Show only reports and deny ad-hoc creation based on roles

Hello everybody!

Based on roles, I want that some users can only be able to see reports and other can create ad-hoc view.

Actually I have modified the actionModel-navigaion.xml file by hiding repository browser based on my "read-only" role and users can see only search and library page, but if they click on library and change the filter to show ad-hoc view, they can create them.

I tried to comment out the "filter section" on the result.jsp module but in this way I cannot see anything, it seems that the search filter will be disabled.

Basically I would like to "block" the library filter to show only reports based on a role or to hide the "ad-hoc" filter from the left menu.

Do you know how can I do this, what files i have to modify and how?


Thank you in advance to anyone should help me.



gbdenaro's picture
Joined: Mar 7 2011 - 1:05pm
Last seen: 1 year 1 month ago

2 Answers:

You can give the user  Execute Only permission to all folders containing Ad Hoc Views, Topics, and Domains. To do this, log in as superuser, right click on the folder you want to restrict, and select Permissions.  You can choose the access for each user type.

Execture Only will let users execute reports that are based on these resources, but they will not be able to view or edit any Ad Hoc Views, and without access to a Topic or Domain, they will not be able to create an Ad Hoc View of their own. (I believe the Data Source folder is restricted already, but if not, you should manage that as well) They will still see the link, but it will not be useful to them. This is a more robust solution than just hiding the menu items and links, although that is also useful.

elizam's picture
Joined: Mar 5 2012 - 9:19am
Last seen: 2 years 7 months ago


Thanks for your comment.
this doesn't work for me in my situation because: for the user to be able to login in they need to have one of two user roles - user or admin. if they have user role which is lowest ranking role then i need to modify this role as you have mentioned above i have no doubt this will work. that will however mean that all users using this then can't create ad hoc views. i also need to grant a set of users access to create ad hoc views and in that case i would need to give them admin access which i don't want to do - as they don't understand how to create domains etc...

i have also tried creating a new role and doing the above and assigning it to user with the user role also however the user role access takes precedent and does not restrict on the new role created.

IT seems like its only possible to have 2 sets of users. admins and other (which i can then define as either create ad hoc views or just executing views)

Is this correct?


michael.mccarthy - 8 years 5 months ago

You are correct that the default user role is the lowest common denominator. What you can do is a two step process. First, modify permissions or roles so that ROLE_USER has only the access you want the least of your users to have. Add a new role, ROLE_BETTER_USER, and give that role the additional privileges you want.

elizam - 8 years 5 months ago

Thank you for your reply,

I was looking for an "automatic" solution ( I mean, first installation already working as expected without manual intervention) but your suggestion works as expected: I have modified the rights of the Ad-hoc components and Topics folders to "Execute Only", moved all ad-hoc views into the Topic folder and created a Report folder with read-only rights where I moved all the reports. 

When "read-only" users now login to JasperServer, they can see only "Reports", and even if they modify the filter on the Library page to show "ad-hoc views" they do not see anything.

Meaning that I have to prepare a manual for the "first parameterizazion" for my customers.

Anyway, very good!

Thanks a lot and have a wonderful day.



gbdenaro's picture
Joined: Mar 7 2011 - 1:05pm
Last seen: 1 year 1 month ago

You should be able to create this repository structure and then export it.
Set up your structure the way you want it in a clean/new JRS.
Log in as superuser, go to Manage > Server Settings , select Export on the left, and select export everything
Then in the new JRS, log in as superuser, Manage > Server Settings > Import, and import the file you got as an Update.
So you could make the export file and just tell your users to import it as part of their initial setup.

If you are up for editing configuration files, you could also modify the permissions for the Ad Hoc, Topic, and Domain flows, as outlined in the Ultimate Guide:
Again, if you do this on a clean JRS, you could rebuild the war file with your modifications and give it to your users for their initial install.

elizam - 9 years 3 weeks ago