Working with Hierarchical Attributes
In JasperReports Server 6.0, we added support for hierarchical attributes, which extend attribute functionality. Now a user can inherit attributes from their organization or the server in addition to any attributes assigned to the user directly. When providing an attribute, you can either specify the category (user, organization, or server) in which the server should look for its value, or allow the server to locate the value hierarchically. The CZS example uses pre-6.0 syntax, which only evaluates attributes defined at the user level. This section describes how to support hierarchical attributes in a security file.
All access grants take a principalExpression that gets the user's roles and evaluates them for the role specified in the access grant. In JasperReports Server 6.0, we added a new service that supports hierarchical attributes in principal expression:
attributesService.getAttribute('AttrName',Level[, condition]))
getAttribute() takes the following arguments:
• | AttrName – String that specifies the attribute to check. Can be any available attribute, including predefined attributes such as Role and customer-defined attributes such as Cities. |
• | Level – Category that specifies the level in the hierarchy to check for attributes. One of: null, 'SERVER', 'TENANT', or 'USER'. To use all available attributes from all levels, use null. |
• | required (optional) –Boolean that specifies whether or not the attribute is required. When set to true, an error message is displayed in the UI if the attribute is not present. When set to false (default), no such error is displayed; instead, the filterExpression fails silently and information which the user is not authorized to view is not displayed. |
For example, the following expression tests whether the user has the Manager role anywhere in the hierarchy:
<principalExpression>attributesService.getAttribute('Role',null)?.getAttrValue() in ['Manager']
</principalExpression>
The following expression tests for the Manager role at the server level, and displays an error message if the attribute is not found:
<principalExpression>attributesService.getAttribute('Role','SERVER', true)?.getAttrValue() in ['Manager']
</principalExpression>
The following example shows how to use getAttribute() in a Domain security file:
<resourceAccessGrants> <resourceAccessGrantList id="sales_join_resource_access_grant" label="aLabel" resourceId="sales_join"> <resourceAccessGrants> <resourceAccessGrant id="custom_grant_2"> <principalExpression>attributesService.getAttribute('Role', null)?.getAttrValue() in ['Manager']</principalExpression> <filterExpression>testProfileAttribute(region11.sales_city,'Cities') </filterExpression> </resourceAccessGrant> </resourceAccessGrants> </resourceAccessGrantList></resourceAccessGrants>[/code] |
To update an existing Domain security file to support hierarchical attributes, update principal expressions to use attributesService. For example, suppose you have the following resource access grant, which does not support hierarchical attributes:
<resourceAccessGrant id="custom_grant_2"> <principalExpression>authentication.getPrincipal().getRoles().any{ it.getRoleName() in ['Manager'] }</principalExpression> <filterExpression>testProfileAttribute(region11.sales_city,'Cities')</filterExpression></resourceAccessGrant>[/code] |
You can update the principal expression as shown below:
<resourceAccessGrant id="custom_grant_2"> <principalExpression>attributesService.getAttribute('Role', null)?.getAttrValue() in ['Manager']</principalExpression> <filterExpression>testProfileAttribute(region11.sales_city,'Cities')</filterExpression></resourceAccessGrant>[/code] |
attributesService is implemented in Groovy. For more information about Groovy, see www.groovy-lang.org. |
Recommended Comments
There are no comments to display.