JasperReports Server includes an additional mapping of roles to system roles so that users can grant administrator privileges to their external users.
Using this feature, LDAP entries belonging to custom groups can be granted system or organization admin roles in JasperReports Server.
One way of doing this, as discussed in the JasperReports Server Authentication Cookbook, section 3.8 Mapping Roles to System Roles, is to have a site superuser or an organization administrator (jasperadmin) log in to JasperReports Server via the login screen (<host:port>/jasperserverpro/login.html) and assign internal JasperReports Server administrator roles to external users manually.
This approach worked in previous versions of JasperReports Server product. However, it no longer works in JasperReports Server v5.2. The manually mapped internal roles get deleted after user logging in through SSO.
Due to some code changes in JasperReports Server v5.2 version for role synchronization to meet a specific requirement, all roles assigned to an external user must be configured with organizationRoleMap to map between external and internal roles.
Any unmapped roles for the external user found in the repository DB (jiuser – jiuserrole – jirole) are dereferenced (deleted) through synchronization when user logs in.
We already have a report filed to address this problem and to fix it in the upcoming release of JasperReports Server.
As of 8/30/2013, there’s no ETA on the actual fix date to resolve this issue.
By disabling additional mapping to ROLE_ADMINISTRATOR system role, as discussed in section "3.8.1 organizationRoleMap", we can prevent role synchronization from occuring. Thus leaving internally mapped roles alone in the jiuserrole table. The achieve this, the user can comment out the "organizationRoleMap" property in applicationContext-externalAuth-LDAP-mt file (under WEB-INF directory) "mtExternalUserSetupProcessor" bean from:
<property name="organizationRoleMap"> <map> <!-- Example of mapping customer roles to JRS roles --> <entry> <key> <value>ROLE_ADMIN_EXTERNAL_ORGANIZATION</value> </key> <!-- JRS role that the <key> external role is mapped to--> <value>ROLE_ADMINISTRATOR</value> </entry> </map> </property>
<!-- <property name="organizationRoleMap"> <map> <!-- Example of mapping customer roles to JRS roles -- <entry> <key> <value>ROLE_ADMIN_EXTERNAL_ORGANIZATION</value> </key> <!-- JRS role that the <key> external role is mapped to-- <value>ROLE_ADMINISTRATOR</value> </entry> </map> </property> -->
This should disable the external role to internal mapping thus work around the problem as discussed.