User accounts and role membership provide authentication and authorization mechanisms to implement access control in JasperReports Server. Users enter an organization name, a login name, and a password in order to access JasperReports Server. Administrators assign named roles to users and then create role-based permissions to further restrict access to objects in the repository and to data in Domains.
Both users and roles are associated with the organizations in which they are defined, and they follow the same hierarchical model. Users and roles defined in an organization may be granted or denied access to any repository folder or object in the organization or its suborganizations. However, the administrator of the suborganization has no visibility of the roles and users in the parent organization, even if they are used in access permission within the suborganization.
User names and role names are unique within an organization, but not necessarily among suborganizations or across all organizations in the server. For example, the default organization administrator is called jasperadmin in every organization. Because the organization must be given when logging in, JasperReports Server can distinguish between every user. In some cases such as web services, a user is identified by the unique string username|organization_ID.
Access to the repository is defined directly on the repository resources. Administrators may define a level of access, such as read-write, read-only or no access, and each permission may be based either on a user name or on a role name.
Administrators perform the following actions to manage users in their organization:
• Create, modify, and delete users.
• Set user account properties such as name, email, and setting the password. However, no administrator can ever view a user’s existing password in clear text.
• Login as any user in the organization to test permissions.
• Create, modify, and delete roles.
• Assign roles to users.
• Set access permissions on repository folders and resources.
JasperReports Server enables three levels of delegated administration:
• The hierarchical structure of organizations means administrators in each organization are limited to actions within their organization. But this only applies to multiple organizations where it makes sense to have subordinate administrators.
• The Administer permissions allows a user to view and set permissions on a folder or resource. This allows a power-user to manage her own section of the repository, but not to create or manage users.
• Granting ROLE_ADMINISTRATOR, ROLE_SUPERUSER, or both allows a user to see the management interface and create users and roles. This is true delegated administration, whereby a user other than superuser or jasperadmin has the same abilities.
In the case of true delegated administration, there are three factors that determine the scope of a user’s administrative privileges:
• ROLE_ADMINISTRATOR – JasperReports Server confers the organization-level privileges to any user with this role. This includes managing users, roles, and permissions in the repository, as well as creating resources in the repository. When a user with this role logs in, the server displays the additional menus to access the admin pages and manage repository resources. Any administrator, who by definition has this role, can assign it to any other user.
• ROLE_SUPERUSER – When a user already has ROLE_ADMINISTRATOR, this additional role grants access to the system configuration functions. Only a system admin can assign this role to another user; organization admins cannot see or assign this role.
In a multi-organization environment, ROLE_SUPERUSER should not be given to organization admins or organization users, because this allows access to the Ad Hoc cache shared by all organizations. In the case of a single organization such as in the default installation, you may assign this role to the organization admins to grant access to system settings without granting privileges to create top-level organizations or other system administrators.
• The user’s organization – Regardless of roles, an administrator is always limited in scope to the organization in which the user account is created, including any suborganizations thereof. In no case can a user, even with the ROLE_SUPERUSER, ever view or modify any organization, user, role, or folder outside of the organization to which the user belongs.
Any administrator can grant ROLE_ADMINISTRATOR to any user. That user then becomes equivalent to an organization admin of the organization in which he belongs. In order to delegate system administration, the existing system admin must first create other users at the root level, outside of any organization. The system admin can then assign both ROLE_ADMINISTRATOR and ROLE_SUPERUSER to grant them system admin privileges. For further information about these roles, see section Permissions.