Role-Based Access (RBAC) in Shinydocs Pro Control Center
This feature is in early access. Shinydocs will continue to improve RBAC controls within Shinydocs Pro, adding new features we are sure you will love in upcoming releases.
Role-Based Access Control (RBAC) is used to control access to Shinydocs Pro Control Center. This allows administrators to manage access by assigning roles to users or groups, ensuring that only authorized users can access the Control Center.
Currently, you can only control web access to Shinydocs Pro Control Center with OIDC. More granular controls will be released as they are available.
Shinydocs Pro Control Center supports the following identity providers to authenticate users and manage roles for access:
None
Audit entries in the Control Center Audit will have no context as to which user has performed operations and will show as Anonymous. For auditing with user names, enable Negotiate.
No authentication is required. This option allows users to access Shinydocs Pro without verifying their identity. This option is not secure and should only be used for testing and troubleshooting purposes.
Negotiate
Negotiate currently does not offer granular control over access to Shinydocs Control Center. When Negotiate is enabled, users with valid domain credentials will be able to access the Control Center if you have the application open on the network (0.0.0.0).
If you wish to prevent this, ensure the application is only binding to localhost (127.0.0.1).
Administrators of the application can access it by Remote Desktop.
Negotiate is an authentication protocol that lets the server and client negotiate via Kerberos using Windows Integrated Authentication.
OpenID Connect (OIDC)
OpenID Connect is an identity layer built on OAuth 2.0, allowing clients to verify the user's identity based on authentication by an authorization server (Azure AD/Entra ID).
Recovery
If you're locked out of Shinydocs Pro Control Center because of a configuration issue, you can use the appsettings.json file to override the settings temporarily. Follow these simple steps to recover access.
Step 1: Locate the appsettings.json File
Go to the install directory for Shinydocs Pro Control Center.
The path is:
[Drive]:\[Install directory]\Shinydocs Professional\ControlCenter
Open the appsettings.json file using a text editor like Notepad.
Step 2: Understand the Overrides
The settings in appsettings.json can override your database configuration. Only use these for recovery purposes.
Each section is commented out with // to prevent it from running. You'll remove the // to activate the section you want to use.
Here’s what each section does:
Negotiate Authentication
,"IdentityProvider": {
  "Negotiate": {
    "Enabled": true
  }
}
Uncomment this section to enable Negotiate authentication.
Set "Enabled": false to disable all authentication temporarily, which lets you access the Control Center without any login.
OpenID Connect (OIDC) Authentication
,"IdentityProvider": {
  "Oidc": {
    "Authority": "",
    "ClientId": "",
    "ClientSecret": ""
  }
}
Uncomment and fill in these values to override OIDC settings for Azure/Entra.
Authority: Your OpenID Connect authority URL.
ClientId: The Client ID from your Azure/Entra app registration.
ClientSecret: The Secret Key from the app registration.
Access Roles (OpenID)
,"Access": {
  "HasControlCenterAccess": []
}
Uncomment this section and add roles to override which Active Directory (AD) or OpenID roles can access the Control Center.
You can add multiple roles by putting them in the brackets as a list.
Step 3: Save your changes and restart
Once you have saved the file, restart the Shinydocs Control Center service. Once you navigate to the Control Center home page, your new settings will be applied. You may need to clear your browser's cache.
If you are still unauthorized, your configuration did not work; please check the Control Center logs for more details. You can set Negotiate to false to disable authentication (details below) if you need to investigate the issue further.
Step 4: Fix your configuration
The override is a temporary solution. Shinydocs Pro Control Center will display a warning in the Settings > Access section if you are using the override. You need to properly configure your Negotiate setup or OpenID in the Control Panel UI (Settings > Access). Before saving your changes, you will need to add the comments back to the settings file and then save your changes in the Control Center UI. Shinydocs Pro Control Center will restart automatically with your new configuration.
// This configuration overrides the database configuration
// ONLY USE IN RECOVERY SCENARIO ⬇
/*
,"IdentityProvider": {
  "Negotiate": {
    "Enabled": true
  }
}
*/
/*
,"IdentityProvider": {
  "Oidc": {
    "Authority": "",
    "ClientId": "",
    "ClientSecret": ""
  }
}
*/
/*
,"Access": {
  "HasControlCenterAccess": [],
  "HasSearchAccess": []
}
*/
Example Scenarios
Scenario 1: You want to disable all authentication to access the Control Center directly.
Uncomment Negotiate section.
Set "Enabled": false.
Leave all other sections commented out.
,"IdentityProvider": {
  "Negotiate": {
    "Enabled": false
  }
}
Scenario 2: You need to override OpenID Connect (OIDC) settings temporarily.
Uncomment OIDC section.
Fill in the "Authority", "ClientId", and "ClientSecret" with the correct values.
Leave Negotiate and Access sections commented out unless you need to change them as well.
,"IdentityProvider": {
  "Oidc": {
    "Authority": "https://login.microsoftonline.com/your-tenant-id",
    "ClientId": "your-client-id",
    "ClientSecret": "your-client-secret"
  }
}
Scenario 3: You want to change which AD/OpenID roles have access to the Control Center.
Uncomment Access section.
Add roles to the HasControlCenterAccess array (e.g., "HasControlCenterAccess": ["RoleName1", "RoleName2"]).
Leave Negotiate and OIDC sections commented out unless you also need to change authentication settings.
,"Access": {
  "HasControlCenterAccess": ["ShinydocsAdmin", "ShinydocsUser"]
}
Scenario 4: You need to enable Negotiate (Windows authentication) again after disabling it.
Uncomment Negotiate section.
Set "Enabled": true.
Leave OIDC and Access sections commented out if you don't need to override them.
,"IdentityProvider": {
  "Negotiate": {
    "Enabled": true
  }
}
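Added example (not Shinydocs code): a Python check an administrator can run after recovery to confirm that the override sections in appsettings.json are commented out again, as Step 4 requires, and to flag a leftover Scenario 1 override that leaves the Control Center without login. The sample file contents, including the ExistingSetting key, are constructed for illustration; only the IdentityProvider and Access keys come from this page.

```python
import json
import re

# Matches a JSON string, a // line comment, or a /* */ block comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)

def strip_comments(text):
    """Drop comments but keep strings intact, so "https://..." survives."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)

def audit_overrides(text):
    """Return findings for recovery overrides that are active (uncommented)."""
    cfg = json.loads(strip_comments(text))
    idp = cfg.get("IdentityProvider", {})
    findings = []
    negotiate = idp.get("Negotiate")
    if negotiate is not None:
        if negotiate.get("Enabled") is False:
            findings.append("CRITICAL: authentication disabled (Negotiate.Enabled=false)")
        else:
            findings.append("WARN: Negotiate override active")
    oidc = idp.get("Oidc")
    if oidc is not None:
        findings.append("WARN: OIDC override active")
        if oidc.get("ClientSecret"):
            findings.append("WARN: ClientSecret stored in clear text in the file")
    if "Access" in cfg:
        roles = cfg["Access"].get("HasControlCenterAccess", [])
        findings.append("WARN: Access override active, roles=%s" % roles)
    return findings

# Constructed sample: "ExistingSetting" stands in for the file's real contents.
HEAD = '{\n  "ExistingSetting": "placeholder"\n  // ONLY USE IN RECOVERY SCENARIO\n'
CLEAN = HEAD + '  /*\n  ,"IdentityProvider": {"Negotiate": {"Enabled": true}}\n  */\n}'
SCENARIO_1 = HEAD + '  ,"IdentityProvider": {"Negotiate": {"Enabled": false}}\n}'
SCENARIO_2 = HEAD + ('  ,"IdentityProvider": {"Oidc": {"Authority": '
                     '"https://login.microsoftonline.com/your-tenant-id", '
                     '"ClientId": "your-client-id", "ClientSecret": "your-client-secret"}}\n'
                     '  /*\n  ,"Access": {"HasControlCenterAccess": []}\n  */\n}')

if __name__ == "__main__":
    for name, text in (("clean", CLEAN), ("scenario 1", SCENARIO_1), ("scenario 2", SCENARIO_2)):
        print(name, audit_overrides(text) or "no active overrides")
```

An empty result means every override section is still commented out and the configuration saved in the Control Center UI is the one in effect.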