Skip to main content
Skip table of contents

Role-Based Access (RBAC) in Shinydocs Pro Control Center

This feature is in early access. Shinydocs will continue to improve RBAC controls within Shinydocs Pro, adding new features we are sure you will love in upcoming releases.

Role-Based Access Control (RBAC) is used to control access to Shinydocs Pro Control Center. This allows administrators to manage access by assigning roles to users or groups, ensuring that only authorized users can access the Control Center.

Shinydocs Pro Control Center supports the following identity providers to authenticate users and manage roles for access:

image-20250815-184148.png
image-20250815-184218.png

  • None (default)

    • Audit entries in the Control Center Audit will have no context as to which user has performed operations and will show as Anonymous. For auditing with user names, enable Negotiate.

    • No authentication is required. This option allows users to access Shinydocs Pro without verifying their identity. This option is not secure and should only be used for testing and troubleshooting purposes.

  • Negotiate (Active Directory users & groups)

    • Negotiate currently does not offer granular control over access to Shinydocs Control Center. When Negotiate is enabled, users with valid domain credentials will be able to access the Control Center if you have the application open on the network (0.0.0.0).

      • If you wish to prevent this, ensure the application is only binding to localhost (127.0.0.1)

      • Administrators of the application can access it by Remote Desktop.

    • Negotiate is an authentication protocol that lets the server and client negotiate via Kerberos using Windows Integrated Authentication.

  • OpenID Connect (OIDC) (Entra/similar users and roles)

    • OpenID Connect is an identity layer built on OAuth 2.0, allowing clients to verify the user's identity based on authentication by an authorization server (Azure AD/Entra ID).

Using Negotiate

Using Negotiate

image-20250815-184311.png

Important note!

During this setup, if you are creating groups/accounts in your active directory, you will need to restart the Shinydocs Pro machines. Windows requires this restart to cache the newly created groups.

Requirements

  • Shinydocs Pro Control Center is running on a domain-joined server

  • Administrative access to Active Directory with the ability to:

    • Create a new Security Group

    • Add users or groups

    • Access to Shinydocs Pro Control Center

Recommendations

If your server supports snapshots/checkpoint/etc. for quick backups, it is recommended that you take a snapshot before proceeding in case you lock your self out. There are built-in ways to unlock yourself, but restoring from a snapshot is MUCH easier.

Shinydocs recommends you start small and simple, adding complexity only as needed. Unless your organization has specific rules around Active Directory users and groups, you are welcome to use this recommended configuration.

You will want two security groups in Active Directory:

  1. ShinydocsAdministrators

    1. The user you are logged into the Shinydocs server as MUST be in this group or you will be locked out!

  2. ShinydocsUsers

ShinydocsAdministrators should be a member of ShinydocsUsers

Group

Access

Considerations

ShinydocsAdministrators

The user you are logged into the Shinydocs server as MUST be in this group or you will be locked out!

Will be able to access Control Center UI and Search.

This group is for the most privileged users, the technical and business administrators of Shinydocs Pro. Users in this group will have access to all data in Shinydocs Pro.

ShinydocsUsers

ShinydocsAdministrators should be part of this group to give them access to Search as well!

Will be able to access Streamlined Search only.

This group is for your end-users, who will need access to the Search application. Ensure your sources in Shinydocs Pro are configured as Public or Protected to appear in Search. All results in Search are permission-checked in real-time.

Instructions

IMPORTANT!

If you create the users and groups at this point, you MUST restart the Shinydocs Pro server. Windows will cache AD groups on logon, and if these groups are created while the server is on, the groups will not resolve properly.

  1. On a domain-joined Windows server, open Active Directory Users and Computers

    1. Windows Server does not come with this pre-installed. You will need access to a server (e.g. the domain controller) that can manage Active Directory users and groups

  2. Create the administrators security group ← Skip if you already have groups set up

    1. In the left-side pane, find the Organizational Unit (OU) or Users when you want to create the Security Group for Shinydocs Pro Control Center access

    2. Right-click on the desired location (OU or Users) and select New > Group

    3. In the new window, name your group(example: ShinydocsAdministrators)

    4. Set Group Scope as Global

    5. Set the Group Type as Security

    6. Click OK to create the group

      image-20250815-184335.png

  3. Create the users security group ← Skip if you already have groups set up

    1. In the left-side pane, find the Organizational Unit (OU) or Users when you want to create the Security Group for Shinydocs Pro Control Center access

    2. Right-click on the desired location (OU or Users) and select New > Group

    3. In the new window, name your role (example: ShinydocsUsers)

    4. Set Group Scope as Global

    5. Set the Group Type as Security

    6. Click OK to create the group

      image-20250815-184409.png

  4. Add Users/Groups to the administrators security group

    1. Find the group you created (ShinydocsAdministrators)

    2. Right-click the group and select Properties

    3. In the Members tab, click add
      IMPORTANT: Make sure the account you use on the Shinydocs Pro server is also assigned this group, otherwise you will be locked out.

    4. In Enter the object names to select, enter the names of the users/groups you want to give access to Shinydocs Pro Control Center or use the find feature.

    5. Click Check Names to ensure they are valid

    6. Click OK to add them

      image-20250815-184433.png

  5. Add Users/Groups to the users security group

    1. Find the group you created (ShinydocsUsers)

    2. Right-click the group and select Properties

    3. In the Members tab, click add

    4. In Enter the object names to select, enter the names of the users/groups you want to give access to Shinydocs Pro Streamlined Search or use the find feature.

    5. Click Check Names to ensure they are valid

    6. Click OK to add them

      image-20250815-184452.png

  6. Select Negotiate as your provider and assign the Groups in Shinydocs Pro

    1. In Shinydocs Pro Control Center, go to Settings > Access

    2. Click the Configure identity provider button

      image-20250815-185900.png

    3. Select Negotiate

      b5cdc13d-fead-4bde-a5a4-8e4d81c98c05.png

    4. click Save & restart

      image-20250815-190126.png

  7. Wait for the service to restart. When you access the site next, you will be prompted for credentials. You need to enter a local account credentials, for example:
    Username: .\administrator (.\ is short for local system instead of domain)
    Password: the account password
    Note: If your domain account is already a local administrator, you can use that account instead.

  8. Under Control Center groups, configure the group(s) with access to the Control Center

    1. This will be the ShinydocsAdministrators group or another group you have in Active Directory

      image-20250815-184532.png

      1. If your group is not appearing in the autocomplete field, you need to restart the server

    2. Under Search groups, configure the group(s) with access to the Control Center

      1. This will be the ShinydocsUsers group or another group you have in Active Directory

        image-20250815-184606.png

    3. Your configuration should look similar to this

      image-20250815-184635.png

    4. Click Save changes and Shinydocs Pro Control Center will restart.

    5. Test the access by attempting to access the control center from another machine that can access the server. In your browser go to:
      https://localhost:9701

If it is configured correctly, you should be authenticated automatically! If you cannot access the site, please review the steps above. Missing one step or having a typo could result in being locked out of the application. See the Recovery section of this article for recovering from a broken authentication state.

Using OpenID Connect in Entra/Azure

Using OpenID Connect in Entra/Azure

image-20250815-184713.png

There are many ways to perform these actions within your organization. You can perform these actions in your preferred method, for this guide we will focus on using one method.

Requirements

  • Shinydocs Pro Control Center is set up and running

  • Access to Azure/Entra Portal with permissions to:

    • Create a new App Registration

    • Set API permissions and roles

    • Assign users and groups to the app

Instructions

  1. Register an App in Azure

    1. Go to portal.azure.com

    2. Navigate to Azure Active Directory > App registrations

    3. Click New Registration

      1. Name your app (e.g., "Shinydocs Pro Control Center")

      2. Redirect URI: Enter
        https://[ShinydocsProServerName]/api/v1/oidc/signin-callback.
        Replace [ShinydocsProServerName] with your actual server name
        Note: If the Shinydocs Server has an FQDN, use that instead of [ShinydocsProServerName]

      3. Click Register to create the app

  2. Configure OpenID Connect

    1. In the new app registration, go to Authentication

      1. Redirect URI should be set to:
        https://[ShinydocsProServerName]/api/v1/oidc/signin-callback.

      2. Under Implicit grant, check both Access tokens and ID tokens

      3. Click Save

  3. Create a Client Secret

    1. Go to Certificates & Secrets

    2. Click New client secret

      1. Description: Enter a name (e.g., "Shinydocs Pro Secret")

      2. Expires: Set an expiry period following your organizations security practices

    3. Click Add

    4. Copy the secret key (save it securely - you’ll need this later).

  4. Set App Roles

    1. Go to App roles

    2. Click Create app role

      1. Display Name: ShinydocsControlCenter

      2. Allowed member types: Select Users/Groups

      3. Click Save

  5. Configure API Permissions

    1. Go to API permissions

      1. Click Add a permission > Microsoft Graph

      2. Select Delegated permissions, and add:

        1. openid

        2. profile

        3. email

        4. User.Read

        5. offline_access

        6. Directory.Read.All

      3. Click Add permissions

      4. Click Grant admin consent to approve these permissions.

  6. Assign Users and Groups to the App

    1. Go to Azure Active Directory > Enterprise applications

    2. Find and select your Shinydocs Pro Control Center app

    3. Click Users and groups

    4. Click Add user/group

      1. Search for the users or groups to assign to the app

    5. Click Assign to add them.

  7. Configure OpenID in Shinydocs Pro Control Center

    1. In Shinydocs Pro Control Center, go to Settings > Access

    2. Click the Configure identity provider button

      image-20250815-190900.png

    3. Select OIDC and click Next

      image-20250815-185115.png

    4. Fill out the following fields:

      image-20250815-185132.png

      1. Authority:
        The URL will vary depending on your authority (Entra/Azure, OKTA, etc.), please see their documentation for more information on which URL you should use.
        For Entra/Azure:
        https://login.microsoftonline.com/<tenantid>/v2.0
        Replace [Azure Tenant ID] with your Azure tenant ID
        For OKTA
        https://[tenantURL].okta.com/oauth2/default
        Replace [tenantURL] with your Okta tenant

      2. Client ID: The Client ID from your app registration

      3. Client Secret: The secret key you created

    5. Save changes, Shinydocs Pro Control Center will restart automatically

  8. Add a Role in Shinydocs Pro Control Center

    1. Go to Settings > Access > Roles

    2. In Add a role, type ShinydocsControlCenter
      IMPORTANT: Make sure the name matches exactly

    3. Press Enter to add the role.

  9. Save Changes and Test

    1. Save changes and allow Shinydocs Pro Control Center to restart automatically

    2. Test access by logging in with a user assigned to the ShinydocsControlCenter role.

If you use Azure/Entra for OpenID, you will be presented with the Microsoft sign-in page.

Recovery

If you're locked out of Shinydocs Pro Control Center because of a configuration issue, you can use the appsettings.json file to override the settings temporarily. Follow these simple steps to recover access.

Step 1: Locate the appsettings.json File

  1. Go to the install directory for Shinydocs Pro Control Center.

    • The path is:
      [Drive]:\[Install directory]\Shinydocs Professional\ControlCenter

  2. Open the appsettings.json file using a text editor like Notepad.

Step 2: Understand the Overrides

The settings in appsettings.json can override your database configuration. Only use these for recovery purposes.

Each section is commented out with // to prevent it from running. You'll remove the // to activate the section you want to use.

Here’s what each section does:

  • Negotiate Authentication

    CODE 
    ,"IdentityProvider": {
  "Negotiate": {
    "Enabled": true
  }
}

    • Uncomment this section to enable Negotiate authentication.

    • Set "Enabled": false to disable all authentication temporarily, which lets you access the Control Center without any login.

  • OpenID Connect (OIDC) Authentication

    CODE 
    ,"IdentityProvider": {
  "Oidc": {
    "Authority": "",
    "ClientId": "",
    "ClientSecret": ""
  }
}

    • Uncomment and fill in these values to override OIDC settings for Azure/Entra.

      • Authority: Your OpenID Connect authority URL.

      • ClientId: The Client ID from your Azure/Entra app registration.

      • ClientSecret: The Secret Key from the app registration.

  • Access Roles (OpenID)

    CODE 
    ,"Access": {
  "HasControlCenterAccess": []
}

    • Uncomment this section and add roles to override which Active Directory (AD) or OpenID roles can access the Control Center.

    • You can add multiple roles by putting them in the brackets as a list.

Step 3: Save your changes and restart

Once you have saved the file, restart the Shinydocs Control Center service. Once you navigate to the Control Center home page, your new settings will be applied. You may need to clear your browser's cache.

If you are still unauthorized, that means your configuration did not work, please check the Control Center logs for more details. You can set negotiate to false to disable authentication (details below) if you need to investigate the issue further.

Step 4: Fix your configuration

The override is a temporary solution. Shinydocs Pro Control Center will display a warning in the Settings > Access section if you are using the override. You need to properly configure your Negotiate setup or OpenID in the Contol Panel UI (Settings > Access). Before saving your changes, you will need to add the comments back to the settings file and then save your changes in the Control Center UI. Shinydocs Pro Control Center will restart automatically with your new configuration.

JSON 
  // This configuration overrides the database configuration
  // ONLY USE IN RECOVERY SCENARIO ⬇
  
  /*
  ,"IdentityProvider": {
    "Negotiate": {
      "Enabled": true
    }
  }
  */
  
 /* 
  ,"IdentityProvider": {
    "Oidc": {
      "Authority": "",
      "ClientId": "",
      "ClientSecret": ""
    }
  }
  */
  
  /*
  ,"Access": {
    "HasControlCenterAccess": [],
    "HasSearchAccess": []
  }
  */

Example Scenarios

Scenario 1: You want to disable all authentication to access the Control Center directly.

  • Uncomment Negotiate section.

  • Set "Enabled": false.

  • Leave all other sections commented out.

CODE 
,"IdentityProvider": {
  "Negotiate": {
    "Enabled": false
  }
}

Scenario 2: You need to override OpenID Connect (OIDC) settings temporarily.

  • Uncomment OIDC section.

  • Fill in the "Authority", "ClientId", and "ClientSecret" with the correct values.

  • Leave Negotiate and Access sections commented out unless you need to change them as well.

CODE 
,"IdentityProvider": {
  "Oidc": {
    "Authority": "https://login.microsoftonline.com/your-tenant-id",
    "ClientId": "your-client-id",
    "ClientSecret": "your-client-secret"
  }
}

Scenario 3: You want to change which AD/OpenID roles have access to the Control Center.

  • Uncomment Access section.

  • Add roles to the HasControlCenterAccess array (e.g., "HasControlCenterAccess": ["RoleName1", "RoleName2"]).

  • Leave Negotiate and OIDC sections commented out unless you also need to change authentication settings.

CODE 
,"Access": {
  "HasControlCenterAccess": ["ShinydocsAdmin", "ShinydocsUser"]
}

Scenario 4: You need to enable Negotiate (Windows authentication) again after disabling it.

  • Uncomment Negotiate section.

  • Set "Enabled": true.

  • Leave OIDC and Access sections commented out if you don't need to override them.

CODE 
,"IdentityProvider": {
  "Negotiate": {
    "Enabled": true
  }
}

Troubleshooting

401 Unauthorized after disabling negotiate due to being locked out.

This is a browser cache issue. Either close your browser and all windows completely or:

  1. Press the F12 key in Edge or Chrome to bring up Dev Tools

  2. Right-click the browser refresh icon and select Empty cache and hard refresh

    image-20250815-185158.png

My Active Directory groups are not showing in the groups autocomplete field.

Windows will cache AD groups on logon, and if these groups are created while the server is on, the groups will not resolve properly. To fix this, simply restart the Shinydocs Pro server and the groups should appear in the dropdown. You may have to type in the first 3 letters to see it if you have many groups.

All of my settings and configuration are right but I’m still getting 403 unauthorized

  1. First, make sure your current account (type whoami and press enter in CMD to see the account you are currently logged into Windows as. Make sure that account is in the group you assigned to Control Center access.

  2. Verify the server is still trusted by the domain

    1. On the server running Shinydocs Pro, open PowerShell as administrator

    2. Run Test-ComputerSecureChannel, if it responds with True the server is trusted and part of the domain

      image-20250815-185228.png

      1. If it returns False, the server Shinydocs Pro Control Center is installed on is no longer trusted by the domain and will need to be resolved before proceeding

      2. More information on this command and how to repair the connection can be found here: Test-ComputerSecureChannel (Microsoft.PowerShell.Management) - PowerShell | Microsoft Learn

  3. Try restarting the server Shinydocs Pro Control Center is installed on

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close