Skip to content

Provisioning Users and Groups for RStudio Pro Products#

Provisioning users and groups in RStudio Pro Products can be done in a variety of different ways.

Important

RStudio Server Pro users and groups must exist on the underlying Linux server, whereas RStudio Connect users usually do not, so user and group provisioning works quite differently between the two products.

RStudio Server Pro#

In RStudio Server Pro, users and groups must exist in the underlying Linux server. RStudio Server Pro has no notion of users and groups that are distinct from those on the Linux server, so provisioning users and groups for RStudio Server Pro is the same as provisioning Linux users and groups on the server.

Generally, you will want your authentication provider's groups to be used in RStudio Server Pro and you will configure both Linux users and Linux groups to be provisioned from your authentication provider. It is always possible to have users provisioned by your authentication provider and to manually manage Linux groups on the server.

Provisioning Options In RStudio Server Pro#

  • Default/System: Manually create and manage users and groups on the Linux server.
  • All Other: Create Linux users manually or automatically via sssd.

RStudio Connect#

RStudio Connect requires that users be provisioned in RStudio Connect itself. In most configurations, users do not need to be provisioned with local system accounts. All authentication types default to just-in-time provisioning of users, where users are created in RStudio Connect when they are first authenticated.

Should you wish to use the Applications.RunAsCurrentUser setting, you will need to configure RStudio Connect for PAM authentication and to provision Linux users corresponding to authenticated users in RStudio Connect via sssd.

User Provisioning in RStudio Connect#

For all authentication types, the default is to allow just-in-time provisioning of user accounts on a user's first login. This can be disabled by setting the <AuthType>.RegisterOnFirstLogin setting to false. Generally you will only disable this setting if you want to do all user provisioning ahead-of-time.

Note

If using PAM authentication, the corresponding Linux user must already have been created on the server.

If using default/password authentication, users can manually be provisioned via the User dashboard.

For all other authentication types, ahead-of-time user provisioning can only be done via the RStudio Connect User API.

If the product is being configured to use PAM authentication, Linux system accounts must also exist before provisioning, typically accomplished via sssd.

Using Groups in RStudio Connect#

Groups can be created in RStudio Connect

  • Automatically when a group member logs in for the first time by setting the <AuthProvider>.GroupsAutoProvision setting; or

  • Manually in the Groups dashboard or via the RStudio Connect Server API.

In either case, group memberships will be fetched from the authentication provider.

Automatic provisioning is preferable when you want all of a user's groups to exist in RStudio Connect, while manual provisioning may be preferable when the user belongs to many groups in the authentication provider, only some of which are relevant to RStudio Connect.

Linux Account Provisioning#

Local Linux accounts are always required in RStudio Server Pro and are required in RStudio Connect when using PAM authentication.

These accounts can be created:

  • Manually on the server

  • Automatically from LDAP or Active Directory via sssd

Warning

Manual account creation is not recommended in high-availability or load-balanced configurations, because UIDs must match across nodes.

For more information on sssd, please see the RStudio support article:

In addition, RStudio staff have found these Internet resources to be useful: