Skip to main content
Skip table of contents

Role-Based Access (RBAC) in Shinydocs Pro Control Center

This feature is in early access. Shinydocs will continue to improve RBAC controls within Shinydocs Pro, adding new features we are sure you will love in upcoming releases.

Role-Based Access Control (RBAC) is used to control access to Shinydocs Pro Control Center. This allows administrators to manage access by assigning roles to users or groups, ensuring that only authorized users can access the Control Center.

Currently, you can only control web access to Shinydocs Pro Control Center with OIDC. More granular controls will be released as they are available.

Shinydocs Pro Control Center supports the following identity providers to authenticate users and manage roles for access:

  • None

    • Audit entries in the Control Center Audit will have no context as to which user has performed operations and will show as Anonymous. For auditing with user names, enable Negotiate.

    • No authentication is required. This option allows users to access Shinydocs Pro without verifying their identity. This option is not secure and should only be used for testing and troubleshooting purposes.

      image-20240925-181252.png
  • Negotiate

    • Negotiate currently does not offer granular control over access to Shinydocs Control Center. When Negotiate is enabled, users with valid domain credentials will be able to access the Control Center if you have the application open on the network (0.0.0.0).

      • If you wish to prevent this, ensure the application is only binding to localhost (127.0.0.1)

      • Administrators of the application can access it by Remote Desktop.

    • Negotiate is an authentication protocol that lets the server and client negotiate via Kerberos using Windows Integrated Authentication.

      image-20240925-181354.png
  • OpenID Connect (OIDC)

    • OpenID Connect is an identity layer built on OAuth 2.0, allowing clients to verify the user's identity based on authentication by an authorization server (Azure AD/Entra ID).

      image-20240925-181458.png

Using OpenID Connect in Entra/Azure

Using OpenID Connect in Entra/Azure

Shinydocs Pro Control Center Access Diagrams - OpenID.png

Shinydocs Pro Control Center with Azure OpenID Authentication

There are many ways to perform these actions within your organization. You can perform these actions in your preferred method, for this guide we will focus on using one method.

Requirements:

  • Shinydocs Pro Control Center is set up and running

  • Access to Azure/Entra Portal with permissions to:

    • Create a new App Registration

    • Set API permissions and roles

    • Assign users and groups to the app

Instructions

  1. Register an App in Azure

    1. Go to portal.azure.com

    2. Navigate to Azure Active Directory > App registrations

    3. Click New Registration

      1. Name your app (e.g., "Shinydocs Pro Control Center")

      2. Redirect URI: Enter
        https://[ShinydocsProServerName]/api/v1/oidc/signin-callback.
        Replace [ShinydocsProServerName] with your actual server name
        Note: If the Shinydocs Server has an FQDN, use that instead of [ShinydocsProServerName]

      3. Click Register to create the app

  2. Configure OpenID Connect

    1. In the new app registration, go to Authentication

      1. Redirect URI should be set to:
        https://[ShinydocsProServerName]/api/v1/oidc/signin-callback.

      2. Under Implicit grant, check both Access tokens and ID tokens

      3. Click Save

  3. Create a Client Secret

    1. Go to Certificates & Secrets

    2. Click New client secret

      1. Description: Enter a name (e.g., "Shinydocs Pro Secret")

      2. Expires: Set an expiry period following your organizations security practices

    3. Click Add

    4. Copy the secret key (save it securely - you’ll need this later).

  4. Set App Roles

    1. Go to App roles

    2. Click Create app role

      1. Display Name: ShinydocsControlCenter

      2. Allowed member types: Select Users/Groups

      3. Click Save

  5. Configure API Permissions

    1. Go to API permissions

      1. Click Add a permission > Microsoft Graph

      2. Select Delegated permissions, and add:

        1. openid

        2. profile

        3. email

        4. User.Read

        5. offline_access

        6. Directory.Read.All

      3. Click Add permissions

      4. Click Grant admin consent to approve these permissions.

  6. Assign Users and Groups to the App

    1. Go to Azure Active Directory > Enterprise applications

    2. Find and select your Shinydocs Pro Control Center app

    3. Click Users and groups

    4. Click Add user/group

      1. Search for the users or groups to assign to the app

    5. Click Assign to add them.

  7. Configure OpenID in Shinydocs Pro Control Center

    1. In Shinydocs Pro Control Center, go to Settings > Access

    2. Set Identity Provider Type to OpenID

    3. Fill out the following fields:

      1. Authorization:
        https://login.microsoftonline.com/[Azure Tenant ID]
        Replace [Azure Tenant ID] with your Azure tenant ID
        Client ID: The Client ID from your app registration
        Client Secret: The secret key you created

    4. Save changes, Shinydocs Pro Control Center will restart automatically

  8. Add a Role in Shinydocs Pro Control Center

    1. Go to Settings > Access > Roles

    2. In Add a role, type ShinydocsControlCenter
      IMPORTANT: Make sure the name matches exactly

    3. Press Enter to add the role.

  9. Save Changes and Test

    1. Save changes and allow Shinydocs Pro Control Center to restart automatically

    2. Test access by logging in with a user assigned to the ShinydocsControlCenter role.

If you use Azure/Entra for OpenID, you will be presented with the Microsoft sign-in page.

Recovery

If you're locked out of Shinydocs Pro Control Center because of a configuration issue, you can use the appsettings.json file to override the settings temporarily. Follow these simple steps to recover access.

Step 1: Locate the appsettings.json File

  1. Go to the install directory for Shinydocs Pro Control Center.

    • The path is:
      [Drive]:\[Install directory]\Shinydocs Professional\ControlCenter

  2. Open the appsettings.json file using a text editor like Notepad.

Step 2: Understand the Overrides

The settings in appsettings.json can override your database configuration. Only use these for recovery purposes.

Each section is commented out with // to prevent it from running. You'll remove the // to activate the section you want to use.

Here’s what each section does:

  • Negotiate Authentication

    CODE
    ,"IdentityProvider": {
      "Negotiate": {
        "Enabled": true
      }
    }
    • Uncomment this section to enable Negotiate authentication.

    • Set "Enabled": false to disable all authentication temporarily, which lets you access the Control Center without any login.

  • OpenID Connect (OIDC) Authentication

    CODE
    ,"IdentityProvider": {
      "Oidc": {
        "Authority": "",
        "ClientId": "",
        "ClientSecret": ""
      }
    }
    • Uncomment and fill in these values to override OIDC settings for Azure/Entra.

      • Authority: Your OpenID Connect authority URL.

      • ClientId: The Client ID from your Azure/Entra app registration.

      • ClientSecret: The Secret Key from the app registration.

  • Access Roles (OpenID)

    CODE
    ,"Access": {
      "HasControlCenterAccess": []
    }
    • Uncomment this section and add roles to override which Active Directory (AD) or OpenID roles can access the Control Center.

    • You can add multiple roles by putting them in the brackets as a list.

Step 3: Save your changes and restart

Once you have saved the file, restart the Shinydocs Control Center service. Once you navigate to the Control Center home page, your new settings will be applied. You may need to clear your browser's cache.

If you are still unauthorized, that means your configuration did not work, please check the Control Center logs for more details. You can set negotiate to false to disable authentication (details below) if you need to investigate the issue further.

Step 4: Fix your configuration

The override is a temporary solution. Shinydocs Pro Control Center will display a warning in the Settings > Access section if you are using the override. You need to properly configure your Negotiate setup or OpenID in the Contol Panel UI (Settings > Access). Before saving your changes, you will need to add the comments back to the settings file and then save your changes in the Control Center UI. Shinydocs Pro Control Center will restart automatically with your new configuration.

JSON
  // This configuration overrides the database configuration
  // ONLY USE IN RECOVERY SCENARIO ⬇
  
  /*
  ,"IdentityProvider": {
    "Negotiate": {
      "Enabled": true
    }
  }
  */
  
 /* 
  ,"IdentityProvider": {
    "Oidc": {
      "Authority": "",
      "ClientId": "",
      "ClientSecret": ""
    }
  }
  */
  
  /*
  ,"Access": {
    "HasControlCenterAccess": [],
    "HasSearchAccess": []
  }
  */

Example Scenarios

Scenario 1: You want to disable all authentication to access the Control Center directly.

  • Uncomment Negotiate section.

  • Set "Enabled": false.

  • Leave all other sections commented out.

CODE
,"IdentityProvider": {
  "Negotiate": {
    "Enabled": false
  }
}

Scenario 2: You need to override OpenID Connect (OIDC) settings temporarily.

  • Uncomment OIDC section.

  • Fill in the "Authority", "ClientId", and "ClientSecret" with the correct values.

  • Leave Negotiate and Access sections commented out unless you need to change them as well.

CODE
,"IdentityProvider": {
  "Oidc": {
    "Authority": "https://login.microsoftonline.com/your-tenant-id",
    "ClientId": "your-client-id",
    "ClientSecret": "your-client-secret"
  }
}

Scenario 3: You want to change which AD/OpenID roles have access to the Control Center.

  • Uncomment Access section.

  • Add roles to the HasControlCenterAccess array (e.g., "HasControlCenterAccess": ["RoleName1", "RoleName2"]).

  • Leave Negotiate and OIDC sections commented out unless you also need to change authentication settings.

CODE
,"Access": {
  "HasControlCenterAccess": ["ShinydocsAdmin", "ShinydocsUser"]
}

Scenario 4: You need to enable Negotiate (Windows authentication) again after disabling it.

  • Uncomment Negotiate section.

  • Set "Enabled": true.

  • Leave OIDC and Access sections commented out if you don't need to override them.

CODE
,"IdentityProvider": {
  "Negotiate": {
    "Enabled": true
  }
}

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.