13 Group Management
Groups can be used to associate multiple users to content as viewers or collaborators.
An administrator in RStudio Connect can use the dashboard, specifically the “People” tab, to create groups and manage their members. Group support is available for all authentication providers and enabled by default.
Note: Groups can also be managed via the Connect Server API.
Group support can be disabled with Authorization.UserGroups.
Note: Disabling this setting is not effective if groups are still present. RStudio Connect will issue a warning on startup and ignore this setting. In order to use this setting, all groups must be removed first.
13.1 Remote Group Management
Some authentication providers can manage their own groups without manual intervention. For example, groups are always managed by the provider for LDAP and they can be managed by the provider optionally using proxied authentication. Under these scenarios, there’s no group section under the “People” tab in the Connect dashboard.
13.2 Group Ownership
When a group is created manually in the Connect dashboard, the user that created the group is set as the group’s owner. There are two exceptions to this:
- If you are using the LDAP authentication provider, groups in RStudio Connect will have no owners since they are controlled by the related LDAP system.
- If you are using the Proxied authentication provider and you have enabled automatic group provisioning, the groups created during the login process will have no owners.
Note: The rules above also apply to groups created via Connect Server API.
13.2.1 Publisher Ownership
In older releases of RStudio Connect, publishers were allowed to create groups. Because this could be done without the consent of an administrator, it became more difficult to manage access to content appropriately. As such, by default publishers are no longer allowed to create groups.
The following should be noted about this change.
- Any groups created, and therefore owned, by publishers in an older release of RStudio Connect will still be owned by the same user.
- Publishers will still be able to add members to or remove members from the groups they own.
- Publishers will still be able to delete groups that they own.
- Publishers will not be able to create any new groups going forward.
- Publishers will still be able to remove themselves from groups they don’t own. This also applies to viewers.
If there is a reason that publishers should be allowed to create groups (i.e., to restore the legacy behavior), set the Authorization.PublishersCanOwnGroups configuration option to true.
Administrators can take control over existing groups with the help of the usermanager CLI tool, which allows assigning a new owner to a group with the alter command.
13.3 Proxied Authentication & SAML Group Membership Management
RStudio Connect can be configured to automatically assign users to existing groups according to the list of group names sent by the proxy or the SAML Identity Provider (IdP). For every login attempt the list of group names received will be compared with the current memberships the user has, adding the user as a member of newly listed groups and removing the user from groups no longer listed by the proxy or the IdP.
To enable group assignment use the setting ProxyAuth.GroupsHeader.
Note: The list of groups sent by the proxy or IdP will override any memberships defined manually or via the Connect Server API. However, these operations should still be used between login attempts to keep the group memberships in sync with the IdP or the authentication engine behind the proxy.
13.3.1 Proxied Authentication & SAML Provisioned Groups
In addition to memberships, RStudio Connect can also be configured to automatically provision (create) groups according to the list of group names sent by the proxy. This can be enabled by using ProxyAuth.GroupsAutoProvision or SAML.GroupsAutoProvision.
This means that groups not yet present will be created in RStudio Connect for a user when the user logs in.
Note: In this mode groups are left in RStudio Connect if they have no members in order to preserve their association to content. If you wish to remove the empty groups use the settings ProxyAuth.GroupsAutoRemoval or SAML.GroupsAutoRemoval.
In this mode groups must be managed directly through the SAML IdP or the authentication engine behind the proxy. There’s no Connect dashboard support to manage these groups.
Note: An administrator can still use the Connect Server API to manage groups between user login attempts. Care should be taken when removing groups via API. That action will also remove all associations a group may have with content.
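The login-time reconciliation described in 13.3 and 13.3.1, as a simplified model added here for illustration; it is not RStudio Connect's code. The function name, data structures and the choice to model auto-removal as deleting a group when the login removes its last member are assumptions.

```python
# Simplified model of the login-time group sync described in 13.3 / 13.3.1.
# Not RStudio Connect code: names and data structures here are hypothetical.

def sync_groups_on_login(user, asserted, groups, auto_provision=False, auto_removal=False):
    """Reconcile `user`'s memberships with the group names asserted at login.

    groups: dict mapping group name -> set of member usernames (mutated in place).
    Returns a dict listing what changed, useful for auditing the effect of a login.
    """
    asserted = set(asserted)
    changes = {"created": [], "added": [], "removed": [], "deleted": [], "ignored": []}

    for name in sorted(asserted):
        if name not in groups:
            if not auto_provision:
                changes["ignored"].append(name)  # only existing groups are assigned
                continue
            groups[name] = set()
            changes["created"].append(name)
        if user not in groups[name]:
            groups[name].add(user)
            changes["added"].append(name)

    for name in sorted(groups):
        if user in groups[name] and name not in asserted:
            groups[name].discard(user)  # manual or API-made memberships are overridden too
            changes["removed"].append(name)
            if auto_removal and not groups[name]:
                del groups[name]  # assumption: empty group dropped, losing content associations
                changes["deleted"].append(name)
    return changes

def demo():
    # Constructed sample state: "audit" membership was granted manually between logins.
    groups = {"analysts": {"alice", "bob"}, "audit": {"alice"}}
    changes = sync_groups_on_login("alice", ["analysts", "finance"], groups,
                                   auto_provision=True)
    return changes, groups
```

In the constructed state, the manually granted "audit" membership is revoked at login while the now-empty group itself is kept, which is the behavior the notes above describe when auto-removal is off.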
13.4 LDAP Groups
RStudio Connect needs to be configured to automatically recognize LDAP groups. See 11.6.
LDAP groups must be managed directly through LDAP or Active Directory. The Connect dashboard does not support management of LDAP groups.
For LDAP, the group information is stored in RStudio Connect when an LDAP group is associated with some content.
Note: An administrator can still use the Connect Server API to manage groups between user login attempts. Care should be taken when removing groups via API. That action will also remove all associations a group may have with content.
13.5 OAuth2 Group Members
New remote OAuth2 user information is stored in RStudio Connect when an OAuth2 user is associated with a group. This allows a user to be present in RStudio Connect ahead of a first login. This is similar to the association of users with some content.
13.6 Command-Line Interface
Connect includes a usermanager command for some basic group management tasks.
This utility helps you list groups and modify their attributes. This can be helpful in the event that no one can access a Connect administrative user account.
The tool can also be used to adjust group name or ownership and it can transfer content permissions and members between groups and even remove groups entirely from RStudio Connect.
The usermanager can adjust the Unique IDs of groups in case this identification has been modified in the configured authentication provider or after switching between providers.
See Appendix B for more information on using the usermanager CLI to manage users.