorization configuration section to specify the minimum role allowed to list users.

For example: Authorization.UsersListingMinRole = "administrator" will allow only administrators to list all users while publishers and viewers would only see themselves.

This setting does not affect the ability publishers have to add other users to content as collaborators or viewers.

11.2 User Provisioning

How a user gets created in RStudio Connect depends on the capabilities offered by the configured authentication provider. See 10

11.2.1 Password

Note: Sending emails is a prerequisite for password authentication. See 2.2.4

The users can be created by an admin or they can register themselves through the RStudio Connect dashboard. The Connect Server API can also be used to create users ahead of the first login.

The users created by an admin or via Connect Server API without a password will receive an email confirmation which should be used to configure a password.

Existing user accounts can reset their passwords through the Connect login page.

11.2.1.1 Self Registration

When using password authentication, users can self-register by clicking the “Sign Up” button on the login page. Self-registered accounts will be created with the role specified in the Authorization.DefaultUserRole property (see 11.1).

If you wish to disable self-registration, please use the configuration setting Password.SelfRegistration = false. See A.11

When self-registration is disabled, the first account (the admin) is still created using self-registration. All other accounts must be created by an administrator.
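The settings from 11.1 and 11.2.1.1 interact: with self-registration left enabled and Authorization.DefaultUserRole set to publisher, every account created through “Sign Up” can deploy content. The check below is an added example, not part of the RStudio Connect documentation or product. It assumes the settings live in an INI-style file with [Section] headers and Property = value lines, and both sample configurations are constructed.

```python
import configparser

# Constructed sample configurations (not taken from a real server).
WEAK = """
[Authorization]
DefaultUserRole = publisher
[Password]
; SelfRegistration not set: the Sign Up button stays enabled
"""
HARDENED = """
[Authorization]
DefaultUserRole = viewer
UsersListingMinRole = "administrator"
[Password]
SelfRegistration = false
"""
RANK = {"viewer": 0, "publisher": 1, "administrator": 2}


def _get(cfg, section, key, default):
    """Read Section.Key case-insensitively, stripping optional quotes."""
    for name in cfg.sections():
        if name.lower() == section.lower():
            return cfg[name].get(key, default).strip().strip('"').lower()
    return default


def audit(text):
    """Return findings for the account-related settings named in this chapter."""
    cfg = configparser.ConfigParser(strict=False, interpolation=None)
    cfg.read_string(text)
    role = _get(cfg, "Authorization", "DefaultUserRole", "viewer")
    # Per the note in 11.1, any logged-in user can list users unless restricted.
    listing = _get(cfg, "Authorization", "UsersListingMinRole", "viewer")
    # Only the literal value "false" (as written in 11.2.1.1) counts as disabled.
    self_reg = _get(cfg, "Password", "SelfRegistration", "true") != "false"

    findings = []
    if self_reg and role == "publisher":
        findings.append("self-registered accounts become publishers and can deploy content")
    elif self_reg:
        findings.append("self-registration is enabled; sign-up creates viewer accounts")
    if RANK.get(listing, 0) < RANK["administrator"]:
        findings.append(f"users with role {listing!r} or above can list all accounts")
    return findings

if __name__ == "__main__":
    for label, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label, audit(text))
```

The self-registration finding only matters when the password authentication provider is in use.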

11.2.2 OAuth

OAuth users are created in RStudio Connect upon the first successful login attempt.

Authentication happens entirely in the Google Auth engine, which, once authentication completes, returns the remote user information to RStudio Connect.

Note: User search support depends on your Google Auth infrastructure. See 10.7

New users can also be created ahead of their first login by searching based on their email or name and then associating the remote user found in the results with some content as either a viewer or collaborator.

Note: New users can only be selected as collaborators when Authorization.DefaultUserRole = publisher.

Currently there is no support in the Connect Server API for adding OAuth users programmatically.

11.2.3 LDAP

LDAP users are created in RStudio Connect upon the first successful login attempt.

Note: To restrict which users can log in, see the setting LDAP.PermittedLoginGroup.

RStudio Connect will forward the entered LDAP credentials to the LDAP or Active Directory server, which, once the user is authenticated, will return the remote user’s information.

Note: User search support for LDAP requires bind credentials or anonymous bind. See 10.6

New users can also be created ahead of their first login by searching based on their email or name and then associating the remote user found in the results with some content as either a viewer or collaborator.

Note: New users can only be selected as collaborators when Authorization.DefaultUserRole = publisher.

Currently there is no support in the Connect Server API for adding LDAP users programmatically.

11.2.4 Proxy

Proxy authentication will create users in RStudio Connect upon the first successful login attempt.

Authentication happens entirely in the proxy placed in front of RStudio Connect. RStudio Connect expects to receive from the proxy an HTTP header containing the username of the authenticated remote user account.

The Connect Server API can be used to create Proxy users. This option enables associating users with content ahead of their first login attempt.

Note: The username is the user’s unique identification in Connect. Users created via the API must match exactly the username expected to be received through the authentication proxy.

Currently, there is no support for creating Proxy users manually via the Connect dashboard.

11.2.5 PAM

PAM authentication will create users in RStudio Connect upon the first successful login attempt.

PAM authentication relies on local Unix accounts. Users must log in to RStudio Connect with their Unix credentials, which are authenticated by the Linux system hosting Connect.

The Connect Server API can be used to create PAM users. This option enables associating users with content ahead of their first login attempt.

Note: The username is the user’s unique identification in Connect. Users created via the API must match exactly the username for the respective Unix user.

Currently, there is no support for creating PAM users manually via the Connect dashboard.

11.3 Group Support

Groups can be used to associate multiple users to content as viewers or collaborators.

An administrator in RStudio Connect can use the dashboard to create groups and to manage their members. Group support is enabled for Password and OAuth authentication providers.

Note: New remote OAuth user information is stored in RStudio Connect when an OAuth user is associated with a group. This is similar to the association with content.

Currently, there is no group support for PAM or Proxy authentication providers.

11.3.1 LDAP Groups

RStudio Connect needs to be configured to automatically recognize LDAP groups. See 10.6.

LDAP groups must be managed directly through LDAP or Active Directory.

Note: Remote LDAP group information is stored in RStudio Connect when the LDAP group is associated with content.

11.4 User Permissions

Administrators and Publishers can be assigned permissions for content published to RStudio Connect.

11.4.1 All Content

Anonymous Visitors

Anonymous users can access content listed for Anyone. Anonymous viewers access content through direct URLs and will not have any view into Connect.

Viewers

“Viewers” can sign into the Connect dashboard and discover and access content listed for Anyone, All users - login required, and content for which they are granted access.

Collaborators

“Collaborators” can change access controls and add Viewers and other Collaborators.

Administrators

“Administrators” have all the permissions of Collaborators. Administrators are not automatically added to content and will not see all content on their homepage. Administrators can proactively add themselves as Collaborators or Viewers to any content. Administrators can set vanity URLs and change the RunAs user. Administrators and the original content owner can delete content.

11.4.2 R Markdown Reports

Access controls and user privileges apply to every public version of a report. For example, if the default version of a report is accessible to Anyone, all public versions will be accessible to Anyone.

Anonymous Visitors

Every version of a report has a unique URL (accessible by opening the content with ‘Open Solo’). Reports must be listed for Anyone for the URL to be available to anonymous users.

Viewers

“Viewers” have the ability to view a report through the Connect dashboard. They can discover and toggle between public versions of a report. They can email themselves the current version of a report. They cannot see parameters for different versions of a report. They can see the distribution and schedule for public versions.

Collaborators

“Collaborators” have the privileges of Viewers and additionally can: view parameters for public versions, change parameters and run ad hoc reports, create new versions, schedule versions, set up distribution lists, and request reports to be refreshed. Collaborators can also create private versions that are not discoverable or accessible by any other user.

11.4.3 Shiny Applications & Plumber APIs

Collaborators

“Collaborators” can change the runtime settings for Shiny applications and Plumber APIs.

11.5 Administrator Capabilities

Administrative users on RStudio Connect are empowered to inspect and manage various settings on the server. Regardless of their level of privilege on some piece of content (viewer, collaborator, or neither), administrators can manage collaborators and viewers on content, manage the runtime settings for Shiny applications and Plumber APIs, and adjust the schedules for R Markdown documents. Additionally, only administrators can modify the Vanity Path and RunAs settings for content through the web dashboard; they can do so even on content that they don’t have the ability to view.

Administrators do not have implicit rights to view content or download the source bundles. If an administrator visits a report without viewership privileges to the report, they will see an error message rather than the report’s content. Despite being unable to see the contents of the report, administrators can still manage the settings for all content. Because an administrator has the ability to manage the collaborators and viewers of others’ content on the system, they can choose to add themselves as a viewer or collaborator on the report to gain access. Administrative overrides of permissions on content require that the administrator take an explicit action which is captured in the audit log.

11.6 Locked Accounts

You can prohibit a user from accessing RStudio Connect by “locking” their account. This control is available to administrative users when editing user profile information in the RStudio Connect dashboard.

Locked users are prohibited from signing into RStudio Connect, deploying content, and otherwise interacting with the service.

A locked account is not deleted and deployed content continues to be available. A non-personal report configured with scheduling and distribution will continue to execute according to its schedule. A locked user no longer receives scheduled content at their email address.

Content owned by a locked user can be deleted by a collaborator or by an administrative user. Each piece of deployed content must be deleted individually; there is no bulk removal.

A locked user can be subsequently unlocked. All their previously allowed abilities are immediately restored.

11.7 Username Requirements

Connect’s username requirements vary depending upon the authentication provider. Please see 10.3 for more information on username requirements.

11.8 User Renaming

Administrators may alter the usernames of existing users on the system regardless of the current authentication system. Users will still be able to access their deployed content and content that has been shared with them. If they have existing vanity URLs with their username incorporated, none of those will be altered. They will, of course, need to use the new username when logging in.

If the user has authenticated inside of the RStudio IDE, they will still be able to deploy using a previous connection; however, the IDE will continue displaying their old username during deployments. To minimize the risk of future ambiguity, we recommend that the user disconnect and reconnect their IDE to RStudio Connect so that the valid username is displayed.

11.9 Command-Line Interface

Connect includes a usermanager command for some basic user management tasks. This utility helps you list users and modify user attributes in the event that no one can access a Connect administrative user account.

See Appendix B for more information on using the usermanager CLI to manage users.