iReport row level security

[rjback]

Re: row level security in iReport

I have seen an example of how to take the email address of the logged in user as a hidden parameter and pass it to the query, to achieve row level security on the report.

However, what if we have another parameter to the report, e.g. a drop down list of items, which is also to be filtered by the logged in user? Please can someone give me an example of how to achieve this, or let me know if it is possible?

Thanks,

Rich

[Steve Park]

Hi Rich!

Normally, only the LoggedInUsername parameter is available when using Single Select or Multi-Select Query input controls.  However, you can add additional parameters by writing a class that implements the com.jaspersoft.jasperserver.api.engine.common.service.IQueryManipulator interface.  Let's suppose you have a user with a sales_region profile attribute and your report has a state_province parameter and you only want to display states or provinces within that user's region in the input control.  You can use the following class:

import java.util.Map;
import org.acegisecurity.context.SecurityContextHolder;
import com.jaspersoft.jasperserver.api.engine.common.service.IQueryManipulator;
import com.jaspersoft.jasperserver.api.metadata.user.domain.ProfileAttribute;
import com.jaspersoft.jasperserver.api.metadata.user.domain.impl.client.MetadataUserDetails;

public class SimpleQueryManipulator implements IQueryManipulator {

    public final static String REGION = "$P{sales_region}";

    public String updateQuery(String query, Map parameters) {
        MetadataUserDetails mud = (MetadataUserDetails) SecurityContextHolder
                .getContext().getAuthentication().getPrincipal();
        ProfileAttribute regionAttr = (ProfileAttribute) mud.getAttributes().get(0);   // this assumes only one profile attribute set
        String region = regionAttr.getAttrValue();
        query = query.replace(REGION, region);
        return query;
    }
}

You would need to add this class to your classpath and add a spring bean definition for it in the WEB-INF/applictionContext.xml file.  You would need to inject this bean into the queryManipulator property of the engineService bean.  Then in the SIngle Select Query input control for the parameter, you could use the following query:

select state_province from states where region = $P{sales_region}

I hope that helps.

 

[rjback]

Thanks- that is very useful. Not sure we'd go down that path though. I think we'd probably make the users log in with their email address, to make it readily available.

A supplementary question then- we will be using a mix of iReports and Domain reporting. We'd like to make the domain reporting use the same security model as the iReports. With iReports, we'd use the logged in user name/email address as a hidden parameter to control the rows that came back.

Would this be possible in the row-level security model of Domains? I have seen how to do row level security in domains based on the user's role or a profile property.

For example, if the user's address is joe.bloggs, I want my filter to join through a couple of tables to find out what objects the user is allowed to see, and make sure the filter only brings back those.

[swood]

The user's email address is on the User object that is available for domain security, so you can filter on that.

 

You can create domain based reports in the version of iReport that comes with JasperServer Professional/Enterprise. You can't run them in iReport, though - you have to deploy these domain based JRXMLs to the server.

 

Sherman

Jaspersoft

[Steve Park]

In case anyone else comes across this, the answers on this thread are out of date.  We added new LoggedInUser parameters.  They are documented in section 4.4.2 of the Admin Guide, but I'll include them here as well.  NOTE: you will need to create the desired parameters in the JRXML template, but once the report is deployed to JasperReports Server, the parameter will be automatically populated with the logged in user information when the report is executed.

Parameter Name	Type	Notes
LoggedInUser	User	The user that is currently logged in. This parameter isn’t available in query input controls, but is used as a parameter to the report.
LoggedInUsername	String	The user name of the current user.
LoggedInUserFullName	String	The full name of the current user.
LoggedInUserEmail Address	String	The email address of the current user.
LoggedInUserEnabled	Boolean	Indicates whether the current user is enabled.
LoggedInUserExternally Defined	Boolean	Indicates whether the current user is authenticated externally.
LoggedInUserTenantId	String	In the commercial editions, the name of the organization of the current user.
LoggedInUserRoles	Collection	The roles assigned to the current user. This is helpful for parameters that use $X.
LoggedInUserAttributes	Map,>	The profile attributes of the logged-in user. This parameter isn’t usable in query input control, but it is used as parameter to the report. If the user has no attributes, the parameter is an empty map.
LoggedInUserAttribute Names	Collection	The names of the profile attributes of the logged-in user.  This is helpful for parameters that use $X. If the user has no attributes, the parameter is an empty map.
LoggedInUserAttribute Values	Collection	The values of the profile attributes of the logged-in user.  This is helpful for parameters that use $X. If the user has no attributes, the parameter is an empty map.
LoggedInUserAttribute_	String	For the logged-in user, the value of the attribute matching the name passed as (like att1). If there is no match, the parameter is empty.  This parameter is only available if it is defined in a query or as a report parameter.