JasperServer Default Role Permissions

[pintebr]

EDIT: go to the end of these posts to check the solution! 

 

After searching the net, this is my "last resort" ;-)

 

I have a JaserServer set up with users that are mapped to the ROLE_USER. The problem I have is that these users may do all sorts of things.

 

**My set up:**

Virtualbox Windows XP SP3 with **JasperServer 4.1** installed on it.

 

They need to be able to do all of things that you can do if you are logged on as an admin user and you right click on a folder and select Add Resource.

 

I can't find a page where you can **alter the default folder permissions for certain roles**. I already looked on the **WEB-INF** folder, but couldn't make out what to change and what to leave alone...

 

This is what I have: http://img441.imageshack.us/img441/1641/screenshotat20120406135.png

This is what I want: http://img804.imageshack.us/img804/617/screenshotat20120406140.png

 

Any help is welcome!

 

Thanks all!

 

Post Edited by pintebr at 04/26/2012 12:41

[mikewoinoski]

Do you want certain users to be able to perform administrative tasks? If so, you can assign an additional role to that user. Login to the Jasper console as superuser, then select Manage > Users. Select the user, click Edit, then add ROLE_ADMINISTRATOR and click Save.

[pintebr]

 Yes, that's what I want to do.

 

The thing is that these users should ONLY be able to add all of the resources. They mustn't be able to add/alter users and everything else an administrator can do.

The users musn't also see all of the folders, but only the folders that are assigned to that user.

That's why I want to alter the permissions on or maybe even creating a completely different role that can be assigned to users which can only add resources. But I have searched and searched but can't find an answer.

I even don't know if it's possible at all.

I'm also using the community version of jasper server and maybe it's a limitation of this community version?

[mikewoinoski]

According to the admin guide, a user with Administer permission on a folder can add resources. And if the user does not have role ROLE_ADMINISTRATOR, they won't be able to manage users, etc. So you can grant Administer permission to the users who need to be able to create resources. (This works in the Pro version; I don't know about CE.)

To set permissions, right-click a folder > Permissions > View by User > select user > Administer

In case you're interested in details, here's a summary of permissions from the admin guide:

Permission	Description
No Access	Users can never see or access the folder or resource either directly in the repository or indirectly when running a report, dashboard, or OLAP view.
Execute Only	Users can never see the folder or resource in the repository, but the reports, dashboard, or OLAP views that they run can access them.
Read Only	View (run) a report, dashboard, or OLAP view; run a report in the background; schedule a report to run later.
Read + Delete	Cut (move) a resource or a folder and all of its contents; delete a resource or a folder and all of its contents.
Read + Write + Delete	Add a subfolder; paste into a folder (copy or cut); save a new Ad Hoc report in a folder; save the output of a scheduled report in a folder; rename a folder or resource and change its description string; open an Ad Hoc report in the Ad Hoc editor; modify and overwrite an existing Ad Hoc report; add a JasperReport resource to the repository (upload a JRXML); edit the definition of a JasperReport resource in the repository (replace the JRXML).
Administer	Set the permissions (by role and by user) on a folder or resource. This effectively delegates certain repository administration tasks.
Administer, ROLE_ADMINISTRATOR	Add (create) a resource in a folder; edit a resource, for example the components of a report unit or a Domain.

[pintebr]

Yes I know this, the user has been granted with read+write+delete. But then you can only add a new jasper report as a resource, not images, files, ...

 

So I'm searching for a way to achieve this, if this is possible at all off course.

[pintebr]

 No one knows the answer? Or does anyone know if this is possible at all?

[elizam]

There also seems to be something called Organizations which you can use to limit the data users can access. Administrators only have power within their Organization.

I wonder if you could do something funky like create an Organization and Domain with the data you want and then create a subOrganization for each user that accesses the exact same data. Then, because they are the only one inside that Organization, they can't administer other users. I guess they might still be able to create a new user, but they can never get outside the walls of their little world.

If this works, then you could change the whole set of access to data by changing the parent Organization - mean you can use the parent Organization to be the real setup of what people can see, and the subOrganizations are this workaround to prevent people from modifying each other.

Post Edited by elizam at 04/19/2012 19:55

[rault]

Take a look at the actionModel-search.xml and applicationContext-search-pro.xml files in the WEB-INF directory. You can see the menu items are broken up by XML by role. I wonder if you could modify that or define your own section based on role. Depends on whether those are hard coded to the built in roles Jasper uses...give it a try and be sure to restart Jasper afte you make changes so they get picked up by the application. We commented out the menu items for the features we aren't using.

 

If you try it and it works, come back and post. I'm curious if it would...

Post Edited by rault at 04/23/2012 20:11

[pintebr]

 Hey Guys, 

Thanks for all the help, but in the end I "hacked" the xml files in the WEB-INF folder.

 

Here's what I did:

 

The Problem

The problem I was confronted with was a huge one. On a project I was working on we were asked if we could alter the JasperServer default role permissions to such an extent that we could tell that certain customers on our JasperServer could add all of the resources that an administrator can. After searching the net endlessly we were at the point of giving up, but then out of blue we were given a hint. This hint was the succesfull one.

check the above post and on stackoverflow

The Solution

The solution is one were the JasperServer XML files need to be altered/changed. I was already in the process of scouring all of the XML files, but to find the right one proved to be a challenge. The XML file you need to alter is located in the WEB-INF folder of the JasperServer installation directory. On my machine it was this one:

C:Program Filesjasperreports-server-cp-4.5.0-2apache-tomcatwebappsjasperserverWEB-INF

The file you need is this one: actionModel-search.xml

WARNING: don’t forget to first make a backup of the original. You don’t want to start all over again if things go wong!

The Explanation

First things first, install the JasperServer. I have tested this only on a community version of JasperServer. So I guess if this works on a community version, it’ll also work on the paying supported version.

After the installation go to your JasperReports homepage and login with the following credentials:

URL: http://localhost:8080/jasperserver
User: jasperadmin
Password: jasperadmin

Note that this is only a test setup on a virtual machine. If you intend to do this on a production server, change the password of the jasperadmin user for security reasons.

As soon as you are logged in go and create a new user.

1.       Click on “Manage”

2.       Click on “Users”

3.       Click on “Add User”

a.       Give a user name

b.      Give a password

4.       Click on “Add User”

Now that the user is made, you can go ahead and make a new role. To do this follow these steps:

1.       Click on “Manage”

2.       Click on “Roles”

3.       Click on “Add Role”

4.       Fill in the Role Name

5.       Click on “Add Role”

Write down the newly created role name, because this is the role we are going to use to “hack” the XML to our needs.

To add users to the role do the following:

1.       Click on the role you just created

2.       Click on “Edit”

3.       Select the users that need the new role.

4.       Click on “Save”.

The next thing you need to do is to give the role read + write + delete permissions on the folder.

1.       Right click on a folder

2.       Click on “Permissions”

3.       Select read + write + delete next to the role that needs this access

Now you’re all set and ready to go “hack” your way into the XML file.

Open up the actionModel-search.xml file. Don’t forget the take a copy of the file first!

At the start of the xml file look for a line of code that looks like the one below.

<condition test="checkAuthenticationRoles" testArgs="ROLE_USER,ROLE_ADMINISTRATOR">

This is the first line you need to alter. Add your role to the testArgs section. Make sure that all of the roles are separated by a comma.

Ex.  <condition test="checkAuthenticationRoles" testArgs="ROLE_USER,ROLE_ADMINISTRATOR, USER_RESOURCES">

On the next condition line make the same change. 

Save the file. For the changes to be made current, you need to restart the JasperServer. On windows systems you can go to

•  To Stop: All Programs => JasperReports Server … => Start Or Stop Services => Stop Service

•  To Start: All Programs => JasperReports Server … => Start Or Stop Services => Start Service

Now login with the user that you created and right click on the folder with the right permissions. Now you can add all of the resources that an administrator can add.

If you want you can play a little around with the XML file to further change the behavior. For example: you have a client that is prohibited to add images the jasper reports. In that case you can alter the XML like the following.

Place a condition test around this code:

<option labelKey="resourceTypes.image" action="invokeCreate" actionArgs="FileResource@@img" className="up"/>

To look like this code:

<condition test=checkAuthenticationRoles” testArgs=”ROLE_ADMINISTRATOR”>
<option labelKey="resourceTypes.image" action="invokeCreate" actionArgs="FileResource@@img" className="up"/></condition>

This way, only an administrator can add images to the folder.

Voila, you are all set to go and play around with your copy of JasperReports Server.

Have Fun! 

Post Edited by pintebr at 04/26/2012 12:43

[rault]

Excellent write up! Thanks for coming back and posting it.

[pintebr]

No problem, that's why forums exist ;-)! Hopes this helps people in the future

 

ps. if you find any spelling mistakes or grammar mistakes feel free to correct them. English isn't my native language so I'm more subject to these kinds of errors ;-)

Post Edited by pintebr at 04/26/2012 13:00

[ernestoo]

Awesome!!! Just a quick tip - if you're using Pro and have multiple organizations and want this to apply to a particular organization, make sure to add something like ROLE_DATA_ADMIN|organization_1 to the testArgs

[pramod3181990]

This was very helpful. I could do what I wanted to very easily after going through this tutorial.Thanks a lot.

[rsuddhala]

Hi,

I need help like I want to add the roles to user by programmatically.Could you please help me out..

 

Thanks,

Raviraj