User accounts and role assignments provide authentication and authorization mechanisms to implement access control in JasperReports Server. Users enter an organization name, a login name, and a password in order to access JasperReports Server. Administrators assign named roles to users and then create role-based permissions to further restrict access to objects in the repository and to data in Domains.
Both users and roles are associated with the organizations in which they are defined, and they follow the same hierarchical model. Users and roles defined in an organization may be granted or denied access to any repository folder or object in the organization or its sub-organizations. However, the administrator of the sub-organization has no visibility of the roles and users in the parent organization, even if they are used in access permission within the sub-organization.
User names and role names are unique within an organization, but not necessarily among sub-organizations or across all organizations in the server. For example, the default organization administrator is called jasperadmin in every organization. Because the organization must be given when logging in, JasperReports Server can distinguish between every user. In some cases such as web services, a user is identified by the unique string username|organization_ID.
Access to the repository is defined directly on the repository resources. Administrators may define a level of access, such as read-write, read-only or no access, and each permission may be based either on a user name or on a role name.
Administrator privileges are determined by system-level roles named ROLE_SUPERUSER and ROLE_ADMINISTRATOR. This allows several users to be system admins or organization admins for large deployments. Based on the presence of either of these roles, the server presents the appropriate administrator options in menus, tool bars, and on the user’s home page. For more information, see section 12.1, “Scope of Administrative Privileges,” on page 289.