2. User Management
In this section, you will learn:
- how to add users manually and automatically
- options for locking a user from Workbench
- options for setting user and group limits
- how to track the number of people using Workbench
User Account Management
Every user of Posit Workbench must have a local system account provisioned on the Linux server.
As an administrator, you can either manually create these users, or provision them using LDAP. The latter is preferred because overall user and group management is more straightforward.
Provisioning User Accounts with LDAP
Provisioning users via LDAP should be used when possible. The advantages include using the LDAP server for central identity management of users and groups (including the ability to restrict access to a subset of users), less administrative burden when there is a large user population, and automatically keeping UIDs in sync across multiple nodes.
By also configuring sssd and PAM, users will be automatically provisioned on the Linux server, meaning their local system account and home directory will be created automatically upon initial login.
Automatic user provisioning requires an LDAP server and configuration of sssd and PAM.
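The sssd and PAM setup described above, as an added example that is not taken from the Posit documentation: a shell function that stages a minimal sssd.conf and a PAM fragment so they can be reviewed before installation. The LDAP host, base DN, CA path, domain name, group name and output file names are placeholder assumptions.

```shell
#!/bin/sh
# Added example: stage sssd.conf and a PAM fragment for review before install.
# Host name, base DN, CA path, domain name and group name are placeholders.
stage_ldap_provisioning() {
    out=$1
    group=${2:-workbench-users}   # hypothetical LDAP group allowed to log in
    mkdir -p "$out" || return 1
    cat > "$out/sssd.conf" <<EOF || return 1
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
# Assumes an anonymous bind; a bind DN and its secret would also go here.
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
# Reject the connection unless the server certificate validates.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/example-ca.pem
# Restrict login to one LDAP group instead of every directory user.
access_provider = simple
simple_allow_groups = $group
# Home directory path and shell for entries that do not define them.
fallback_homedir = /home/%u
default_shell = /bin/bash
EOF
    # sssd only accepts a config file that its owner alone can read (0600).
    chmod 600 "$out/sssd.conf" || return 1
    # Lines for the PAM service that handles Workbench logins (file name not
    # given on this page). pam_mkhomedir creates the home directory at first
    # login; umask=0077 keeps it private to the new user.
    cat > "$out/pam-fragment.example" <<'EOF'
auth     required  pam_sss.so
account  required  pam_sss.so
session  required  pam_mkhomedir.so skel=/etc/skel umask=0077
EOF
}
# Usage: stage_ldap_provisioning ./staging workbench-users
```

The staged sssd.conf still has to be installed as root-owned at /etc/sssd/sssd.conf, and the PAM lines merged into the relevant service file by an administrator.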
Manually adding a User
If an LDAP server is unavailable, you can manually add users via a Linux command to create the user’s account (e.g., useradd -m).
Workbench matches the authenticating user to their Linux account by username unless configured to match against another attribute (e.g., SAML).
User Roles
There are four types of users in Posit Workbench:
- Workbench Users: the standard user who can authenticate and start new sessions
- Workbench Administrators: users with added permissions to access the Workbench Admin Dashboard
- Workbench Administrator Superusers: users with additional permissions for Workbench Admin Dashboard access and a narrow set of delegated privileges that are useful in managing and supporting the server
- Server Administrators: not necessarily a named user in Workbench (i.e., not taking a licensed seat), this Linux user is focused on Workbench installation and maintenance on the server
Review the Workbench User Guide to understand the difference between each user type.
Locking User Accounts
Posit Workbench is licensed for a specific quantity of named users.
You can lock a user when a user leaves your organization, or when you need to terminate a user’s access to the server environment permanently. Locking is intended to be a permanent action.
You should review the Posit Workbench Software License Descriptions to confirm your use case for locking a user aligns with the license terms.
Locking a user prevents that user from logging in to Posit Workbench, but it does not delete the system user account or their home directory. You should decide what to do with the data of the locked user as part of your organization’s data management and backup policy.
Tracking User Totals
To remain in compliance with your license and plan for future licensing needs, you will want to keep track of the number of users on your server. In a single server installation or a single cluster with one shared database across all the nodes, you can view the user total by:
- Reviewing the Admin Dashboard
- Using the Workbench CLI
If you have multiple Workbench environments, you’ll need to aggregate the list of users for each environment, counting the total number of unique users across all the environments.
User Sessions
After a user has successfully logged in to Workbench, they can start a session with any of the supported IDEs (i.e., RStudio Pro, VS Code, JupyterLab, and Jupyter Notebook) that are installed on the server. To successfully start sessions, each user must have a home directory.
When a user initiates a session, Workbench will momentarily run as root to initiate a session on behalf of the logged-in user. Once the session is started, session processes will run under the logged-in user’s account. Inside the session, the user will have access to any files on the system that Linux permissions allow their Linux user to access.
Session Management
A session is a running instance of a supported IDE. There are several possible states for a session:
- Active: session is running and in use
- Idle: session is running without recent user interaction or processing
- Suspended: (For RStudio Pro sessions only) The session is not running and Workbench has saved session information to disk. Clicking the session on the home page restores it along with all active work
- Pending: Workbench is in the process of making the session available.
- Shutting Down: The session has been exited by quitting or force quitting, and any unsaved work will be lost
Admins can configure some of the settings that determine when sessions change state. The Workbench User Guide has more detail on its Session Management page.
🚀 Launch the exercise environment!
In the exercise environment you will get experience:
- manually adding users to Workbench
- restricting access to Workbench by LDAP groups
- enabling the Admin Dashboard and viewing user counts and metrics
- familiarizing yourself with the Workbench CLI tool for user management
- obtaining session metrics, configuring session timeouts, and killing sessions