Role Based Access Control With MRS 9.1.0

In the latest release, Microsoft R Server 9.1, we can configure role-based access control (RBAC) to determine which users can publish, modify and delete web services.

There are three roles in MRS 9.1, and each role has a defined set of permissions for what its members can and cannot do.

  • Owner: users assigned to this role can manage any service.
  • Contributor: users assigned to this role can publish and manage their services. They cannot manage the services of others.
  • Reader: a catchall role implicitly given to any authenticated user that is not assigned another role.

These roles are then mapped to one or more security groups in Active Directory, where AD administrators can add users to the security groups.

In this document we will assume that you have an Active Directory instance set up and running.

For more information on how to set up Active Directory click here

Configure Active Directory

We shall create new security groups and add members to them. These groups will later be assigned to roles in the MRS appsettings.json file.
To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

Launch Active Directory Users and Computers


Create Users in Active Directory

AD administrators will be able to create new users; click here to find a detailed document on creating users in AD.

When you select the option to create a new user, you will see a dialog box as below, where you can enter user details and user logon details.


Create Groups in Active Directory

Groups in Active Directory Domain Services (AD DS) are directory objects that reside in a domain and in organizational unit (OU) container objects.

Click here to Create a New Group in AD



In this example we have created two groups, MRSAdmin and DataScientist.

The Owner role will be assigned to the MRSAdmin group.

The Contributor role will be assigned to the DataScientist group.


Add User to Group

AD and MRS administrators will need to collaborate here to identify which users will be added to each group and which groups will be assigned specific roles.

In this example we are adding azureuser to the MRSAdmin group, which is associated with the Owner role.

Click here to add user to group


Configure Microsoft R Server Operationalization for RBAC

By now we have configured AD, set up groups and assigned users to those groups. The next step is to set up the MRS O16N server to authenticate using LDAP and to configure authorization.

Click here to configure LDAP in MRS O16N server

Click here to configure roles in MRS O16N server

Our example web node appsettings.json file looks like the one below. Modify your settings file and restart the web node server.

Note: In our example, the searchFilter (CN) and UniqueUserIdentifierAttributeName (UserPrincipalName) attribute values in the LDAP system were both the same; the UPN didn't have any suffix or domain name values.
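
As an added example (not from the original post or from Microsoft's documentation), the following Python script reviews the group-to-role mapping described above and resolves a user's effective role. The `Authorization`/`Owner`/`Contributor` key layout and the rule that the strongest mapped role wins are assumptions; the MRSAdmin and DataScientist groups and azureuser come from the post, and all other names are constructed.

```python
import json

# Constructed sample: only the Authorization section of a web node's
# appsettings.json. The key layout is an assumption; the group names are
# the post's MRSAdmin and DataScientist.
SAMPLE_APPSETTINGS = """
{
  "Authorization": {
    "Owner": ["MRSAdmin"],
    "Contributor": ["DataScientist"]
  }
}
"""

# Strongest role first (assumption: a user in several mapped groups gets it).
ROLE_ORDER = ("Owner", "Contributor")

def load_role_map(appsettings_text):
    """Return {role: set of lower-cased AD group names}."""
    auth = json.loads(appsettings_text).get("Authorization", {})
    return {r: {g.lower() for g in auth.get(r, [])} for r in ROLE_ORDER}

def audit_role_map(role_map):
    """Flag mappings an administrator should review before restarting."""
    findings = []
    if not role_map["Owner"]:
        findings.append("no group mapped to Owner")
    for g in sorted(role_map["Owner"] & role_map["Contributor"]):
        findings.append(f"group '{g}' mapped to both Owner and Contributor")
    return findings

def effective_role(user_groups, role_map):
    """Role for an authenticated user; Reader is the implicit catchall."""
    groups = {g.lower() for g in user_groups}
    for role in ROLE_ORDER:
        if groups & role_map[role]:
            return role
    return "Reader"

def can_manage(role, is_own_service):
    """Owner manages any service, Contributor only their own, Reader none."""
    return role == "Owner" or (role == "Contributor" and is_own_service)

if __name__ == "__main__":
    rm = load_role_map(SAMPLE_APPSETTINGS)
    print(audit_role_map(rm) or "role map looks consistent")
    for user, groups in {"azureuser": ["MRSAdmin"], "bob": ["Domain Users"]}.items():
        print(user, "->", effective_role(groups, rm))
```

Running this against the real group list exported from AD before restarting the web node shows which accounts would end up with Owner rights.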


For a comprehensive view of all the capabilities in Microsoft R Server 9.1, refer to this blog

Author: Siddharth Choudhary, Rasha Mahmoud

Comments (2)

  1. DRN says:

    I have set up LDAP authentication in the Machine Learning Server v 9.2.1 and have assigned an AD group to “Owners” but the web node does not start when I tested it using the Administration Utility.
    Is there any troubleshooting procedure available please?
    Many thanks.

  2. CarlNan says:

    Hi DRN,

    Were you using the one-box configuration (for single-node) or “enterprise configuration” (for multi-nodes)? Please first ensure you follow the configuration guideline for one-box ( or enterprise (

    If you still encounter issues, please follow the guidance of the Diagnostics and Troubleshooting (

