System and organization admin privileges are determined by the ROLE_SUPERUSER and ROLE_ADMINISTRATOR system roles at the root level, respectively. Using the organizationRoleMap property, you can assign these system roles to LDAP entries based on custom group membership. This property can be used in addition to the properties that map group names to organization roles.

Whether you map users and roles to a single organization or multiple organizations, you can define this additional mapping between any role name that your mapping creates and any system role. You specify role mapping via the organizationRoleMap property of the mtExternalUserSetupProcessor bean (commercial editions) or externalUserSetupProcessor (community edition).

organizationRoleMap property – A list of key/value pairs that maps external role names to internal ones. The key should be a role name that your mapping creates, after adding the prefix and capitalization as configured in DefaultLdapAuthoritiesPopulator. For commercial JasperReports Server deployments, you need to choose the level at which the role is assigned:
     To map to an internal role at the organization level, append |* to the name of the internal role, for example, ROLE_EXTERNAL_USER|*. Roles mapped at the organization level do not have administrative privileges.
     To map to an internal role at the system (null) level, do not modify the internal role name, for example, ROLE_EXTERNAL_ADMINISTRATOR. Roles at the system level are usually reserved for special users such as the system administrator and allow access to the repository folder of all other organizations.

For example, if your LDAP user belongs to a group named jrsadmin that is mapped to the name ROLE_JRSADMIN, then the following code example would assign that user the ROLE_ADMINISTRATOR system role that makes the user an organization admin. This example shows how to create this system role mapping in a single-organization configuration for commercial editions:

<bean id="mtExternalUserSetupProcessor" class="
        externalAuth.processors.MTExternalUserSetupProcessor" parent="abstractExternalProcessor">
  <property name="userAuthorityService">
    <ref bean="${bean.internalUserAuthorityService}"/>
  <property name="defaultInternalRoles">
  <property name="organizationRoleMap">

If the value ROLE_ADMINISTRATOR in the key value pair had ended with |* (ROLE_ADMINISTRATOR|*), the user would have been assigned ROLE_ADMINISTRATOR at the organization level.

Roles that are not mapped to system roles are created and synchronized in the mapped organization, as described in Synchronization of Roles. In particular, if the name ROLE_ADMINISTRATOR or ROLE_SUPERUSER are mapped from the LDAP groups, but not mapped to system roles, they are created as organization roles and assigned to the user. As organization roles, they do not grant any access permissions, which can be very confusing for administrators. Avoid LDAP groups and role mappings that create these names as organization roles.