Provisioning Users and Groups for RStudio Pro Products#
Provisioning users and groups in RStudio Pro Products can be done in a variety of different ways.
RStudio Workbench users and groups must exist on the underlying Linux server, whereas RStudio Connect users usually do not, so user and group provisioning works quite differently between the two products.
In RStudio Workbench, users and groups must exist in the underlying Linux server. RStudio Workbench has no notion of users and groups that are distinct from those on the Linux server, so provisioning users and groups for RStudio Workbench is the same as provisioning Linux users and groups on the server.
Generally, you will want your authentication provider's groups to be used in RStudio Workbench and you will configure both Linux users and Linux groups to be provisioned from your authentication provider. It is always possible to have users provisioned by your authentication provider and to manually manage Linux groups on the server.
Provisioning Options In RStudio Workbench#
- Default/System: Manually create and manage users and groups on the Linux server.
- All Other: Create Linux users manually or automatically via sssd.
RStudio Connect requires that users be provisioned in RStudio Connect itself. In most configurations, users do not need to be provisioned with local system accounts. All authentication types default to just-in-time provisioning of users, where users are created in RStudio Connect when they are first authenticated.
Should you wish to use the
Applications.RunAsCurrentUser setting, you will need to configure RStudio Connect for PAM authentication and to provision Linux users corresponding to authenticated users in RStudio Connect via sssd.
User Provisioning in RStudio Connect#
For all authentication types, the default is to allow just-in-time provisioning of user accounts on a user's first login. This can be disabled by setting the
<AuthType>.RegisterOnFirstLogin setting to
Generally you will only disable this setting if you want to do all user provisioning ahead-of-time.
If using PAM authentication, the corresponding Linux user must already have been created on the server.
If using default/password authentication, users can manually be provisioned via the User dashboard.
For all other authentication types, ahead-of-time user provisioning can only be done via the RStudio Connect User API.
If the product is being configured to use PAM authentication, Linux system accounts must also exist before provisioning, typically accomplished via sssd.
Using Groups in RStudio Connect#
Groups can be created in RStudio Connect
Automatically when a group member logs in for the first time by setting the
Manually in the
Groupsdashboard or via the RStudio Connect Server API.
In either case, group memberships will be fetched from the authentication provider.
Automatic provisioning is preferable when you want all of a user's groups to exist in RStudio Connect, while manual provisioning may be preferable when the user belongs to many groups in the authentication provider, only some of which are relevant to RStudio Connect.
Linux Account Provisioning#
Local Linux accounts are always required in RStudio Workbench and are required in RStudio Connect when using PAM authentication.
These accounts can be created:
Manually on the server
Automatically from LDAP or Active Directory via
Manual account creation is not recommended in high-availability or load-balanced configurations, because UIDs must match across nodes.
For more information on
sssd, please see the RStudio support article:
In addition, RStudio staff have found these Internet resources to be useful: