RStudio Connect Viewer Account Permissions to Hide Other Users

Hi,

Is there a way to set RStudio Connect viewer account permissions such that the viewer will not be able to see who else has permission to the Shiny app?
We tried setting Authorization.UsersListingMinRole to publisher but this doesn't stop a viewer from seeing who else has access to applications they have access to.

Best,
Gibran


Thanks for sharing this point! We have some work in the pipeline related to these types of permissions, and will definitely record your use case in our feature tracker so that we can keep it in mind as we improve this story!

Unfortunately, I do not believe there is a straightforward way to accomplish this today (i.e. you would need to deploy separate apps, or reduce privileges to anonymous... both pretty much show stoppers). UserListingMinRole is mostly about the ability to "list" users (i.e. for the People page). In an application's ACLs, the users are "already enumerated."

One other approach that you might take to this problem is to use groups to abstract away the names of users in your ACLs. Instead of "Cole and Sally have access," it might be "Users Of App 5." In RStudio Connect 1.7.2 (just announced last week), we announced support for groups on all authentication providers. There is some other fun stuff in that release too!

https://blog.rstudio.com/2019/03/22/announcing-rstudio-connect-1-7-2/


Thanks a lot, Cole. Looking forward to the new permissions feature. Is there an estimated date when it could be available?

The group feature also looks like a good solution to the problem if the user would not be able to see who else is a member. For some reason, we are not able to get groups working yet, but I may open a separate thread for that.

Thanks again.

Glad to hear that the group feature may be helpful for you @gibran! Do you mind my asking what authentication provider you are using? RStudio Connect 1.7.2 just added group support for other auth providers (previously, groups were only available for Google OAuth 2.0 and LDAP/ActiveDirectory). It may be that upgrading could solve your group problems!

Unfortunately, we do not have any timeline attached to our implementation of more granular permissions. Revamping the permissions structure is something we plan to do carefully and so timeline is a secondary concern :slight_smile: We would much rather do it right!

In the meantime, if you are using a non-LDAP authentication source (i.e. and groups are defined within Connect), programmatic management of groups might be helpful for you:

https://docs.rstudio.com/connect/api/#groups
https://docs.rstudio.com/connect/user/cookbook.html#create-an-rstudio-connect-group-from-ldap

Hey @cole. We're actually on 1.7.2 and using proxied auth since we need to support both SAML and external users through HTTP Basic auth. We tried the group suggestion you made, but it seems like even if the groups header isn't set, any request to RStudio Connect will zero out all the group memberships. It's kind of strange because the table https://blog.rstudio.com/2019/03/22/announcing-rstudio-connect-1-7-2/ says that proxied supports local and remote groups, but it seems like it only supports remote groups. At the very least, it wasn't clear from the documentation how to use local groups.


Thanks for sharing @cwinkowski! Sorry for the trouble there. Proxied auth can admittedly be a bit of a trick to set up!

Specifically with respect to groups, you can have a look at the following section in the admin guide.

https://docs.rstudio.com/connect/admin/group-management.html#proxied-authentication-group-membership-management

Proxied Authentication can use "local groups," which means groups defined at the RStudio Connect server level only and maintained either in the UI or via the RStudio Connect Server API. However, when it uses "remote groups," it is offloading group management to the proxy (your "remote" proxied authentication provider). In that setup, you should set ProxyAuth.GroupsHeader and ProxyAuth.GroupsAutoProvision. Note also the existence of the option to use ProxyAuth.GroupsAutoRemoval.

If you are having trouble getting this working, please feel free to open a support ticket and we will be happy to assist you in a more formal fashion!

EDIT: "Local groups" are defined in the "People" pane in the UI. Go to People > Groups, and Admins will be able to create / manage group membership. As I mentioned above, membership / group creation can also be managed via REST requests to the RStudio Connect Server API (see https://docs.rstudio.com/connect/api/ )

Thanks a lot, @cole. We were able to get groups working but it seems that doesn't really solve what we were trying to do. It seems that everyone in a group is able to see who else is in that group. Is there a way to set the permissions of a viewer inside a group where they are not able to see who else is in the group?

Best,
Gibran

Thanks for clarifying @gibran, and I'm very sorry for your trouble. That is much less-than-ideal behavior. Similar to above, in this case the groups are doing the user enumeration :sob:

We are in the process of thinking through a more granular permission structure in RStudio Connect that would hopefully allow this type of fine-grained control over access (as I mentioned above... I'm basically just a :parrot:). We will record your use case so we are sure to keep it in mind during that feature work!

In the meantime, I know this is less than ideal, but it might be worth thinking about "remote groups," i.e. managed by the proxy. In this setup, the Connect Groups Dashboard is turned off and group management / membership is only done through the authentication proxy and the Connect Server API (by an admin). This is described in more detail in the documentation below:

https://docs.rstudio.com/connect/admin/group-management.html#proxied-authentication-provisioned-groups

Following up here, I was unfortunately mistaken - the Groups dashboard is not "turned off" during remote group management. The button to access it is gone and the dashboard is not, therefore, "navigable," but the group membership information is still accessible. As a result, your best bet is probably to wait until we clean this story up. Very sorry for the difficulty!

Thanks a lot, @cole. Please update whenever it is implemented. Thanks again for all your help.


One quick update on this one. RStudio Connect 1.7.6 was just released, and supports a configuration option for: Authorization.ViewersCanOnlySeeThemselves. If this idea was or is interesting to you, please check it out and let us know how it goes! If you have more feedback, places where you would like to see this functionality improved / expanded / changed in the future, or questions, please feel free to start a new thread!

https://blog.rstudio.com/2019/06/24/rstudio-connect-1-7-6/

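Added example, not part of the thread and not RStudio's code: a small audit of an `rstudio-connect.gcfg` for the settings discussed above, reporting whether viewers can still enumerate other users on a given Connect version. The finding codes, the sample config and the `X-Example-Groups` header name are assumptions made for illustration; the setting names and the 1.7.6 version boundary come from the posts.

```python
import configparser

# Constructed sample config (not from the thread); the header name is a placeholder.
SAMPLE_GCFG = """
; rstudio-connect.gcfg (constructed sample)
[Authorization]
UsersListingMinRole = publisher

[ProxyAuth]
GroupsHeader = X-Example-Groups
GroupsAutoProvision = true
"""

TRUTHY = {"true", "yes", "on", "1"}


def load_settings(gcfg_text):
    """Parse gcfg text into {section: {key: value}} with lowercased names."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(gcfg_text)
    return {name.lower(): dict(parser[name]) for name in parser.sections()}


def audit_viewer_visibility(gcfg_text, connect_version):
    """Return finding codes for the user-enumeration settings from the thread."""
    cfg = load_settings(gcfg_text)
    auth = cfg.get("authorization", {})
    proxy = cfg.get("proxyauth", {})
    version = tuple(int(part) for part in connect_version.split("."))

    findings = []
    if version < (1, 7, 6):
        # Per the thread, the option only exists from 1.7.6 onward.
        findings.append("UPGRADE_NEEDED")
    elif auth.get("viewerscanonlyseethemselves", "false").lower() not in TRUTHY:
        findings.append("VIEWERS_SEE_OTHERS")

    if findings:
        # UsersListingMinRole only governs listing users (the People page).
        if "userslistingminrole" in auth:
            findings.append("LISTING_ROLE_NOT_ENOUGH")
        # Remote (proxy-managed) groups still expose membership, per the thread.
        if proxy.get("groupsheader"):
            findings.append("REMOTE_GROUPS_STILL_VISIBLE")
    return findings


if __name__ == "__main__":
    for ver in ("1.7.2", "1.7.6"):
        print(ver, audit_viewer_visibility(SAMPLE_GCFG, ver))
```
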