Group Management

Groups can be used to associate multiple users to content as viewers or collaborators.

An administrator in RStudio Connect can use the dashboard, specifically the "People" tab, to create groups and manage their members. Group support is available for all authentication providers and is enabled by default.

Note: Groups can also be managed via the Connect Server API.

Group support can be disabled with Authorization.UserGroups.

Note: Disabling group support with this setting has no effect if groups are still present. RStudio Connect will issue a warning on startup and ignore the setting. In order to use this setting, all groups must be removed first.

Remote Group Management

Some authentication providers can manage their own groups without manual intervention. For example, groups are always managed by the provider for LDAP and they can be managed by the provider optionally using proxied, SAML or OAuth2 authentication. Under these scenarios, there's no group section under the "People" tab in the Connect dashboard.

Group Ownership

When a group is created manually in the Connect dashboard, the user that created the group is set as the group's owner. There are two exceptions to this:

  1. If you are using the LDAP authentication provider, groups in RStudio Connect will have no owners since they are controlled by the related LDAP system.

  2. If you are using the SAML, OAuth2 or Proxied authentication provider and you have enabled automatic group provisioning, the groups created during the login process will have no owners.

Note: The rules above also apply to groups created via Connect Server API.

Publisher Ownership

In older releases of RStudio Connect, publishers were allowed to create groups. Doing so without the proper consent of an administrator made it more difficult to appropriately manage access to content. As such, publishers are no longer allowed to create groups by default.

The following should be noted about this change.

  • Any groups created, and therefore owned, by publishers in an older release of RStudio Connect will still be owned by the same user.

  • Publishers will still be able to add members to or remove members from the groups they own.

  • Publishers will still be able to delete groups that they own.

  • Publishers will not be able to create any new groups going forward.

  • Publishers will still be able to remove themselves from groups they don't own. This also applies to viewers.

If there is a reason that publishers should be allowed to create groups (i.e., to restore the legacy behavior), set the Authorization.PublishersCanOwnGroups configuration option to true.

Administrators can take control of existing groups with the help of the usermanager CLI tool, which allows assigning a new owner to a group with the alter command.

Proxied Authentication, SAML and OAuth2 (OpenID) Group Membership Management

RStudio Connect can be configured to automatically assign users to existing groups according to the list of group names sent by the proxy or the SAML Identity Provider (IdP). For every login attempt the list of group names received will be compared with the current memberships the user has, adding the user as a member of newly listed groups and removing the user from groups no longer listed by the proxy or the IdP.

To enable group assignment in proxied authentication use the setting ProxyAuth.GroupsHeader.

In SAML authentication use the setting SAML.GroupsAttribute or select a SAML IdP profile (Azure, Okta, OneLogin, etc.) which will define this setting automatically.

In OAuth2 (OpenID) authentication use the setting OAuth2.GroupsClaim.

Note: The list of groups sent by the proxy or IdP will override any memberships defined manually or via the Connect Server API. However, these operations should still be used between login attempts to keep the group memberships in sync with the IdP or the authentication engine behind the proxy.

Proxied Authentication, SAML and OAuth2 (OpenID) Provisioned Groups

In addition to memberships, RStudio Connect can also be configured to automatically provision (create) groups according to the list of group names sent by the proxy. This can be enabled by using ProxyAuth.GroupsAutoProvision or SAML.GroupsAutoProvision or OAuth2.GroupsAutoProvision.

This means that groups not yet present will be created in RStudio Connect for a user when the user logs in.

Note: In this mode, groups are left in RStudio Connect if they have no members in order to preserve their association to content. If you wish to remove the empty groups, use the settings ProxyAuth.GroupsAutoRemoval or SAML.GroupsAutoRemoval or OAuth2.GroupsAutoRemoval.

In this mode groups must be managed directly through the OAuth OP, SAML IdP or the authentication engine behind the proxy. There's no Connect dashboard support to manage these groups.

Note: An administrator can still use the Connect Server API to manage groups between user login attempts. Care should be taken when removing groups via the API, because that action also removes any association the group has with content.

RStudio Connect will no longer enforce its own naming convention for groups in this scenario, since the names are always defined by the authentication provider or via the Connect Server API.
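The login-time reconciliation described in the two sections above, as a simplified model added here for illustration (it is not RStudio Connect's code). The function name, the dict-based group store, and the user and group names are constructed; deleting a group at the moment it becomes empty is this model's reading of GroupsAutoRemoval.

```python
def sample_store():
    # Constructed data: "adhoc" stands for a membership granted by hand
    # in the dashboard or via the Connect Server API between logins.
    return {"analysts": {"alice"}, "finance": {"bob"}, "adhoc": {"alice"}}


def sync_on_login(groups, user, sent, auto_provision=False, auto_removal=False):
    """Reconcile one user's memberships with the group list sent at login.

    groups: dict mapping group name -> set of member names (mutated in place)
    sent:   group names received from the proxy header, SAML attribute
            or OAuth2 claim for this login
    Returns the list of (action, group) changes that were applied.
    """
    listed = set(sent)
    actions = []

    # Add the user to every listed group. Unknown groups are ignored
    # unless auto-provisioning is on, in which case they are created.
    for name in sorted(listed):
        if name not in groups:
            if not auto_provision:
                continue
            groups[name] = set()
            actions.append(("provision", name))
        if user not in groups[name]:
            groups[name].add(user)
            actions.append(("add", name))

    # Remove the user from every group that was not listed, including
    # memberships that were assigned manually.
    for name in sorted(groups):
        if name not in listed and user in groups[name]:
            groups[name].discard(user)
            actions.append(("remove", name))
            # Empty groups are kept (with their content associations)
            # unless auto-removal is enabled.
            if auto_removal and not groups[name]:
                del groups[name]
                actions.append(("delete", name))
    return actions


if __name__ == "__main__":
    sent = ["analysts", "finance", "ml-team"]  # constructed login payload
    print(sync_on_login(sample_store(), "alice", sent))
    print(sync_on_login(sample_store(), "alice", sent, True, True))
```

In the first call the manual "adhoc" membership is dropped and "ml-team" is ignored; in the second, "ml-team" is created and the emptied "adhoc" group is deleted along with whatever content access it carried.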

Matching Groups' Identifiers

By default, RStudio Connect will match the list of groups sent by the authentication provider against the names of the groups that exist in RStudio Connect. Some authentication providers, such as Azure, do not send group names and instead send the groups' unique identifiers (such as GUIDs).

To support this scenario, RStudio Connect can be configured to match the groups' unique identifiers.

To enable group matching by unique id:

In order to properly set a unique identifier for groups you should either:

  • Create new groups via the Connect Server API, which will require the unique_id field to create groups. This unique identifier needs to match the one to be sent by the provider during authentication.

  • Create new groups automatically with the GroupsAutoProvision option enabled for the respective authentication provider. At first, these groups' names will be the same as their unique identifiers. The Connect Server API or the usermanager CLI tool must be used to update these names to more user-friendly values. You can also create groups with the Connect Server API ahead of any login attempts to avoid the need of renaming them.

Note: When GroupsByUniqueId is enabled and GroupsAutoProvision is disabled for the respective authentication provider, groups can no longer be created via the dashboard, given that unique identifiers cannot be assigned with this interface. The controls for creating new groups will not be visible in this scenario.

When GroupsByUniqueId is enabled, RStudio Connect can no longer ensure the uniqueness of the groups' names.

Note: The lack of uniqueness makes it difficult for content hosted by RStudio Connect to rely on the groups passed in the RStudio-Connect-Credentials header. In this case the option Authorization.ContentCredentialsUseGUID should be enabled so that content will receive the globally unique identifiers assigned by RStudio Connect. These are the same identifiers used with the Connect Server API.

Preferably, GroupsByUniqueId should be enabled before you have any groups in RStudio Connect. If any groups have already been created and you wish to use this option, it is strongly recommended to run the usermanager --groups --normalize-ids command to make these existing groups functional under the new setting. See the User Management CLI appendix to learn more.

Note: The usermanager command above should also be run if you decide to disable GroupsByUniqueId at a later time.

LDAP Groups

RStudio Connect needs to be configured to automatically recognize LDAP groups. See the LDAP section.

LDAP groups must be managed directly through LDAP or Active Directory. The Connect dashboard does not support management of LDAP groups.

For LDAP, the group information is stored in RStudio Connect when an LDAP group is associated with some content.

Note: An administrator can still use the Connect Server API to manage groups between user login attempts. Care should be taken when removing groups via the API, because that action also removes any association the group has with content.

OAuth2 (OpenID Connect) Group Members using Google

New remote OAuth2 user information is stored in RStudio Connect when an OAuth2 user is associated with a group. This allows a user to be present in RStudio Connect ahead of a first login. This is similar to the association of users with some content.

Assigning User Roles using Groups

It is possible to map group memberships to user roles in RStudio Connect. You can use Automatic User Role Mapping to map groups returned during authentication to valid user roles in RStudio Connect.

Command-Line Interface

Connect includes a usermanager command for some basic group management tasks. This utility helps you list groups and modify their attributes. This can be helpful in the event that no one can access a Connect administrative user account.

The tool can also be used to adjust a group's name or ownership, transfer content permissions and members between groups, and even remove groups entirely from RStudio Connect.

The usermanager can adjust the Unique IDs of groups in case this identification has been modified in the configured authentication provider or after switching between providers.

See the User Management CLI appendix for more information on using the usermanager CLI to manage users.