Managing External Role Definitions
Roles can be mapped from a variety of structures that depend on the external authority: LDAP authentication maps roles dynamically from groups, and CAS authentication extracts roles from an external data source or specifies them statically in the configuration file. Because each external authority may define roles differently, this guide refers to those structures collectively as role definitions.
In practice, you'll find that only a subset of the role definitions in your external authority are applicable to JasperReports Server. Of those, some may also be used by other applications, and others may be created specifically for managing users in JasperReports Server. You should identify the maintenance procedures on your enterprise-wide user authority that impact JasperReports Server and document additional procedures for keeping JasperReports Server in sync.
The following table describes the impact on JasperReports Server when modifying role definitions in the external authority:
Action in External | Impact on JasperReports Server | ||||||
Creating a new role | Role definitions are not directly mapped to JasperReports Server; only roles that are assigned to users who log in are mapped. When you create a new role and assign it to a user who accesses JasperReports Server, determine which case applies:
| ||||||
Modifying role membership | Changes in role membership are reflected the next time a role member starts a new session in JasperReports Server, as described in Synchronization of External Users. Roles that were previously unknown to the server are treated as new roles as described above, and roles that are no longer assigned to a user are deleted as described below. | ||||||
Deleting a role | External users no longer have the role, and it is removed from each external user by synchronization upon the next login. The role remains in the internal database, and permissions that reference the role remain in the repository. The role may still be assigned to external users who have not logged in since the role was removed.
|
Modifying Role Mappings
Once you've set up external authentication with your JasperReports Server instance, you add new role mappings by editing the applicationContext-externalAuth-*.xml file. You need to restart the server for these changes to take effect.
Be careful changing or removing role mappings. When a role mapping is removed or changed, synchronization no longer updates the target role in JasperReports Server. This means users assigned a deleted external role still have that role in JasperReports Server. You can work around this by creating a mapping from a non-existing role definition in the external authority to the target role you want to remove.
When you want to change the target role for an existing role mapping, you should create a dummy mapping that maps a non-existent role definition to the JasperReports Server role you no longer want to use. |
For example, suppose you have Sales Manager as a role in your external authority, and you initially map it to ROLE_ADMINISTRATOR in JasperReports Server.
Sales Manager Mandy logs into JasperReports Server and is assigned ROLE_ADMINISTRATOR.
You then create a new role in JasperReports Server, ROLE_SALES_MANAGER, and modify your role mapping so Sales Manager in the external authority is now mapped to ROLE_SALES_MANAGER in JasperReports Server. You then restart the server.
By default, the next time Mandy logs in, she's assigned ROLE_SALES_MANAGER. But because ROLE_ADMINISTRATOR no longer appears in your application context file, synchronization doesn't check for it and remove it. Mandy now has two roles: ROLE_ADMINISTRATOR and ROLE_SALES_MANAGER.
You can remove ROLE_ADMINISTRATOR from Mandy's account by creating a dummy mapping with ROLE_ADMINISTRATOR as the target. For example, if no one in your external authority has the role definition No Such Role, you can add a mapping in your application context file from No Such Role to ROLE_ADMINISTRATOR then restart the server. The next time Mandy logs in, the synchronizer finds that she doesn't have the No Such Role role definition and removes ROLE_ADMINISTRATOR.
It is possible for a role in JasperReports Server to be the target of more than one role mapping. If multiple role definitions map to the same role in JasperReports Server, users who have any one of the role definitions will receive the role in JasperReports Server. |
Recommended Comments
There are no comments to display.