Support

Automatically Assigning Roles to RStudio Connect Users

Follow

In RStudio Connect 1.8.4 and later, you can automatically assign RStudio Connect user roles from a group or other attribute returned from your authentication provider. These settings are available for LDAP, SAML, OIDC, or Proxied Authentication and are not available for PAM or built-in password authentication.

There are three possible roles in RStudio Connect - administrator, publisher, and viewer. For more specifics on these roles, please see the RStudio Connect Administration Guide.

This article will walk through the steps to properly configure and troubleshoot this functionality. Complete details on configuration options are in the RStudio Connect Administration Guide.

Groups to Roles

In most cases, you’ll want to map groups from the authentication provider to the RStudio Connect roles. The steps below rely on having groups configured in RStudio Connect.

  1. Determine which groups you want to map to which RStudio Connect roles. For example, let’s suppose you want to accomplish the mapping below.
Group RStudio Connect Role
IT-Administrators Administrator
Data-Science-Leaders Administrator
Data-Science Publisher
Sales Viewer
  1. Add to the Authorization section of the RStudio Connect configuration file. For the configuration above, you’d add:
; /etc/rstudio-connect/rstudio-connect.gcfg
[Authorization]
UserRoleGroupMapping = true
PublisherRoleMapping = Data-Science
AdministratorRoleMapping = Data-Science-Leaders
AdministratorRoleMapping = IT-Administrators

Note that you don’t have to include groups that are getting the viewer role. Anyone not in an enumerated group will be given the Authorization.DefaultUserRole, which defaults to viewer.

  1. Restart RStudio Connect with the new configuration.

Please see the Logging and Troubleshooting section at the bottom of the article for details on troubleshooting.

For complete details, please see the RStudio Connect Administration Guide.

Mapping From an Attribute

You can also use an arbitrary attribute returned by your authentication provider to map to RStudio Connect user roles.

  1. Determine which attribute you wish you use, and how it will map to groups you want to map to which RStudio Connect roles. For example, let’s suppose your authentication provider returned an attribute named Department, and you wanted to accomplish the mapping below.
Department RStudio Connect Role
IT Administrator
Engineering Publisher
HR Viewer
Marketing Viewer
  1. Configure which attribute is to be used for mapping in the authentication section. Depending on your authentication configuration, it will be one of LDAP.UserRoleAttribute, SAML.RoleAttribute, OAuth2.RoleClaim, or ProxyAuth.RoleHeader. For example, if your RStudio Connect server were configured with LDAP, you would add the following to your RStudio Connect configuration file.
; /etc/rstudio-connect/rstudio-connect.gcfg
[LDAP]
UserAttributeRole = Department
  1. Add the mapping from the attribute to the RStudio Connect roles to the RStudio Connect configuration. For the mapping in this case, you would add the following to your RStudio Connect configuration file.
; /etc/rstudio-connect/rstudio-connect.gcfg
[Authorization]
UserRoleMapping = true
PublisherRoleMapping = Engineering
AdministratorRoleMapping = IT

Note that this example doesn’t include the attribute values that are getting the viewer role. Anyone not in an enumerated group will be given the Authorization.DefaultUserRole, which defaults to viewer.

  1. Restart RStudio Connect with the new configuration.

Please see the Logging and Troubleshooting section at the bottom of the article for details on troubleshooting.

For complete details on this setting, please see the RStudio Connect Administration Guide.

Using an Attribute Directly (No Mapping)

In the examples above, the RStudio Connect user roles were mapped from a group or attribute returned by the authentication provider. It is also possible to use an RStudio Connect user role that is directly provided by an attribute. For that attribute to be correctly mapped to RStudio Connect roles, it must only take on the values viewer, publisher, or administrator.

Suppose your authentication provider returns the attribute RSC-Role that is the individual’s role in RStudio Connect. To configure RStudio Connect to get the user’s role from this attribute, you should

  1. Add the attribute to the RStudio Connect configuration file for your authentication type. The field will be one of LDAP.UserRoleAttribute, SAML.RoleAttribute, OAuth2.RoleClaim, or ProxyAuth.RoleHeader. For example, if your server were configured to use LDAP, you would add the following to your configuration.
; /etc/rstudio-connect/rstudio-connect.gcfg
[LDAP]
UserAttributeRole = RSC-Role
  1. Restart RStudio Connect with the new configuration.

Please see the Logging and Troubleshooting section at the bottom of the article for details on troubleshooting.

For more details on configuration, please see the RStudio Connect Administration Guide.

When and How Are Roles Determined

Roles are checked at every login attempt, so user roles can be changed entirely by altering the user’s groups or attributes in the authentication provider. No changes are directly needed in RStudio Connect once role mapping is configured.

If a user is being provisioned for the first time and their group or attribute does not have a match in the configuration, they will be assigned the default defined in Authorization.DefaultUserRole, which itself defaults to viewer. If a user is logging in again and their group or attribute does not have a match in the configuration, they will keep their existing role and will not be reassigned.

If someone were a member of multiple groups with different roles, they will be given the one with the most privileges. For example, from the Groups to Role example, if someone were a member of both the Data-Science and Data-Science-Leaders groups, they would be given the Administrator role. Should you wish to reverse that and give the least permissive role, you can use the Authorization.UserRoleMappingRestrictive.

Logging and Troubleshooting

In order to see the logging below, you should set Logging = true in your authentication provider’s section.

If you run into trouble with this configuration, please feel free to file a ticket with our support team for help.

The following messages may then appear in the /var/log/rstudio-connect.log, depending on your configuration.

LDAP properly matches groups

Matched at least one group as role '<role>'

Mapping matched for any non-LDAP authentication provider

Matched '<provider value>' as role (<role>)

Mapping matched, different from current role

Matched '<provider value>' as new role (<role>), replacing (<previous match role>)

No mapping found for an attribute value

No mapping matches the value '<provider value>'. Retains the current role or applies the default (<role>) for new users

No mapping found for a group value

No mapping matches the values: '<provider value>'. Retains the current role or applies the default (<role>) for new users

Using an attribute (no mapping) with an invalid value (not viewer, publisher, administrator)

Given role '<provider value>' is not a valid role. Retains the current role or applies the default (<role>) for new users

Comments