Advanced User / Group Topics¶
RStudio Connect includes a
usermanager CLI tool for some basic user management tasks.
Some examples of what can be done with it are:
List users and modify their attributes. (This can be helpful in the event that no one can access a Connect administrative user account.)
Transfer ownership of content and groups between users as well as memberships to groups, permissions to content, content subscriptions and, under certain circumstances, even API keys
Remove users that are not owners of any content or groups in RStudio Connect
Adjust the Unique IDs of users. (Useful when identification has been modified in the configured authentication provider or after switching between providers.)
See the User Management CLI appendix for more
information on using the
usermanager CLI to manage users.
Publisher Ownership of Groups¶
In older releases of RStudio Connect, publishers were allowed to create groups. Unfortunately, many customers found that doing this without the proper consent of an administrator made it difficult to holistically manage access to content. As such, by default, publishers are no longer allowed to create groups.
The following should be noted about this change.
Any groups created, and therefore owned, by publishers in an older release of RStudio Connect will still be owned by the same user.
Publishers will still be able to add members to or remove members from the groups they own.
Publishers will still be able to delete groups that they own.
Publishers will not be able to create any new groups going forward.
Publishers will still be able to remove themselves from groups they don't own. This also applies to viewers.
If there is a reason that publishers should be allowed to create groups
(i.e., to restore the legacy behavior), set the
configuration option to
Administrators can take control over existing groups using the
alter command of the
usermanager CLI tool.
Credentials For Content¶
RStudio Connect can report users and groups identities to content
via the HTTP headers
in different ways. Each one has a targeted use case.
Most Common: Names¶
By default, RStudio Connect will report the username and the names of the groups that user is a member of in the content credentials.
This satisfies most common scenarios, and it should be the preferred option used when migrating applications from Shiny Server Pro.
In large organizations with hundreds of groups, it is possible to have users or groups duplicates, for example, from different sub-departments with same name or users with the same first initial and same last name. Please be sure to consult your IT department to confirm whether this condition is possible in your environment. If so, consider using one of the alternatives below.
Uniqueness and Leverage the Connect Server API: Using RStudio Connect GUIDs¶
RStudio Connect can report the public GUIDs for users and groups with the option
Not only are these values guaranteed to be unique and permanent, but they can
also be leveraged to query for additional information about users and groups
using the Connect Server API.
External Resources and Uniqueness: Using Distinguished Names (DNs)¶
This option is only available when using LDAP/AD authentication.
RStudio Connect can report users' and groups' DNs when the option
Authorization.ContentCredentialsUseDN is enabled.
This option can be used if content running in Connect requires DNs in order to identify users in external resources or to access LDAP/AD directly for more specific queries.
Beware that differently from GUIDs, DNs may not be permanent in LDAP/AD and might change over time.