User and Group Management

As an administrator, you will need to manage the users and groups that access your instance. As you saw in lab 4, the way users are added to Connect depends on the authentication mechanism you use. Their role (Administrator, Publisher, or Viewer) is assigned according to your configuration and authentication settings. This lesson provides an overview of the administrative tasks you’ll perform to manage users and their groups once they have been created on the Connect server.

Note: Timings for this chapter
  • Reading time: 15 minutes
  • Documentation reading time: 25-45 minutes
  • Hands-on exercise time: 15-30 minutes
Tip: Required Reading

Key stakeholders involved in user and group management:

| Stakeholder Role | Core Responsibility | Key Action |
| --- | --- | --- |
| 1. Application Administrator (Software/App Admin) | Manages the user account and permissions within the application itself. | Manages the software, updates the configuration to use authentication applications, may consume groups created upstream or manages groups inside the application. |
| 2. IAM Administrator (Auth Admin) | Manages the central Identity Provider (IdP) and the authentication process. | Configures SSO, monitors automated provisioning/de-provisioning syncs, and manages security groups in the IdP. |
| 3. User Data/Group Manager (HR/Service Desk) | Manages the source of truth data and the groups that drive the access. | Ensures user attributes are correct, adds users to the trigger access groups, and initiates onboarding/offboarding. |

There are 3 ways to manage users and groups in Connect:

The table below shows common user and group management tasks and which methods support them. “Local” refers to users known to Connect, and “remote” to users that only exist in the authentication system.

In the table below, some tasks can be performed regardless of the authentication provider you use (✅), while others depend on the authentication method used (🟡). Check the documentation for more details.

Task Web Interface CLI\(^1\) API
List/search local users and groups\(^2\)
Change local user role
Local group membership\(^2\)
Create local user 🟡
Search for remote users 🟡
Get local user/group details
Update local user/group info\(^2\) 🟡 🟡 🟡
Lock local user
Transfer content ownership
Delete local user
Delete local group\(^2\) 🟡 🟡

\(^1\): Note that the CLI utility requires the Connect service to be stopped unless your installation uses PostgreSQL for internal storage. We recommend using it only for tasks that require this utility, such as transferring content ownership and deleting users.

\(^2\): Groups are useful to grant viewer or collaborator access to multiple people based on teams or projects. Just like users, groups can be managed locally, or remotely. Locally, groups are managed either using the web interface, the usermanager CLI utility, or the Connect API. With remote group management, Connect relies on the information coming from your authentication provider.

Tip: Resources

To learn more about user and group management in Connect, especially the actions that can be taken with the CLI utility or the API, check the following resources:

Exploring users and groups using the web interface

Add yourself to content you don’t have access to

As an administrator, you can edit settings associated with any content deployed on the instance you manage, even without having access to the content itself. This includes adding other users (including yourself) to content they do not have access to. These changes are recorded in the audit log.

Let’s practice this using the only Shiny app available on the instance.

  1. Navigate to the web interface of Connect, and log in using the user ashley (password: ashley).
  2. In the “Content” tab, you should see the “Shiny Geyser Example” listed. Note that it belongs to “John Doe”. Click on its title.
  3. Note that you cannot see the content of this Shiny application as you don’t have access to it yet.
  4. Click on the “Settings” menu in the top right, and:
    • Give “collaborator” access for this content to user “Joe Golly” (you will need to click on the eye icon to change the role from “Viewer” to “Collaborator”).
    • Give yourself (Ashley Awesome) the “viewer” role.
  5. Make sure to click the “Save” button at the top of the bar so that the changes can take effect.
  6. You can now see the output of this Shiny app being displayed.

Create and Manage groups

An administrator can also create and manage groups. Groups are useful to control access to content for teams. Here you will create a new group and give it viewer access to the Shiny app on your instance.

  1. In Connect’s web interface, navigate to the “People” section
  2. Click on the “Groups” menu, and on “Add Group”
  3. Call this new group “Analytics” (make sure to use an uppercase A)
  4. Click on the name of the group, and add the member “Bingo Nameo” and yourself (“Ashley Awesome”).
  5. Go back to the settings section for the “Shiny Geyser Example” content, and give the “Analytics” group the “viewer” role (don’t forget to save your change).

Using the CLI for Transferring Content and Locking users

When a user leaves the organization or no longer needs access to Connect, it is recommended that you lock that user’s account so that the individual is no longer able to access Connect. A locked user does not count towards your Named User license count. Locking a user also does not remove or alter content deployed by that user, so content that others depend on remains operational.

However, after a user leaves the company, it can be useful to reassign their content to a different user.

Users can be locked by admins from the web interface, the API, or the CLI utility. It is this last option you will use in this lab to lock the user john. Before locking this user, you will transfer the content he owns to ashley.

When using the CLI utility, the Connect service must be stopped first.

Most commands display a confirmation before executing actions.

Before starting, log into Connect (as ashley, password: ashley). Under the “Content” tab, note that there is a single application deployed on this server, and that its owner is John Doe. You are now ready to lock John’s account and transfer his content to Ashley.

  1. Because your instance of Connect uses SQLite for internal data management, to run the usermanager CLI utility, you need to stop Connect.

    sudo systemctl stop rstudio-connect.service
  2. Use usermanager with the command alter to lock the user john

    sudo /opt/rstudio-connect/bin/usermanager alter --username john --lock
  3. Use usermanager with the command transfer to reassign John’s content to Ashley

    sudo /opt/rstudio-connect/bin/usermanager transfer --source-username john --target-username ashley
  4. Use the following command to list users known to your instance, and confirm that john has been locked. By default, locked users are not listed, so you need to add the --include-locked flag to see them.

    sudo /opt/rstudio-connect/bin/usermanager list --include-locked
  5. Restart Connect

    sudo systemctl start rstudio-connect.service
  6. It takes a few seconds for the web interface to come back online. Once it’s up, you can confirm that the Shiny app on the server is now owned by “Ashley Awesome”. Under the “People” tab, you will also notice that “John” is now marked as being locked.

  7. Click on the “Check” button to confirm that you completed all the steps for this lesson.
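
The CLI steps above can be wrapped in one script that always restarts Connect, even when a usermanager step fails partway. This is an added example, not part of the original lab or of Posit's tooling; the function name `offboard_user` and the `SUDO`, `SYSTEMCTL` and `USERMANAGER` override variables are assumptions introduced here.

```shell
#!/bin/sh
# Added example: offboarding wrapper for a SQLite-backed Connect instance.
# Runs the lab's commands in the order of the numbered steps. usermanager may
# still ask for confirmation, so run this from an interactive terminal.
# Assumed names (not from the page): offboard_user, SUDO, SYSTEMCTL, USERMANAGER.
SUDO=${SUDO-sudo}            # set SUDO= (empty) when already running as root
SYSTEMCTL=${SYSTEMCTL:-systemctl}
USERMANAGER=${USERMANAGER:-/opt/rstudio-connect/bin/usermanager}
SERVICE=rstudio-connect.service

offboard_user() {
    leaver=$1
    new_owner=$2
    # Refuse obviously wrong input before the service is touched.
    if [ -z "$leaver" ] || [ -z "$new_owner" ] || [ "$leaver" = "$new_owner" ]; then
        echo "usage: offboard_user LEAVER NEW_OWNER (two different usernames)" >&2
        return 2
    fi

    # The CLI needs Connect stopped when internal storage is SQLite.
    $SUDO "$SYSTEMCTL" stop "$SERVICE" || return 1

    rc=0
    # Lock, transfer, then list (locked users only appear with --include-locked).
    # The chain stops at the first failing step and records the failure.
    $SUDO "$USERMANAGER" alter --username "$leaver" --lock &&
    $SUDO "$USERMANAGER" transfer --source-username "$leaver" \
        --target-username "$new_owner" &&
    $SUDO "$USERMANAGER" list --include-locked || rc=1

    # Restart Connect whether or not the steps above succeeded, so a failed
    # transfer does not leave the service down.
    $SUDO "$SYSTEMCTL" start "$SERVICE" || rc=1
    return "$rc"
}

# Run only when called with two usernames, e.g.: sh offboard.sh john ashley
if [ "$#" -eq 2 ]; then
    offboard_user "$1" "$2"
fi
```

A non-zero exit status means at least one step failed; review the usermanager output and the listing before repeating the run.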

Summary

  • Posit Connect provides three approaches for user and group management - the web interface (most user-friendly), the usermanager CLI utility (for advanced tasks), and the web API with its SDKs (in R and Python, for programmatic access). Each method has specific capabilities. All administrative actions are logged in the audit trail for accountability.

  • The web interface handles most common tasks, while the CLI is required for sensitive operations like user deletion and content transfers.

  • Best practices include locking accounts when users leave the organization (which preserves content while removing access), transferring content ownership to active users, and using groups to manage team-based access efficiently.