Role Based Access Control With MRS 9.1.0

In the latest release, Microsoft R Server (MRS) 9.1, we can configure role-based access control (RBAC) to determine which users can publish, modify and delete web services.

There are three roles in MRS 9.1, and each role has a defined set of permissions for what its members can and cannot do.

  • Owner: users assigned to this role can manage any service.
  • Contributor: users assigned to this role can publish and manage their services. They cannot manage the services of others.
  • Reader: a catchall role implicitly given to any authenticated user that is not assigned another role.

These roles are then mapped to one or more security groups in Active Directory where AD administrators can add users into the security groups.

In this document we will assume that you have an Active Directory instance set up and running.

For more information on how to set up Active Directory click here

Configure Active Directory

We shall create new security groups and add members to those groups. The groups will later be assigned to roles in the MRS appsettings.json file.
To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

Launch Active Directory Users and Computers


Create Users in Active Directory

AD administrators can create new users; click here for a detailed document on creating users in AD.

When you select the option to create a new user, you will see a dialog box where you can enter user details and user logon details.


Create Groups in Active Directory

Groups in Active Directory Domain Services (AD DS) are directory objects that reside in a domain and in organizational unit (OU) container objects.

Click here to Create a New Group in AD


In this example we have created two groups, MRSAdmin and DataScientist:

The Owner role will be assigned to the MRSAdmin group.

The Contributor role will be assigned to the DataScientist group.


Add User to Group

AD and MRS administrators will need to collaborate here to identify which users will be added to each group and which groups will be assigned which roles.

In this example we are adding azureuser to the MRSAdmin group, which is associated with the Owner role.

Click here to add user to group
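
The group creation and membership steps above can also be scripted and then reviewed from the command line. The PowerShell below is an added example, not part of the original article or of Microsoft's documentation. It assumes the ActiveDirectory module is installed and that you have rights to create groups; the OU path `OU=MRS,DC=example,DC=com` is a constructed placeholder.

```powershell
# Added example: scripted equivalent of the GUI steps in this article.
# Assumption: ActiveDirectory module (RSAT) is available on this machine.
Import-Module ActiveDirectory

# Constructed placeholder; replace with an OU from your own domain.
$GroupPath = 'OU=MRS,DC=example,DC=com'

# Role-to-group mapping used in this article.
$RoleGroups = [ordered]@{
    Owner       = 'MRSAdmin'
    Contributor = 'DataScientist'
}

foreach ($role in $RoleGroups.Keys) {
    $name = $RoleGroups[$role]
    # Create the security group only if it does not already exist.
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -SamAccountName $name `
            -GroupCategory Security -GroupScope Global `
            -Path $GroupPath -Description "MRS $role role"
    }
}

# Add azureuser to the group mapped to the Owner role, skipping the call
# if the account is already a member.
$current = Get-ADGroupMember -Identity 'MRSAdmin' |
    Select-Object -ExpandProperty SamAccountName
if ($current -notcontains 'azureuser') {
    Add-ADGroupMember -Identity 'MRSAdmin' -Members 'azureuser'
}

# Review step: list direct and nested members of each role group so the
# AD and MRS administrators can confirm who holds Owner and Contributor.
foreach ($role in $RoleGroups.Keys) {
    Get-ADGroupMember -Identity $RoleGroups[$role] -Recursive |
        Select-Object @{n = 'Role';  e = { $role }},
                      @{n = 'Group'; e = { $RoleGroups[$role] }},
                      SamAccountName, objectClass
}
```

Any authenticated user who does not appear in this output falls into the implicit Reader role described earlier.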


Configure Microsoft R Server Operationalization for RBAC

We have now configured AD, set up groups and assigned users to those groups. The next step is to set up the MRS O16N server to authenticate using LDAP and to configure authorization.

Click here to configure LDAP in MRS O16N server

Click here to configure roles in MRS O16N server

Our example web node appsettings.json file looks like below; modify your settings file and restart the web node server.

Note: In our example, the searchFilter (CN) and UniqueUserIdentifierAttributeName (UserPrincipalName) attribute values in the LDAP system were both the same; the UPN didn't have any suffix or domain name values.

 

For a comprehensive view of all the capabilities in Microsoft R Server 9.1, refer to this blog

Author: Siddharth Choudhary, Rasha Mahmoud