We are using jasperserver-pro, and have SSO integreted.
By default, all the SSO user login as ROLE_USER, and go to XXX orgranization.
<property name="defaultOrganization" value="XXX" />
When a SSO user login (let's say he is named "Jack"), he only has "ROLE_USER" and under organization "XXX", then we created another role under XXX organization called "DEMO_USER".
Here is the problem, when we assigned "ROLE_ADMINISTRATOR" and "DEMO_USER" to him, at that point of time, he has both role and he is able to manage users.
But when he logout and login, the role "ROLE_ADMINISTRATOR" is gone, "DEMO_USER" is still there.