JasperReports Server ensures that people can access only the data they are allowed to see. The mechanisms that define users, roles, and repository resources work together to provide complete access control. Security has many facets covered in this guide and other guides:
| Topic | Description |
| --- | --- |
| Authentication | Authentication is the process of restricting access to identified users. Users must log in with their user ID and password so that they have an identity in JasperReports Server. The server stores user definitions, including encrypted passwords, in a private database. Administrators create, modify, and delete user accounts through the administrator pages, as described in Managing Users. |
| Password policies | Every company must establish a password policy that weighs its security risks against the convenience of its users. JasperReports Server supports many different password policies such as password expiration, reuse, and strong patterns. This configuration is described in the TIBCO JasperReports Server Security Guide. |
| External authentication | External authentication uses centralized identity services such as LDAP (used by Microsoft Active Directory and Novell eDirectory), Central Authentication Service (CAS), or Java Authentication and Authorization Service (JAAS). For more information, see the TIBCO JasperReports Server External Authentication Cookbook. |
| Application Security | System admins who install and maintain enterprise software know they must protect their servers against hackers. JasperReports Server protects your data against intruders with many protocols and tools, such as HTTPS, encryption, CSRF prevention, and input validation against cross-site scripting and SQL injection. For these topics and others, see the TIBCO JasperReports Server Security Guide. |
| Roles | JasperReports Server also implements roles that can be assigned to any number of users. Roles let administrators create groups or classes of users that are granted similar permissions. A user may belong to any number of roles and receive the privileges from each of them. Administrators create, modify, and delete roles through the administrator pages, as described in Managing Roles. |
| Resource permissions | Administrators can define access permissions on every folder and resource in the repository. Permissions are enforced when accessing any resource either directly through the repository interface, indirectly when called from a report, or programmatically through the web services. Permissions can be defined for every role and every user, or they can be left undefined so they are inherited from the parent folder. To restrict access or hide resources such as database connections, the administrator can set no-access or execute-only permission. For more information, see Repository Permissions. |
| Administrator privileges | JasperReports Server distinguishes between administrators and users. Administrators are granted access to the UI for permissions, user management, and sensitive resources such as database connections. Administrators also set the UI appearance with themes. Regular users are restricted to the folders, reports, and dashboards that admins allow them to access. Most of the features in this guide are not accessible to regular users. See Delegated Administration. |
| Menus and pages | The menus that appear in JasperReports Server depend on the user's roles. For example, only users with the administrator role can see the Manage menu and access the administrator pages. By modifying the server's configuration, you can modify access to menus, menu items, and individual pages. Refer to the JasperReports Server Community Project Source Build Guide and TIBCO JasperReports Server Ultimate Guide for more information. |
| Attributes | Attributes are name-value pairs associated with a user, organization, or server. Attributes can be used to restrict or enable a user's access to data in several ways. See Managing Attributes. |
Administrators must keep security in mind at all times when managing users, roles, and resources, because effective security relies on all of them working together.