Authentication is the process of restricting access to identified users. Users must log in with their user ID and password so that they have an identity in JasperReports Server. The server stores user definitions, including encrypted passwords, in a private database. Administrators create, modify, and delete user accounts through the administrator pages, as described in Managing Users.

Every company must establish a password policy that weighs its security risks against the convenience of its users. JasperReports Server supports many different password policies such as password expiration, reuse, and strong patterns. This configuration is described in the JasperReports Server Security Guide.

External authentication uses centralized identity services such as LDAP (used by Microsoft Active Directory and Novell eDirectory), Central Authentication Service (CAS), or Java Authentication and Authorization Service (JAAS). For more information, see the JasperReports Server External Authentication Cookbook.

System admins who install and maintain enterprise software know they must protect their servers against hackers. JasperReports Server protects your data against intruders with many protocols and tools, such as HTTPS, encryption, CSRF prevention, and input validation against cross-site scripting and SQL injection. For these topics and others, see the JasperReports Server Security Guide.

Users belong to organizations and are restricted to seeing resources within their organization. Organizations have their own administrators, but they see only the users, roles, and resources from their organization. When JasperReports Server is configured with multiple organizations, they are effectively isolated from each other, although the system admin can share resources through the Public folder. For more information, see Multiple Organizations in the Repository.

JasperReports Server also implements roles that can be assigned to any number of users. Roles let administrators create groups or classes of users that are granted similar permissions. A user may belong to any number of roles and receive the privileges from each of them. Administrators create, modify, and delete roles through the administrator pages, as described in Managing Roles.

Administrators can define access permissions on every folder and resource in the repository. Permissions are enforced when accessing any resource either directly through the repository interface, indirectly when called from a report, or programmatically through the web services.

Permissions can be defined for every role and every user, or they can be left undefined so they are inherited from the parent folder. To restrict access or hide resources such as database connections, the administrator can set no-access or execute-only permission. For more information, see Repository Permissions.

JasperReports Server distinguishes between administrators and users. Administrators are granted access to the UI for permissions, user management, and sensitive resources such as database connections. Administrators also set the UI appearance with themes and monitor server activity with diagnostics. Regular users are restricted to the folders, reports, and dashboards that admins allow them to access. Most of the features in this guide are not accessible to regular users. See Delegated Administration.

The menus that appear in JasperReports Server depend on the user's roles. For example, only users with the administrator role can see the Manage menu and access the administrator pages. By modifying the server's configuration, you can modify access to menus, menu items, and individual pages. Refer to the JasperReports Server Source Build Guide and JasperReports Server Ultimate Guide for more information.