To help any others - this is how I eventually resolved it (with help from Column). Note that I set the principalExpression to true to allow anyone access and then filter at role level with the nifty inbuilt function testCurrentUserRoles.

<securityDefinition xmlns="http://www.jaspersoft.com/2007/SL/XMLSchema" version="1.0" itemGroupDefaultAccess="granted">
  <resourceAccessGrants>
    <resourceAccessGrantList id="UserGroup" label="aLabel" resourceId="JoinTree_1">
      <resourceAccessGrants>
        <resourceAccessGrant id="whatever">
          <principalExpression>true</principalExpression>
          <filterExpression>testCurrentUserRoles( concat('ROLE_',dwh_assets_client.client_code) )</filterExpression>
        </resourceAccessGrant>
      </resourceAccessGrants>
    </resourceAccessGrantList>
  </resourceAccessGrants>
</securityDefinition>
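
A review check for the pattern in the post above, as an added example that is not part of the original post or of Jaspersoft's code: once principalExpression is `true`, the filterExpression is the only thing restricting rows, so this flags grants where it is missing. The function name and the sample file (including the second, unfiltered grant) are constructed, and the check assumes that such a grant leaves every row of the resource visible to every user.

```python
import xml.etree.ElementTree as ET

NS = {"sl": "http://www.jaspersoft.com/2007/SL/XMLSchema"}

# Constructed sample: the first grant mirrors the post, the second is an
# invented grant that matches everyone but has no row filter.
SAMPLE = """<securityDefinition xmlns="http://www.jaspersoft.com/2007/SL/XMLSchema" version="1.0" itemGroupDefaultAccess="granted">
  <resourceAccessGrants>
    <resourceAccessGrantList id="UserGroup" label="aLabel" resourceId="JoinTree_1">
      <resourceAccessGrants>
        <resourceAccessGrant id="filtered">
          <principalExpression>true</principalExpression>
          <filterExpression>testCurrentUserRoles( concat('ROLE_',dwh_assets_client.client_code) )</filterExpression>
        </resourceAccessGrant>
        <resourceAccessGrant id="unfiltered">
          <principalExpression> true </principalExpression>
        </resourceAccessGrant>
      </resourceAccessGrants>
    </resourceAccessGrantList>
  </resourceAccessGrants>
</securityDefinition>"""


def find_unfiltered_open_grants(xml_text):
    """Return (resourceId, grantId) pairs for grants whose principalExpression
    is the literal 'true' (matches every user) and whose filterExpression is
    missing or empty."""
    root = ET.fromstring(xml_text)
    findings = []
    for grant_list in root.iterfind(".//sl:resourceAccessGrantList", NS):
        resource_id = grant_list.get("resourceId")
        grants = grant_list.iterfind("sl:resourceAccessGrants/sl:resourceAccessGrant", NS)
        for grant in grants:
            principal = grant.findtext("sl:principalExpression", default="", namespaces=NS).strip()
            row_filter = grant.findtext("sl:filterExpression", default="", namespaces=NS).strip()
            if principal.lower() == "true" and not row_filter:
                findings.append((resource_id, grant.get("id")))
    return findings


if __name__ == "__main__":
    for resource_id, grant_id in find_unfiltered_open_grants(SAMPLE):
        print(f"grant {grant_id!r} on {resource_id!r}: open to all principals, no row filter")
```
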