Provisioning Users and Groups for Posit Professional Products

Users and groups in Posit professional products can be provisioned in several ways.

Note

Workbench users and groups must exist on the underlying Linux server, whereas Connect users usually do not, so user and group provisioning works quite differently between the two products.

Workbench

In Workbench, users and groups must exist in the underlying Linux server. Workbench has no notion of users and groups that are distinct from those on the Linux server, so provisioning users and groups for Workbench is the same as provisioning Linux users and groups on the server.

Generally, you will want your authentication provider’s groups to be used in Workbench, so you will configure both Linux users and Linux groups to be provisioned from your authentication provider. Alternatively, it is always possible to have users provisioned by your authentication provider while managing Linux groups manually on the server.

Provisioning Options In Workbench

  • Default/System: Manually create and manage users and groups on the Linux server.
  • All Other: Create Linux users manually or automatically via sssd.

Connect

Connect requires that users be provisioned in Connect itself. In most configurations, users do not need to be provisioned with local system accounts. All authentication types default to just-in-time provisioning of users, where users are created in Connect when they are first authenticated.

Should you wish to use the Applications.RunAsCurrentUser setting, you will need to configure Connect for PAM authentication and to provision Linux users corresponding to authenticated users in Connect via sssd.

User Provisioning in Connect

For all authentication types, the default is to allow just-in-time provisioning of user accounts on a user’s first login. This can be disabled by setting the <AuthType>.RegisterOnFirstLogin setting to false. Generally you will only disable this setting if you want to do all user provisioning ahead-of-time.

Note

If using PAM authentication, the corresponding Linux user must already have been created on the server.

If using default/password authentication, users can manually be provisioned via the User dashboard.

For all other authentication types, ahead-of-time user provisioning can only be done via the Connect User API.

If the product is being configured to use PAM authentication, Linux system accounts must also exist before provisioning, typically accomplished via sssd.

Using Groups in Connect

Groups can be created in Connect:

  • Automatically when a group member logs in for the first time by setting the <AuthProvider>.GroupsAutoProvision setting; or

  • Manually in the Groups dashboard or via the Connect Server API.

In either case, group memberships will be fetched from the authentication provider.

Automatic provisioning is preferable when you want all of a user’s groups to exist in Connect, while manual provisioning may be preferable when the user belongs to many groups in the authentication provider, only some of which are relevant to Connect.

Linux Account Provisioning

Local Linux accounts are always required in Workbench and are required in Connect when using PAM authentication.

These accounts can be created:

  • Manually on the server

  • Automatically from LDAP or Active Directory via sssd

Note

Manual account creation is not recommended in high-availability or load-balanced configurations, because UIDs must match across nodes.
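
The UID-matching requirement in the note above can be checked before nodes go behind a load balancer. The following is an added example, not part of Posit's documentation or tooling: it compares `getent passwd` output collected from each node and reports accounts whose UID/GID differ, accounts missing on some nodes, and UIDs held by different names. The node names, accounts and the 1000 UID floor are constructed assumptions.

```python
# Added example: detect UID/GID drift across nodes from `getent passwd` output.
# Node names and accounts below are constructed sample data.
NODE_PASSWD = {
    "node-a": "alice:x:1001:1001::/home/alice:/bin/bash\n"
              "bob:x:1002:1002::/home/bob:/bin/bash\n"
              "carol:x:1003:1003::/home/carol:/bin/bash\n",
    "node-b": "alice:x:1001:1001::/home/alice:/bin/bash\n"
              "bob:x:1003:1003::/home/bob:/bin/bash\n"       # bob drifted
              "carol:x:1002:1002::/home/carol:/bin/bash\n",  # carol drifted
    "node-c": "alice:x:1001:1001::/home/alice:/bin/bash\n"
              "bob:x:1002:1002::/home/bob:/bin/bash\n",      # carol missing
}


def parse_passwd(text, min_uid=1000):
    """Return {user: (uid, gid)} for accounts at or above min_uid."""
    accounts = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue  # skip blank, comment and malformed lines
        if int(fields[2]) >= min_uid:
            accounts[fields[0]] = (int(fields[2]), int(fields[3]))
    return accounts


def find_drift(node_passwd, min_uid=1000):
    """Return (mismatched, missing, collisions) across all nodes."""
    parsed = {n: parse_passwd(t, min_uid) for n, t in node_passwd.items()}
    mismatched, missing, uid_owners = {}, {}, {}
    for user in sorted(set().union(*parsed.values())):
        seen = {n: a[user] for n, a in parsed.items() if user in a}
        if len(set(seen.values())) > 1:
            mismatched[user] = seen          # same name, different UID/GID
        absent = sorted(set(parsed) - set(seen))
        if absent:
            missing[user] = absent           # account not present everywhere
        for uid, _gid in seen.values():
            uid_owners.setdefault(uid, set()).add(user)
    # A UID that maps to different names on different nodes means files on
    # shared storage appear owned by a different user depending on the node.
    collisions = {u: sorted(o) for u, o in uid_owners.items() if len(o) > 1}
    return mismatched, missing, collisions


if __name__ == "__main__":
    for label, result in zip(("MISMATCH", "MISSING", "COLLISION"),
                             find_drift(NODE_PASSWD)):
        for key, detail in result.items():
            print(f"{label} {key}: {detail}")
```

Any non-empty result means the nodes disagree about account identity and should be reconciled, or switched to sssd-backed provisioning, before the cluster serves users.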

For more information on sssd, please see the Posit support article:

In addition, Posit staff have found these Internet resources to be useful: