Overview of Users and Roles

User accounts and role membership provide authentication and authorization settings for access control in JasperReports Server. Users enter an organization name if required, a login name, and a password to access JasperReports Server. Administrators assign named roles to users and then create role-based permissions to further control access to the repository.

In the commercial version of JasperReports Server, users and roles are associated with the organizations in which they are defined. Users and roles defined in an organization can be granted or denied access to any repository folder or object in the organization or its suborganizations. However, a suborganization administrator has no access to the roles and users in the parent organization, even if they are used in access permission within the suborganization.

User names and role names are unique within an organization, but not necessarily among suborganizations or across all organizations in the server. For example, the default organization administrator is called jasperadmin in every organization. Because login credentials include the organization and user name, JasperReports Server can distinguish each user. In some cases such as web services, a user is identified by the unique string username|organization_ID.

The community edition of JasperReports Server has only a single default organization. All user and role names belong to this organization.

Administrators define access to the repository directly on the repository resources. You can define a level of access, such as read-write, read-only or no access, and assign each permission based either a user name or a role.

Administering Users and Roles

Administrators perform the following actions to manage users in their organization:

Create, modify, and delete users.
Set user account properties such as name, email, and setting the password. However, no administrator can ever view a user’s existing password in clear text.
Login as any user in the organization to test permissions.
Create, modify, and delete roles.
Assign roles to users.
Set access permissions on repository folders and resources.

Delegated Administration

JasperReports Server enables three levels of delegated administration:

In a multi-organization implementation administrators in each organization are limited to actions within their organization.
The Administer permissions allow a user to view and set permissions on a folder or resource. This can allow a power-user to manage a section of the repository, but not to create or manage users.
Granting ROLE_ADMINISTRATOR, ROLE_SUPERUSER, or both allows a user to see the management interface and create users and roles. This is true delegated administration, whereby a user other than superuser or jasperadmin has administration abilities.

In the case of true delegated administration, three factors determine the scope of a user’s administrative privileges:

ROLE_ADMINISTRATOR – JasperReports Server confers the organization-level privileges to any user with this role. This includes managing users, roles, and permissions, as well as creating resources in the repository. When a user with this role logs in, the server displays the additional menus to access the admin pages and manage repository resources. Any administrator can assign this role to any other user.
ROLE_SUPERUSER – When a user already has ROLE_ADMINISTRATOR, this additional role grants access to the system configuration functions. Only a system admin can assign this role to another user.

In a multi-organization environment, ROLE_SUPERUSER should not be given to organization admins or organization users, because this allows access to the Ad Hoc cache shared by all organizations. In the case of a single organization such as in the default installation, you may assign this role to the organization admins to grant access to system settings without granting privileges to create top-level organizations or other system administrators.

The user’s organization – Regardless of roles, an administrator is always limited in scope to the organization in which the user account is created, including any suborganizations thereof. In no case can a user, even with the ROLE_SUPERUSER, ever view or modify any organization, user, role, or folder outside of the organization to which that user belongs.

Any administrator can grant ROLE_ADMINISTRATOR to any user. That user then becomes equivalent to an organization admin of the organization in which he belongs. In order to delegate system administration, the existing system admin must first create other users at the root level, outside of any organization. The system admin can then assign both ROLE_ADMINISTRATOR and ROLE_SUPERUSER to grant them system admin privileges. For further information about these roles, see Permissions.