Scope of Administrative Privileges

Organization admins have the ability to:

   Create sub-organizations.

   Create, modify, and delete users, including changing their password. However, no administrator can ever view a user’s existing password in clear text.

   Log in as any user in the organization for testing system access.

   Create, modify, and delete roles.

   Assign roles to users, including the ROLE_ADMINISTRATOR role that grants organization admin privileges.

   Create, modify, and delete folders and repository objects of all types.

   Set access permissions on repository folders and objects.

System admins have the ability to:

   Perform all organization-level tasks listed above, on any organization in the system.

   Create top-level organizations.

   Create users outside of organizations that can access all organizations.

   Assign the ROLE_SUPERUSER role that grants system admin privileges.

   Set the system-wide configuration parameters.

For delegated administration, an existing administrator may grant these privileges to any user. There are three factors that determine the scope of a user’s administrative privileges:

   ROLE_ADMINISTRATOR – JasperReports Server confers the organization-level privileges listed above to any user with this role. When a user with this role logs in, the server displays the additional controls to access the admin pages.

   The user’s organization – Regardless of roles, an administrator is always limited in scope to the organization in which the user account is created, including any sub-organizations thereof. In no case can a user, even with the ROLE_SUPERUSER role, ever view or modify any organization, user, or repository object outside of the organization to which the user belongs.

The default system admin user, named superuser, exists at the system level, outside of any organization. This is what allows the system admin to access any organization and create other system admin users outside of any organization.

   ROLE_SUPERUSER – When a user already has ROLE_ADMINISTRATOR, this additional role grants access to the system configuration functions. In a multi-organization environment, this role should not be given to organization admins, because system configuration includes the Ad Hoc cache shared by all organizations. In the case of a single organization such as in the default installation, giving this role to the organization admins grants access to system settings without granting privileges to create top-level organizations or other system administrators.

In order to delegate system administration, the existing system admin must first create other users at the root level, outside of any organization. The system admin can then assign both ROLE_ADMINISTRATOR and ROLE_SUPERUSER to grant them system admin privileges. For further information about these roles, see section Reports and Dashboards.
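The three factors above can be checked mechanically when reviewing role assignments. The following is an added example, not code from JasperReports Server or its documentation: it computes each account's administrative scope and flags ROLE_SUPERUSER on organization-level admins. The data layout (`org`, `roles`, the parent map), the sample accounts, and treating "more than one organization" as multi-organization are assumptions.

```python
# Constructed sample data. Field names are assumptions for this sketch,
# not a JasperReports Server export or API format.
ORG_PARENT = {"acme": None, "acme_eu": "acme", "globex": None}  # org -> parent
USERS = [
    {"name": "superuser", "org": None, "roles": {"ROLE_ADMINISTRATOR", "ROLE_SUPERUSER"}},
    {"name": "alice", "org": "acme", "roles": {"ROLE_ADMINISTRATOR"}},
    {"name": "bob", "org": "globex", "roles": {"ROLE_ADMINISTRATOR", "ROLE_SUPERUSER"}},
    {"name": "carol", "org": "acme_eu", "roles": {"ROLE_USER"}},
]

def subtree(org, parents):
    """Return org plus all of its sub-organizations, at any depth."""
    found = {org}
    changed = True
    while changed:
        changed = False
        for child, parent in parents.items():
            if parent in found and child not in found:
                found.add(child)
                changed = True
    return found

def admin_scope(user, parents):
    """Apply the three factors: ROLE_ADMINISTRATOR, the user's organization, ROLE_SUPERUSER."""
    if "ROLE_ADMINISTRATOR" not in user["roles"]:
        # ROLE_SUPERUSER is described only as an addition to ROLE_ADMINISTRATOR.
        return {"orgs": set(), "system_config": False, "system_admin": False}
    root_level = user["org"] is None  # account created outside any organization
    orgs = set(parents) if root_level else subtree(user["org"], parents)
    superuser = "ROLE_SUPERUSER" in user["roles"]
    return {"orgs": orgs, "system_config": superuser,
            "system_admin": root_level and superuser}

def audit(users, parents):
    """Names of organization-level admins holding ROLE_SUPERUSER in a multi-organization setup."""
    multi_org = len(parents) > 1  # assumption: any second organization counts
    findings = []
    for user in users:
        scope = admin_scope(user, parents)
        if multi_org and scope["system_config"] and not scope["system_admin"]:
            findings.append(user["name"])
    return findings

if __name__ == "__main__":
    for u in USERS:
        print(u["name"], admin_scope(u, ORG_PARENT))
    print("review:", audit(USERS, ORG_PARENT))
```

Accounts returned by `audit` can change system-wide configuration, including the shared Ad Hoc cache, while appearing to be scoped to one organization.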