JasperServer Admin Guide

JASPERSERVER ADMINISTRATOR GUIDERELEASE 3.7

http://www.jaspersoft.com

JasperServer Administrator Guide 2010 Jaspersoft Corporation. All rights reserved. Printed in the U.S.A. Jaspersoft, the Jaspersoft logo, JasperAnalysis, JasperServer, JasperETL, JasperReports, JasperStudio, iReport, and Jasper4 products are trademarks and/or registered trademarks of Jaspersoft Corporation in the United States and in jurisdictions throughout the world. All other company and product names are or may be trade names or trademarks of their respective owners. This is version 0110-JSP37-7 of the JasperServer Administrator Guide.

2

Table of Contents

TABLE OF CONTENTS1 Introduction to JasperServer Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71.1 Overview of Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.1.1 1.1.2 1.1.3 1.2 1.2.1 1.2.2 1.2.3 1.3 1.4 Single Default Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Multiple Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Delegated Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Folder Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Sample Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Overview of the Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Overview of Users and Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Logging In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 1.4.1 1.4.2 1.4.3 Single Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Multiple Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 JasperServer Heartbeat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

1.5

Administrator Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

2

Organization, User, and Role Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152.1 2.2 2.3 2.4 Scope of Administrative Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Managing Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Managing Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Managing Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

3

Repository Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273.1 Managing Folders and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 3.1.1 3.1.2 3.1.3 3.1.4 3.1.5 3.1.6 Creating a New Folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Adding Resources to the Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Renaming a Folder or Resource . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Viewing a Report or Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Modifying an Ad Hoc Report or Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Editing a Resource . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

3

JasperServer Administrator Guide 3.1.7 3.1.8 3.1.9 3.2 3.2.1 3.2.2 3.2.3 3.2.4 3.2.5 3.3 3.3.1 3.3.2 3.3.3 Copying Folders or Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Moving Folders or Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Deleting Folders or Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Authentication Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Authorization Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Assigning Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Testing User Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Design Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Referencing Resources in the Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Multiple Organizations in the Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

4

Import/Export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414.1 4.2 4.3 Importing Repository Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Exporting Repository Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Encrypting the Repository Database Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

5

System Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455.1 Configuring Password Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 5.1.1 5.1.2 5.2 5.3 Enabling Password Expiration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Allowing Users to Change their Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Changing the Login Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Ad Hoc Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 5.3.1 5.3.2 5.3.3 Ad Hoc Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Managing the Ad Hoc Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 Configuring Dataset Expiration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

5.4 5.5

Disabling the Domain Validation Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 Configuring JasperReports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 5.5.1 5.5.2 5.5.3 Extending JasperReports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 Changing the Crosstab Limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 Setting a Global Chart Theme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

5.6 5.7 5.8

Configuring the Heartbeat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 Removing Report Scheduling Interval Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 Special Domain Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 5.8.1 5.8.2 5.8.3 Enabling Oracle Synonyms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 Enabling CLOB Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 Enabling Proprietary Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 Data Sources in JasperServer and JasperReports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 JasperServer Data Sources and Query Executors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 Overview of the Example Custom Data Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 Prerequisites and Installation of the Example Custom Data Sources . . . . . . . . . . . . . . . . . 57 Creating a Custom Data Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

5.9

Custom Data Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 5.9.1 5.9.2 5.9.3 5.9.4 5.9.5

4

Table of Contents 5.9.6 5.9.7 Installing a Custom Data Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 Using a Custom Data Source in Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

5.10 Configuring the Online Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 5.11 Configuring Search Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

6

Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636.1 6.2 Audit Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Configuring Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 6.2.1 6.2.2 6.2.3 6.3 6.3.1 6.3.2 6.4 Enabling Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Archive Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Events and Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Domain Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 Sample Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Using the Audit Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Importing and Exporting Audit Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

7

Integrating JasperServer and Talend Integration Suite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697.1 7.2 Configuring ETL Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 Testing Integration with TIS EE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

8

Integrating JasperServer and Liferay Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 718.1 8.2 8.3 8.4 8.5 8.6 8.7 8.8 Changing Liferays Port Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 Configuring JasperServer to Accept Web Services Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Configuring Liferay to Access JasperServer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Testing Liferay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 Deploying the JasperServer Portlet WAR File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 Configuring a Default Report to Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 Testing the JasperServer Portlet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 JasperServer Portlet Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 8.8.1 8.8.2 8.9 Portlet Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 Example Server and Browser Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Setting up JasperReports Hyperlinks for Use in a Portlet Environment . . . . . . . . . . . . . . . . . . . . . . . . 77

9

Localization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 799.1 UTF-8 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 9.1.1 9.1.2 9.1.3 9.1.4 9.2 9.2.1 9.2.2 9.2.3 9.3 9.3.1 Tomcat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 JBoss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 MySQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 Oracle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 About Properties Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 Creating a Resource Bundle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 Changing Format Masks and Date Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 Specifying Additional Locales . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Creating a Locale . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Configuring JasperServer to Offer a Locale . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

5

JasperServer Administrator Guide 9.3.2 9.3.3 9.4 9.4.1 9.4.2 9.5 Specifying Additional Time Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 Setting a Default Time Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Changing Character Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 Working with Fonts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Character Encoding and Fonts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

JasperBabylon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

6

Introduction to JasperServer Administration

1

INTRODUCTION TO JASPERSERVER ADMINISTRATION

JasperServer builds on JasperReports as a comprehensive family of Business Intelligence (BI) products, providing robust static and interactive reporting, report server, and data analysis capabilities. These capabilities are available as either standalone products, or as part of an integrated end-to-end BI suite utilizing common metadata and providing shared services, such as security, a repository, and scheduling. JasperServer exposes comprehensive public interfaces enabling seamless integration with other applications and the capability to easily add custom functionality. The heart of the Jaspersoft BI Suite is JasperServer, which provides the ability to: Easily create new reports using an intuitive web-based drag and drop Ad Hoc reporting interface. Efficiently and securely manage many reports. Interact with reports, including entering parameters and drilling on data. Arrange reports and web content to create appealing, data-rich dashboards that quickly convey business trends. For creating analysis views and OLAP client connections, Jaspersoft offers JasperAnalysis, which runs on JasperServer. This optional component is described in the separate JasperAnalysis User Guide. The core of the JasperServer architecture is the repository that stores the reports, dashboards, analysis views, and all the resources these depend upon. Users have a password protected user account, and once logged in, they run report, dashboards, and analysis views from the repository. The repository has role-based permissions to control access to resources. When users create reports and dashboards of their own in the designer tools, they save them in a writable folder of the repository. This guide covers how to administer the users, roles, resources, and settings in JasperServer to ensure security and performance. This guide also covers how to manage organizations and perform auditing of JasperServer, a new feature of this release. If you want to extend your knowledge of Jaspersoft BI software, our Ultimate Guides document advanced features and configuration. They also include best practice recommendations and numerous examples. The guides are available as downloadable PDFs. Community project users can purchase individual guides or bundled documentation packs from the Jaspersoft online store. Professional and Enterprise customers can download them freely from the support portal.This administrator guide describes features that are only available to users who have the administrator roles. Many of the configuration procedures also assume you have unlimited access to the JasperServer host computer.

This chapter contains the following sections: Overview of Organizations Overview of the Repository Overview of Users and Roles Logging In Administrator Pages

7

JasperServer Administrator Guide

1.1

Overview of Organizations

The architecture of JasperServer supports organizations, logical entities within JasperServer that have their own users, roles, and branch of the repository. Organizations may have sub-organizations to mimic any business structure or hierarchy. The structure of the repository is determined by the organizations in your deployment. In the default installation, there is a single organization that mimics the simple structure in older versions of JasperServer. If you want to deploy multiple organizations, there are many design considerations you must be aware of.

1.1.1

Single Default Organization

After a default installation, JasperServer contains a single organization into which you can deploy your reports. For example, if you install the sample data, you see a single organization that holds all sample resources, users, and roles. Single organizations are designed to handle most business cases and are straightforward to administer. Even in a single organization, there is a system admin and an organization admin that share administrative duties. If your business needs call for more organizations, you will have to manage several levels of administrators and possibly create shared resources in the repository. The following sections provide use cases and explain the multiple levels of administrators. Unless otherwise stated, the rest of this guide documents the single organization architecture that is the default installation with JasperServer.

1.1.2

Multiple Organizations

There are many usage scenarios for organizations within JasperServer: An application provider, such as a software-as-a-service company or a computer department, has a hosted application being offered to many customers and integrates JasperServer to offer dashboards, reports, and analysis. There are a number of common reports and data sources that are useful across customers, but there are customer specific reports as well. Machines and databases are shared by customers, according to the providers own architecture, but within the functionality provided by JasperServer, each customer is a separate organization. Customers can manage their own users in the hosted application, and JasperServer maps the applications authentication scheme to the correct organization. The organization mechanism provides the full power of JasperServer to each of the providers customers, while ensuring that their data and reports are secure. A company has many departments but wants to consolidate the BI environment so that all departments are sharing a common BI infrastructure. Corporate IT only needs to deploy and maintain a single instance of JasperServer, and each department is represented by an organization that manages its own users. For security and simplicity, the departments do not share databases, except in the case of sub-departments, such as Accounts Payable being a sub-department of Finance. Users access JasperServer directly, logging in with their department name and user name. Within a department, organization administrators have defined the data sources and Domains specific to the needs of their departments users. The design of the organization feature is flexible enough to accommodate any combination of these and many other usage scenarios. In all cases, administrators can configure secure environments for any number of organizations, and end-users experience a powerful BI platform that is tailored to their needs. Each organization or hierarchy of organizations co-exists independently within the same instance of JasperServer. JasperServer isolates neighboring organizations from each other but allows parent organizations to have full control over their sub-organizations. Users may only access data and resources within their organization or a sub-organization, and administrators may define roles and set permissions to further restrict access.

1.1.3

Delegated Administration

Each organization has an administrator who can manage users, roles, and repository permissions within the organization. The administration of organizations is hierarchical, meaning that the administrator can also manage all users and roles within suborganizations of any level. When there are sub-organizations, the administrator of the parent organization can either manage their users and roles, or delegate those tasks to an administrator within each sub-organization. The administrator of a sub-organization is limited to accessing resources and managing users and roles within the sub-organization, thereby maintaining the security of the parent organization and any of the parents other sub-organizations.

8

Introduction to JasperServer Administration There are essentially three levels of administration: The system administrator Also called system admin. The system admin is the superuser login, outside of all organizations, that manages the JasperServer installation, creates top-level organizations, and manages server-wide settings. The system admin can create, modify, and delete users, roles, and repository objects of any organization. The administrator of a top-level organization Also called organization admin. The organization admin manages all users, roles, and repository objects within an entire organization, including any sub-organizations. The default login name of the organization admin is jasperadmin. The administrator of a sub-organization Functionally equivalent to an organization admin, but due to the hierarchy of organizations, manages a limited set of user, roles, and repository objects and may be overridden by a top-level organization admin.

1.2

Overview of the Repository

The repository is a hierarchical structure of folders where JasperServer, administrators, and users store resources for creating reports and doing analysis. In its appearance and function, the repository resembles a file system with a hierarchical structure of folders that contain resources. Internally, the repository is implemented as a database that is private to the JasperServer instance.

1.2.1

Folder Structure

The root of the repository tree structure is accessible only to the system admin. It contains the folders for each organization and folders for certain configuration settings.

Figure 1-1

Root of the Repository Showing Top-Level Organization Folders

Within the repository, each organization has its own branch, contained in a folder named after the organization. JasperServer automatically restricts users view and access to the branch of the repository in their organizations folder. Organization admins can create any folder structure needed within the organization. To mimic the hierarchical structure of organizations, each organization also contains a folder called Organizations where suborganizations are created, as shown in section Figure 1-2 on page 10.

1.2.2

Resources

Resources are stored in the repository and used as input for creating reports and performing analysis. Certain resources such as images, fonts, or JRXML created in iReport are uploaded from files. Others such as data sources and Domains are created within JasperServer. Of course, reports can also be saved in the repository to be run as often as needed, and output such as PDF or HTML can be saved in the repository as well. Each resource has a unique short name, a display name, and an optional description. As in a file system, the names of folders containing the resource give the path to the object. Users locate resources in the repository by browsing through folders, searching for keywords, or by filtering resources by type, date, etc. The repository displays the descriptions in listings or in tooltips to help users understand the contents or purpose of a resource.

9

JasperServer Administrator Guide Resources are stored in an internal format that is not accessible to users or administrators, although certain objects can be downloaded to your file system in an output format such as XML. Any repository object may be exported to a file with the jsexport utility, but the resulting files are for backup or transfer to another JasperServer instance and cannot be modified. JasperServer restricts access to folders and resources based on organizations, user names, and roles. The system admin and organization admin can define permissions as explained in section 1.3, Overview of Users and Roles, on page 11.

1.2.3

Sample Data

When you install the sample data in Jasper Server, the default organization has folders and objects showing typical content in the repository. As shown in the following figure, the default organization is named Organization. The sample data includes dashboards, reports, Domains, data sources, and many components used in these, such as input types, content files, and image files. Each type of content is stored in a separate folder, making it easy to locate. The Supermart Demo folder contains a complete example of inter-related dashboards, reports, and resources for various business scenarios within a fictional grocery store company.System admin view: Organization admin view:

Figure 1-2

System Admin and Organization Admin Views of the Same Sample Data

Every level of the organization hierarchy, including the system or root level, has a folder named Organizations to contain suborganizations. The left-hand view in Figure 1-2 shows the root of the Repository, as seen by the system admin. The Organizations folder at the root contains the main folder for top-level organizations. In the sample data, there is only the default organization named Organization. The right-hand view in the figure shows the Organization folder, as seen by the organization admin who has no visibility outside of the Organization folder. The Organizations folder always contains a folder named Folder Template. When a new organization is created, the entire contents of Folder Template is copied to a new folder under Organizations and given the name of the new organization. In the sample data, there is a Folder Template for top-level organizations, and one inside the default organization, for use in creating sub-organizations. By default, both of these Folder Templates, contain the minimal folder structure required for new organizations, namely a Topics folder under Ad Hoc Components and a Temp folder. The admin can add any folders or resources to the Folder Template that will be used in subsequently created organizations. The Public folder at the root is a special folder shared with all organizations. It is visible to every organization so that the system admin can share certain resources in common, such as a data source, a company logo image, or a report template.

10


1.3

Overview of Users and Roles

User accounts and role assignments provide authentication and authorization mechanisms to implement access control in JasperServer. Users enter an organization name, a login name, and a password in order to access JasperServer. Administrators assign named roles to users and then create role-based permissions to further restrict access to objects in the repository and to data in Domains. Both users and roles are associated with the organizations in which they are defined, and they follow the same hierarchical model. Users and roles defined in an organization may be granted or denied access to any repository folder or object within the organization or its sub-organizations. However, the administrator of the sub-organization has no visibility of the roles and users in the parent organization, even if they are used in access permission within the sub-organization. User names and role names are unique within an organization, but not necessarily among sub-organizations or across all organizations in JasperServer. For example, the default organization administrator is called jasperadmin in every organization. Because the organization must be given when logging in, JasperServer can distinguish between every user. In some cases such as web services, a user is identified by the unique string username|organization_ID. Access to the repository is defined directly on the repository resources. Administrators may define a level of access, such as read-write, read-only or no access, and each permission may be based either on a user name or on a role name. Administrator privileges are determined by system-level roles named ROLE_SUPERUSER and ROLE_ADMINISTRATOR. This allows several users to be system admins or organization admins for large deployments. Based on the presence of either of these roles, JasperServer presents the appropriate administrator options in menus, tool bars, and on the users home page. For more information, see section 2.1, Scope of Administrative Privileges, on page 15.

1.4

Logging In

The existence of multiple organizations changes how users log in on the welcome page.

1.4.1

Single Organization

In the default or minimal installation, there is a single organization and logging in is exactly the same as in previous versions of JasperServer. Users must specify a user ID and a password, but they do not need to be aware of the organization structure.

Figure 1-3

Default Login Screen

11

JasperServer Administrator Guide Administrators log in with this screen as well, using the following default passwords: Username superuser and password superuser for the system admin. Username jasperadmin and password jasperadmin for the organization admin.For security reasons, always log in and change both administrator passwords immediately after installing JasperServer. For instructions, see section 2.3, Managing Users, on page 19.

1.4.2

Multiple Organizations

When more than one organization exists within JasperServer, even as a sub-organization of a single organization, users must specify their organization when logging in. To ensure uniqueness, users must enter the ID or alias of the organization, not its display name. For example, the default organization has the display name Organization, and its ID is organization_1, as shown on the left of Figure 1-4.http://:8080/jasperserver-pro/login.html http://:8080/jasperserver-pro/login.html? orgId=organization_1

Figure 1-4

Alternate Login Screens for Multiple Organizations

To simplify the login for users who are always in the same organization, the organization ID may be specified in the URL of the login page. When the organization ID is specified in the URL, JasperServer displays the simpler login dialog, as shown on the right of Figure 1-4. Users can bookmark this URL to avoid entering the organization ID each time. The system admin, superuser by default, must leave the organization name blank. When logging in as the system admin, you must clear the Organization name from the login screen or from the login URL. To summarize, administrators log in with the following credentials: System admin Organization field or URL blank, username superuser, and password superuser. Organization admin (default organization) Organization field or URL organization_1, username jasperadmin, and password jasperadmin. If you have created other organizations, log in with their organization ID or alias, not their display name.For security reasons, always log in and change both administrator passwords immediately after installing JasperServer. For instructions, see section 2.3, Managing Users, on page 19.

1.4.3

JasperServer Heartbeat

When you login to JasperServer for the first time after installation, you may be prompted to opt into JasperServers Heartbeat program. The heartbeat reports specific information to Jaspersoft about your implementation: the operating system, JVM, application server, RDBMS (type and version), and JasperServer edition and version number. By tracking this information, Jaspersoft can build better products that function optimally in your environment. No personal information is collected; for more information see http://www.jaspersoft.com/heartbeat. To opt into the program, click OK. To opt out, clear the check box and click OK.

12


1.5

Administrator Pages

After logging in, administrators see a Getting Started page that has more controls than a standard users Getting Started page. To return to this Getting Started page at any time, click Home on the main menu bar.

Figure 1-5

Getting Started Page for Administrators

Figure 1-5 shows the About JasperServer link in the page footer. This link is available on every page to both users and administrators and displays the product version number, as shown in the following figure:

Figure 1-6

About JasperServer Dialog

The About JasperServer dialog also shows the software build, your license type, and its expiration. Please have this information available if you need to contact Jaspersoft for support. Administrator controls are accessible by clicking manage the app to open the Manage page or directly through the Manage menu in the main menu bar.

13


Figure 1-7

Admin Home Page for System Admins

All possible administrator controls are available to the system admin. They include managing organizations, users, and roles, as well as configuration options for analysis and the Ad Hoc Editor. For more information about the Ad Hoc settings, see section 5.3, Ad Hoc Configuration, on page 47.

Figure 1-8

Admin Home Page for Organization Admins

The organization admin is limited to managing the organizations, users, and roles of her organization and cannot access any system configuration.As shown in the figures above, certain administrator controls are available only through the Manage menu, notably Manage > Organizations.

14

Organization, User, and Role Management

2

ORGANIZATION, USER, AND ROLE MANAGEMENT

Administrators use the management interface to create the organizations in their deployment, if any, populate them with users, and assign roles that they can later use to enforce access permissions to the repository. In the default, single organization deployment, the administrator only needs to create users and roles. In a deployment with multiple organizations, there can be administrators at every level of the hierarchy, as described in section 1.1.3, Delegated Administration, on page 8. Part of any large deployment is to designate which administrators are responsible for each specific task. For example, system administrators might set up the top-level organizations and default roles, but each organizations admin would then create and manage the users of that particular organization. The interface in JasperServer for managing organizations, users, and roles accommodates all levels of administrators and makes it easy for them to find hundreds of users and roles, whether in a single organization or spread across many. The interface also enforces the scope of administrative privileges, for example so that an administrator can never see a role or user from a parent organization. This chapter contains the following sections: Scope of Administrative Privileges Managing Organizations Managing Users Managing Roles

2.1

Scope of Administrative Privileges

Organization admins have the ability to: Create sub-organizations. Create, modify, and delete users, including changing their password. However, no administrator can ever view a users existing password in clear text. Login as any user in the organization for testing system access. Create, modify, and delete roles. Assign roles to users, including the ROLE_ADMINISTRTOR role that grants organization admin privileges. Create, modify, and delete folders and repository objects of all types. Set access permissions on repository folders and objects. System admins have the ability to: Perform all organization-level tasks listed above, on any organization within the system. Create top-level organizations.

15

JasperServer Administrator Guide Create users outside of organizations that can access all organizations. Assign the ROLE_SUPERUSER role that grants system admin privileges. Set the system-wide configuration parameters. For delegated administration, an existing administrator may grant these privileges to any user. There are three factors that determine the scope of a users administrative privileges:ROLE_ADMINISTRATOR JasperServer confers the organization-level privileges listed above to any user with this role. When a user with this role logs in, JasperServer displays the additional controls to access the admin pages. The users organization Regardless of roles, an administrator is always limited in scope to the organization in which the user account is created, including any sub-organizations thereof. In no case can a user, even with the ROLE_SUPERUSER, ever view or modify any organization, user, or repository object outside of the organization to which the user belongs.

The default system admin user, named superuser, exists at the system level, outside of any organization. This is what allows the system admin to access any organization and create other system admin users outside of any organization.ROLE_SUPERUSER When a user already has ROLE_ADMINISTRATOR, this additional role grants access to the system

configuration functions. In a multi-organization environment, this role should not be given to organization admins, because system configuration includes the Ad Hoc cache shared by all organizations. In the case of a single organization such as in the default installation, giving this role to the organization admins grants access to system settings without granting privileges to create top-level organizations or other system administrators. In order to delegate system administration, the existing system admin must first create other users at the root level, outside of any organization. The system admin can then assign both ROLE_ADMINISTRATOR and ROLE_SUPERUSER to grant them system admin privileges. For further information about these roles, see section 3.2, Access Control, on page 33.

2.2

Managing Organizations

System admins and organization admins use the same interfaces for managing organizations, the only difference is that system admins can manage top-level organizations, whereas organization admins are limited to sub-organizations.Administrators of deployments with a default single organization can generally skip this section. However, this procedure can be used to change the display name of the default organization. To create, modify, or delete organizations:

1. 2.

Log in as a user with administrative privileges. Select Manage > Organizations and select the organization you want to manage. The Details frame on the right shows the display name, organization ID and description of the organization selected in the tree. It also shows the number of users and roles defined in the selected organization and all of its sub-organizations.

Figure 2-1

Manage Organizations Interface Seen by System Admins

16

Organization, User, and Role Management This interface includes all the controls for adding, editing, or deleting organizations. For convenience, there are also links to the interfaces for managing users and roles. All controls operate on the organization that is currently selected in the hierarchy of organizations. Figure 2-1 above shows that the system admin can manage any organization or sub-organization in JasperServer. The tree view on the left shows the hierarchy of organizations starting with the one to which your user belongs. The system admin does not belong to any organization, and the container for all top-level organizations is called root.

Figure 2-2

Manage Organizations Interface Seen by Organization Admins

Figure 2-2 shows how an organization admin is limited to managing his own organization hierarchy. In this case, the admin of the Finance organization cannot access the HR or Operations organizations. Also, the Delete Organization button is inactive when the admins own organization is selected. 3. To create a new organization, select the intended parent organization in the hierarchy, then click Add Organization.... The Add Organization dialog appears.

Figure 2-3

Add Organization Dialog

4.

Enter the following information for the new organization:

17

JasperServer Administrator Guide The organization name is the display name of the organization. This name appears in the administration dialogs and on the organizations folder in the Repository. The organization ID must be unique across all organizations. The dialog suggests an ID based on the organization name you enter, but you may enter any unique value. The ID cannot be changed after the organization is created. The organization ID appears in the login URL for users of this organization, as described in section 1.4, Logging In, on page 11. The organization alias is the name of organization that users can enter when logging in. It must also be unique among all organizations, but it can be modified at any time. The description is a short text describing the organization. The description is displayed to admins on the Manage Organizations interface. The text under each field explains any character restrictions within each value. 5. Click Create to create the organization. The organization appears in the hierarchy on the left and can be further modified if necessary. New organizations contain: No roles The ROLE_ADMINISTRATOR and ROLE_USER are inherited from the system. jasperadmin and joeuser Two default users with default passwords.For security reasons, always change both passwords immediately after creating new organizations. For instructions, see section 2.3, Managing Users, on page 19.

A folder under the parents Organizations folder in the repository The new folder has the organizations display name and contains a copy of the parent organizations Folder Template folder. 6. To edit an organizations information, select the organization in the hierarchy, then click Edit. In the details frame on the right, the organization name and description become editable, with explanation text under each. Changing the organization name changes the name of the main organization folder, the one that all organization users see at the root of their view of the repository. The organization ID cannot be modified, it always has the value defined when the organization is created. You can change the organization alias if you want to change the value that users enter when they log in.

Figure 2-4

Edit Organization Dialog

7. 8.

Click Save to keep any changes or Cancel to quit without saving your changes. To delete an entire sub-organization, select the organization in the hierarchy, then click Delete Organization. You cannot delete the organization to which your admin user belongs. When you confirm the deletion, all users, roles, folders of the organization and any sub-organization it contains are removed from JasperServer.

18


2.3

Managing Users

As with organizations, all admins use the same interface to manage users in their respective organizations. The only difference is that system admins can manage all users in all organizations, as well as create users outside of organizations, as described in 2.1, Scope of Administrative Privileges, on page 15. The default installation of JasperServer contains the following users: User Namesuperuser anonymousUser jasperadmin joeuser demo CaliforniaUser

Default Passwordsuperuser anonymoususer jasperadmin joeuser demo CaliforniaUser

Organization Namenone none Organization Organization Organization Organization

DescriptionDefault system admin Allows anonymous login, which is disabled by default Default organization admin in every organization Default end user in every organization Included for use with sample data Included for use with sample data

Passwords are case sensitive. You should exercise the necessary security precautions, including changing your password regularly. To configure password policies, refer to section 5.1, Configuring Password Options, on page 46.To create, modify, or delete users:

1. 2.

Log in as an administrator for the organization to which the users belong. Select Manage > Users or click users on the administrators Manage page. As shown in the following figure, the Manage Users interface displays the users in the organizations over which you have administrative privileges. The organization to which your user belongs is selected at the root of the organizations hierarchy, and the list of users shows all user names in all sub-organizations.

Figure 2-5

Manage Users Interface

If there are many users, the list of users has a scroll bar and paging controls at the bottom. Scroll and click Next and Previous when necessary to see the entire list of users.

19

JasperServer Administrator Guide Users are listed alphabetically, and multiple users with the same username may appear. In the figure above, several organization have been created, and each has a jasperadmin user. A tooltip shows each users full name and organization. To distinguish between organizations, the tooltip shows the hierarchy of organization names relative to your organization, for example Organization.Finance.Audit in the figure. 3. To narrow the list of users or find a specific user, click on an organization, enter a search string, or both. This list of users shows all users within the selected organization or any of its sub-organizations and whose username contains the search string. Scroll and page through the new list, or refine your search. 4. Click on a username in the list of users at any time to see information about the user. The details frame shows the username, display name, email address and roles if any. Profile attributes are special user attributes that may only be added through the database and not through the Manage Users interface. The frame also shows the status of the user, either enabled or disabled. Disabled users also appear in gray in the list of users.As the admin of a given organization, you only see the roles defined in your organization or any sub-organization. Except for certain special system-wide roles, any roles of parent organizations are not visible on a user. For more information, see section 2.4, Managing Roles, on page 22.

This frame includes all the controls for editing, logging in as, or deleting the selected user. For convenience, there are also links to manage each role. 5. To create a new user, select the desired organization in the hierarchy, then click Add User in the top-right corner. Admins can create a user within their own organization or any sub-organization. The Add User dialog appears.

Figure 2-6

Add User Dialog

6.

Enter the following information for the new user: The user ID is the username or login name. This name is used throughout JasperServer to identify the user. User IDs must be unique within an organization, but not necessarily among its sub-organizations or any other organization. The dialog warns you if the user ID you enter is not unique within the chosen organization. The text under this field explains the character restrictions within the user ID. The full name of the person. This optional name can be in any format or convention. JasperServer displays this name in the top right-hand corner of the screen for each user. The email address of the person. The email is optional but the address must be in a valid format. Password and confirmation. Enter the users default password in each field. Select the checkbox to enable the user right away. If a user account is not enabled, the person cannot log in with this username. For example, you may not want to enable the user account until you have assigned its roles.

7. 20

Click Submit to create the user.

Organization, User, and Role Management The new user is selected in the list of users unless you have entered a search term that does not include the new user. Review the details of the user you just created. JasperServer automatically assigns the ROLE_USER to every new user. 8. To edit a user, find the user by searching or selecting an organization, click on the username in the list of users, then clickEdit in the details frame on the right.

In the details frame, the user details become editable, except for the user ID and the profile attributes. The user ID cannot be modified, it always has the value defined when the user is created. The profile attributes can only be modified in the database, not through the Manage Users dialog.

Figure 2-7

Edit User Dialog

9.

To change the roles that are assigned to the user, click edit roles. The Edit Roles dialog appears for the user that you are editing.

Figure 2-8

Edit Roles Dialog

The list on the right displays the roles currently assigned to the user. To remove roles, select one or more roles in the righthand list and click the left arrow button. The list on the left displays all other roles that may be assigned to the user. To assign roles, select one or more roles in the left-hand list and click the right arrow button. The available roles include any role in the organization of the user, any role in a parent organization of the user up to and including the organization of the current administrator, and the special system-wide roles. When finished assigning roles, click Done. 10. When done modifying any user fields or roles, you must click Save to keep any changes. 11. Click Log in as User to test the users permissions, as explained in 3.2.5, Testing User Permissions, on page 38.

21

JasperServer Administrator Guide Another reason to log in as another uses is when creating and maintaining resources that use absolute references in the repository. The system admin creates absolute references that are not accessible to users within organizations. The system admin must log in as the admin of the organization that want to use the resource so that it is created with an absolute reference that is valid in the context of the organization. For more information, see section 3.3.2, Referencing Resources in the Repository, on page 39. 12. To delete a user, locate and select the user, then click Delete User. When you confirm the deletion, the user is removed from JasperServer.

2.4

Managing Roles

Roles define sets of users who are all granted similar permissions. Roles are created by administrators, assigned to users, and then assigned permissions in the repository. By default, JasperServer includes the following roles; some are needed for system operation, some are included as part of the sample data: RoleROLE_SUPERUSER

DescriptionThis role determines system admin privileges, as explained in section 2.1, Scope of Administrative Privileges, on page 15. It is a system-level role, however the system admin may assign it to organization admins in single-organization deployments. This role determines organization admin privileges, as explained in section 2.1, Scope of Administrative Privileges, on page 15. JasperServer automatically assigns this role to the default jasperadmin user in every new organization. It is a special system-level role that is visible in every organization and which organization admins may assign to other users. Every user that logs into JasperServer must have this role. JasperServer automatically assigns this role to every user that is created, and it cannot be removed. It is a special system-level role that is visible in every organization. When anonymous access is enabled, JasperServer automatically assigns this role to any agent accessing JasperServer without logging in. This role is also assigned to the default anonymous user. By default, anonymous access is disabled and this role isnt used. It is a special system-level role that is visible in every organization. JasperServer assigns this role to users that are created automatically when a portal such as Liferay requests authentication for a connection. If the specified user name does not exist in JasperServer, it is created, assigned the password of the user in the portal, and assigned the ROLE_PORTLET and ROLE_USER roles. This role grants access to the SuperMart demo Home page, reports, and if you implement JasperAnalysis, analysis views. This role is assigned to the demo user in the default organization. These objects are available only if you installed the sample data when you installed JasperServer. It is a special system-level role that is visible in every organization. This role is used to assign permissions relative to the sample data. It is a special system-level role that is visible in every organization. It demonstrates data security features available in JasperAnalysis. See the JasperAnalysis Ultimate Guide for more information. This role no longer governs any JasperServer permissions or functionality, unless it has been customized in your installation. Typically, it can be deleted safely.

ROLE_ADMINISTRATOR

ROLE_USER

ROLE_ANONYMOUS

ROLE_PORTLET

ROLE_DEMO

ROLE_SUPERMART_MANAGER

ROLE_ETL_ADMIN

Except for the five special system-level roles visible in every organization, roles are defined in organizations. As with users, the same role ID can be defined in separate organizations, as long as it is unique within any given organization. Similarly, roles are visible only within the organizations that define them. Admins may see all roles within their organization and suborganizations, but never any roles from a parent or sibling organization. Even if the admin of the parent organization has

22

Organization, User, and Role Management assigned the role to a user in a sub-organization, the admin of the sub-organization sees the user without the parent role. The interface for managing roles enforces this scoping, so that only valid roles may be assigned to any given user. The interface for managing roles lets you create roles and assign each role to many users. If you want to assign several existing roles to a single user, see section 2.3, Managing Users, on page 19.To create, modify, delete, or assign a role to users:

1. 2.

Log in as an administrator. Select Manage > Roles or click roles on the administrators Manage page. As shown in the following figure, the Manage Roles interface displays the roles in the organizations over which you have administrative privileges. The organization to which your user belongs is selected at the root of the organizations hierarchy, and by default, the list of roles shows all roles in all sub-organizations. The five special system-level roles are also listed in every organization.

Figure 2-9

Manage Roles Interface

If there are many roles, the list of roles has a scroll bar and possibly paging controls at the bottom. Scroll and click Next and Previous when necessary to see the entire list of roles. Roles are listed alphabetically, and multiple roles with the same name may appear. A tooltip shows the organization in which each role is defined, relative to your organization. 3. To narrow the list of roles or find a specific role, click on an organization, enter a search string, or both. This list of roles shows all roles within the selected organization or any of its sub-organizations and whose name contains the search string. Scroll and page through the new list, or refine your search. 4. Click on a role name in the roles list at any time to see information about the role. The details frame shows the role name, the organization where it is defined, and the list of users to whom the role has been assigned. Tooltips on the usernames help you distinguish among users with the same name. This frame includes the controls for editing or deleting the selected role. For convenience, there are also links to manage each organization or user that is referenced.Unless you are logged in as the system admin, you cannot edit or delete the five special system-level roles. Furthermore, when you view the details of the special system-level roles, you only see the users defined in your organization or any sub-organization to which this role has been assigned. For more information, see the table at the beginning of section 2.4, Managing Roles, on page 22.

5.

To create a new role, select the desired organization in the hierarchy, then click Add Role in the top-right corner. Admins can create a role within their own organization or any sub-organization. The Add Role dialog appears.

23


Figure 2-10

Add Role Dialog

6. 7. 8.

Enter a name for the new role. The text under the field explains the character restrictions in role names. The dialog warns you if the name you enter is not unique within the chosen organization. Roles have no other properties or settings. Click Submit to create the role. The new role is selected in the list of roles unless you have entered a search term that does not include the new role name. To edit a role name or assign the role to users, find the user by searching or selecting an organization, click on its name in the list of roles, then click Edit in the details frame on the right.

Figure 2-11

Edit Role Dialog

In the details frame, the role name becomes editable. Changing the name of an existing role affects all users to which the role is assigned. The role name associated with permissions in the repository is also updated automatically.However, changing a role name may compromise permissions defined in security files for Domains and analysis. For more information, see the JasperServer User Guide.

9.

To change the list of users to which the role is assigned, click change.... The Assign Users dialog appears for the role that you are editing.

24


Figure 2-12

Assign Users Dialog

The list on the right displays the users to which the role is currently assigned. To remove users, select one or more user names in the right-hand list and click the left arrow button. To assign the role to these users, select one or more users in the left-hand list and click the right arrow button. The list on the left displays all other users to which the role may be assigned. The eligible users that are displayed include any user in the organization where the role is defined or its sub-organizations. This list may be quite long and include duplicate names, as shown for a different example in Figure 2-13. Use the search field to find specific user names, and use the tool tips to differentiate between users.

Figure 2-13

Searching on the Assign Users Dialog

When finished assigning the role to users, click Done. 10. When done modifying the role, you must click Save to keep any changes. 11. To delete a role, locate and select the role, then click Delete Role. When you confirm the deletion, the role is removed from JasperServer.

25


26

Repository Administration

3

REPOSITORY ADMINISTRATION

The repository stores content files, data sources, datatypes, images, saved reports, and any other resource in JasperServer. The repository is structured as a hierarchy of folders that is based on the hierarchy of organizations. For more information, see sections 1.2.1, Folder Structure, on page 9 and 1.2.3, Sample Data, on page 10. Administering the JasperServer repository includes the following tasks: Creating folders and organizing repository objects. Controlling access to objects in the repository using roles, users, and object-level permissions. Managing references to data sources, images, fonts, and other resources upon which reports rely. This chapter contains the following sections: Managing Folders and Resources Access Control Multiple Organizations in the Repository

3.1

Managing Folders and Resources

Administrators and users with the proper permissions can create, modify, move, and delete folders and resources within the repository. The specific roles and permissions of the user determine what actions are available. The following sections explain what permissions are necessary to perform each action. When an action creates a resource, the section also gives the initial permissions assigned to the resource. For the definition of the permissions on folders and resources, see section 3.2.3, Permissions, on page 35. Within the repository and search results view, all actions on folders and resources are accessible through their context menu. Right-click on the folder or resource name to see the context menu for that object. Use any combination of search, folder browsing, or filters to display the resources you want to operate on.

3.1.1

Creating a New Folder

Any user with write permission on a folder can create new folders within it. By default, a new folder and its future contents inherit all permissions from the parent folder. 1. 2. Log on as a user who has write permission to the parent folder. Click View > Repository and locate the folder in which you want to create the new folder.

27

JasperServer Administrator Guide 3. Right-click the parent folder and select Add Folder from the context menu .

4.

Enter a folder name and an optional description in the dialog that appears, then click Add. The folder is created in the repository.

3.1.2

Adding Resources to the Repository

Only administrators can add resources to the repository. Regular users, even those with write permission on a folder, cannot create resources. By default, a new resource inherits all permissions from its parent folder. 1. 2. 3. Log on as an administrator. Click View > Repository and locate the folder in which you want to create the new resource. Right-click the parent folder and select Add Resource from the context menu. Then select the type of resource to add. The most common object types, such as reports and images, appear on the Add Resource menu. Less common object types are listed on the Other menu at the bottom of the Add Resource menu.

Figure 3-1

Add Resource > Other Menu

4.

Enter the information in the resource creation wizard specific to the resource you chose. Some resources are based on uploaded files, others on information you enter in the dialog. All wizards include fields to specify an object name, display name, and description in the repository. The object name is a unique name within the folder. The display name and description appear to users in the repository. If you are creating a data source, click Test Connection to have JasperServer validate it. If the test fails, review the values that you specified in the other fields and test the data source again.

5.

After you enter all the requested information, click Save. The resource is created and added to the repository.

For more specific procedures to create reports, domains, and data sources, refer to the JasperServer User Guide. For information about creating analysis views and OLAP client connections, refer to the JasperAnalysis User Guide.

3.1.3

Renaming a Folder or Resource

Any user with write permission on a folder or resource can change its display name or description.

28

Repository AdministrationYou cannot change the name of an organizations main folder through the repository. The name of the main folder is always the display name of the organization. To change the name of the main folder, change the display name of the organization, as described in section 2.2, Managing Organizations, on page 16.

1. 2. 3. 4.

Log on as a user who has write permission to the folder or resource. Click View > Repository and locate the folder or resource you want to change. Right-click the folder or the resource you want to change and select Properties... from the context menu. In the dialog that appears, enter a new display name or description:

Figure 3-2

Resource Properties Dialog for a Writable Resource

Users cannot modify the resource type or the resource ID; these are internal fields displayed for information only. Users with administer permissions can change the user access settings as described in section 3.2.4, Assigning Permissions, on page 36. 5. Click OK to make the change.

3.1.4

Viewing a Report or Dashboard

Only reports and dashboards support a viewing mode, which is equivalent to running the report or dashboard with current data. The report can be either a JRXML report uploaded by an administrator or an Ad Hoc report saved in the repository. Any user with read permission can view (run) a report or dashboard. 1. 2. 3. Log on as a user who has read permission to the report or dashboard. Click View > Repository and browse or search for the report or dashboard you want to view. Click the name of report or dashboard to run it. Alternatively, right-click the report or dashboard and select View from the context menu. The report or dashboard begins to run, and an activity monitor appears until the report or dashboard contents are displayed. The longer or more complex the report or dashboard is, the more time it takes to display. 4. 5. If you selected a long report by accident and it takes too long to display, click Cancel in the activity monitor. To return to the repository or search results page: From a report, click the back icon or click View > Repository. From a dashboard, click View > Repository or click your browsers back button. For detailed procedures about running reports and dashboards, refer to the JasperServer User Guide.

3.1.5

Modifying an Ad Hoc Report or Dashboard

Users with write permissions can open Ad Hoc reports and dashboards in the Ad Hoc Editor or dashboard designer, respectively. They can then modify the report or dashboard, overwrite the original, or save it as a new one. Ad Hoc reports and dashboards are the only resources whose content can be modified by end-users. All other resources such as JRXML reports and Domains can only be modified by administrators, as described in section 3.1.6, Editing a Resource, on page 30. 29

JasperServer Administrator Guide 1. 2. 3. Log on as a user who has write permission to the report or dashboard. Click View > Repository and browse or search for the report or dashboard you want to modify. Right-click the Ad Hoc report or dashboard and select Open in Designer... from the context menu .

Ad Hoc reports open in the Ad Hoc Editor and dashboards open in the dashboard designer. For detailed procedures about working in the Ad Hoc Editor and the dashboard designer, refer to the JasperServer User Guide. 4. 5. When you save your Ad Hoc report or dashboard, it overwrites the original one. In the Ad Hoc Editor, choose Save As to save a new report and preserve the original. To return to the repository or search results page after saving your work: From the Ad Hoc editor, click View > Repository or click your browsers back button. From the dashboard designer, click Cancel or click View > Repository.

3.1.6

Editing a Resource

Editing a resource invokes the same wizard used to define the resource when it was created. When editing the definition of a resource, you can reload a file, for example, or change a setting. Editing a resource can also be useful to view its settings, even if you dont want to modify them. Resources that have been created through the Add Resource menu can only be edited by administrators. For example, only an administrator can edit a JRXML report that he, or another administrator, previously uploaded to the repository. Administrators can also edit the report unit of an Ad Hoc report. Regular users, even those with write permission on a resource, cannot edit the definition of repository resources. 1. 2. 3. Log on as an administrator. Click View > Repository and search or browse for the resource you want to edit. Right-click the resource, then select Edit from the context menu .

4. 5.

Use the dialog specific to the resource to view or modify its definition or properties. To return to the repository without changing the resource, click Cancel in the wizard. When modifying a resource, click OK or Save to make the changes permanent.

3.1.7

Copying Folders or Resources

Any user with read permission can copy folders and resources in the repository, as long as the user has write permission on the target folder where the copy is made. When copying a folder, all the resources and folders it contains are copied recursively as well.When copying a folder or resource, permissions are not preserved and the new copy inherits all permissions from its parent folder. Administrators must explicitly set permissions again after making copies of folders or resources.

30

Repository Administration Copying is available through drag-and-drop as well as from context menus using the copy-paste model. Folders must be copied individually, but resources can be copied in bulk.To copy folders or resources by drag-and-drop:

1. 2. 3.

Log on as a user who has read permission to the folder or resource. Click View > Repository and locate the folder or resources you want to copy. Select the folder or resource so that it is highlighted. For resources such as reports whose names are active links, check the box beside the name or click anywhere in the row to select it. To copy more than one resource at a time, select all the ones you want to copy with Control-click or check the box beside each resource.

4.

Press Control while you drag the highlighted folder or resources and drop them on a folder for which you have write permission. While dragging, the mouse pointer changes to show you are copying a folder, a resource, or multiple resources. It also changes to show that certain folders such as the top organization folder are not valid targets. The mouse pointer does not indicate whether you have write permission on the target folder. If you drop the objects on a folder for which you do not have write permission, the objects are not copied. To cancel the copy operation, drop the object in a blank area of the repository.

5.

If you have write permission to the target folder, the folder or resources are copied, and the repository display updates to reflect the new contents, according to your current search and filter settings.

To copy folders or resources using context menus

1. 2. 3.

Log on as a user who has read permission to the folder or resource. Click View > Repository and locate the folder or resources you want to copy. Right-click the folder or resource and select Copy from the context menu .

To copy more than one resource at a time, select all the ones you want to copy with Control-click or check the box beside each resource name, then click Copy above the list of resources. In both cases, the mouse pointer changes to indicate you have initiated a copy operation. 4. Right-click the destination folder and select Paste from the context menu .

If Paste does not appear in the context menu of a folder, you do not have write permission there. To cancel the copy operation, right-click any folder and select Cancel. 5. After selecting Paste, the folder or resources are copied, and the repository display updates to reflect the new contents, according to your current search and filter settings.

3.1.8

Moving Folders or Resources

Users with write permission can move folders and resources in the repository, as long as they have write permission on the target folder as well. When moving a folder, all the resources and folders it contains are moved as well.Moving a folder or resource preserves any permissions that were explicitly defined. Any permissions that were inherited from its parent folder are inherited from the new parent after the move, and thus can potentially change.

31

JasperServer Administrator Guide Moving is available through drag-and-drop, as well as from context menus using the cut-and-paste model. Folders must be moved individually, but resources can be moved in bulk operations.To move folders or resources by drag-and-drop:

1. 2. 3.

Log on as a user who has write permission to the folder or resource. Click View > Repository and locate the folder or resources you want to move. Select the folder or resource you want to move so that it is highlighted. For resources such as reports whose names are active links, check the box beside the name or click anywhere in the row to select it. To move more than one resource at a time, select all the ones you want to move with Control-click or check the box beside each resource.

4.

Drag the highlighted folder or resources and drop them on a folder for which you have write permission. While dragging, the mouse pointer changes to show you are moving a folder, a resource, or multiple resources. It also changes to show that certain folders such as the top organization folder are never valid targets. The mouse pointer does not indicate whether you have write permission on the target folder. If you drop the objects on a folder for which you do not have write permission, the objects are not moved. To cancel the move operation, drop the object in a blank area of the repository.

5.

If you have write permission to the target folder, the folder or resources are moved, and the repository display updates to reflect the new location, according to your current search and filter settings.

To move folders or resources using context menus

1. 2. 3.

Log on as a user who has write permission to the folder or resource. Click View > Repository and locate the folder or resources you want to move. Right-click the folder or a single resource, and select Cut from the context menu .

To move more than one resource at a time, select all the ones you want to move with Control-click or check the box beside each resource name, then click Cut above the list of resources. In both cases, the mouse pointer changes to indicate you have initiated a move operation. 4. Right-click the destination folder and select Paste from the context menu .

If Paste does not appear in the context menu of a folder, you do not have write permission there. To cancel the move operation, right-click any folder and select Cancel. The selected folder or resources will not be cut. 5. After selecting Paste, the folder or resources are moved, and the repository display updates to reflect the new location, according to your current search and filter settings.

3.1.9

Deleting Folders or Resources

Users with delete permission on a folder or resource can delete those objects from the repository. In order to delete a folder, the user must have delete permission on all the resources and folders it contains, recursively.

32

Repository AdministrationThe repository keeps track of which resources are referenced by other resources, and does not allow you to delete them while they are still being referenced. For example an input type that is used by a report or a properties file that is used by a Domain cannot be deleted as long as the report or Domain still reference them. To find the resources that reference the one you want to delete, you need to look at each report, Ad Hoc topic, or Domain that you suspect of referencing it. When you edit a JRXML report or open a Domain in the Domain designer, you can see the resources it references. Then you can either remove the reference from the resource or delete the entire resource containing the reference.

Folders must be deleted individually, but resources can be deleted in bulk: 1. 2. 3. Log on as a user who has delete permission to the folder or resource. Click View > Repository and locate the folder or resources you want to delete. Right-click the folder or a single resource, and select Delete from the context menu .

To delete more than one resource at a time, select all the ones you want to delete with Control-click or check the box beside each resource name, then click Delete above the list of resources. 4. Confirm that you want to delete the folder or resource.There is no undo.

3.2

Access Control

Access control ensures that people using JasperServer can only access the data they are allowed to see. JasperServer provides access control through an integrated security framework that includes: Authentication Restricts access to identified users and protects that access with passwords. Defines roles for grouping users and assigning permissions. For more information, see section 3.2.1, Authentication Overview, on page 33. Authorization Controls access to repository objects, pages, and menus based on users and roles. Described in section 3.2.2, Authorization Overview, on page 34 and subsequent sections. Data level security Defines row and column level permissions to access your data. Row and column level permissions can be defined and enforced in Domains. For more information, refer to the JasperServer User Guide. If you implement JasperAnalysis, you can use roles to secure your data at any level of an analysis schemas hierarchy. For more information, refer to the JasperAnalysis User Guide.

3.2.1

Authentication Overview

The first part of security is to define user accounts and secure them with passwords. Users must log in with their user ID and password so that they have an identity within JasperServer. JasperServer stores user definitions, including encrypted passwords, in a private database. Administrators create, modify, and delete user accounts through the administrator pages, as described in section 2.3, Managing Users, on page 19. JasperServer also implements roles that can be assigned to any number of users. Roles let administrators create groups or classes of users that are granted certain permissions. For example, administrator privileges are granted by the role named ROLE_ADMINISTRATOR. A user may belong to any number of roles and receive the privileges from each of them. JasperServer stores role definition in its private database, and administrators create, modify, and delete roles through the administrator pages, as described in section 2.4, Managing Roles, on page 22. JasperServer relies on the open source Acegi security framework; it has many configurable options for:

33

JasperServer Administrator Guide External authentication services such as LDAP (used by Microsoft Active Directory and Novell eDirectory) Single sign-on using JA-SIG's Central Authentication Service (CAS) Java Authentication and Authorization Service (JAAS) Container security (Tomcat, Jetty) SiteMinder Anonymous user access (disabled by default) JasperServer also supports these encryption and authentication standards: HTTPS, including requiring HTTPS HTTP Basic HTTP Digest X509 The Acegi framework is readily extensible to integrate with custom and commercial authentication services and transports. Authentication occurs by default through the web user interface, forcing login, and/or through HTTP Basic authentication for web services, such as iReport and for XML/A traffic. JasperServer can automatically synchronize with an external authentication service. The external users dont need to be created manually in JasperServer first. Both users and roles are created automatically in JasperServer from their definitions in an external authentication service. For an overview of the authentication system and details about external authentication, see the External Authentication Cookbook.

3.2.2

Authorization Overview

With a users identity and roles established, JasperServer controls the users access in several ways: Menu Options and PagesThe menus that appear in JasperServer depend on the users roles. For example, only users with the administrator role can see the Manage menu and access the administrator pages. By modifying JasperServers configuration, you can modify access to menus, menu items, and individual pages. Refer to the JasperServer Source Build Guide and JasperServer Ultimate Guide for more information. Users belong to organizations and are restricted to seeing resources within their organization. Organizations have their own administrators, but they see only the users, roles, and resources from their organization. When JasperServer is configured with multiple organizations, they are effectively isolated from each other. For more information, see section 3.3, Multiple Organizations in the Repository, on page 38. Administrators can define access permissions on every folder and resource in the repository. Permissions are defined for every role and every user, or they can be left undefined so they are inherited from the parent folder. For example, user may have readwrite access to a folder where they create reports, but the administrator can also create standard reports in the same folder that are set to read-only. Permissions are enforced when accessing any resource either directly through the repository interface, indirectly when called from a report, or programmatically through the web services. Permission levels are explained in section 3.2.3, Permissions, on page 35. JasperServer distinguishes between reading or writing a resource in the repository and viewing or editing the internal definition of a resource. For security purposes, granting a user read or write permission on a resource does not allow viewing or editing the resource definition. For example, users need read permission on a data source to run reports that use it, but they cannot view the data sources definition which includes a database password. Only administrators can create, view, or edit the definition of a resource and its internal components. Data-level security defines what data can be retrieved and viewed in a report, based on the username and roles of the user who runs the report. For example, a management report could allow any user to see the management hierarchy, managers would see the salary information for their direct employees, and only human resource managers would see all salary information. Data-level security in Domains is explained in the JasperServer User Guide. Data-level security through analysis views is covered in the JasperAnalysis User Guide.

Organization Scope

Resource Permissions

Administrator privileges

Data-level security

34

Repository Administration

3.2.3

Permissions

Permissions on folders and resources determine what users see in the repository and what actions they are allowed to perform. In the following table, the actions granted for each permission include all of the actions granted for permissions above it, except for the No Access permission. The actions granted for each permission strictly exclude all of the actions granted for permissions below it. Permission No Access Read Only Actions Granted on Repository Folders and ResourcesUsers can never see or access the folder or resource either directly or indirectly. See the folder or resource in any JasperServer dialog See the properties of a folder or a resource Copy a folder and all of its readable contents Copy resources individually or in bulk View (run) a report or dashboard Run a report in the background Schedule a report to run later

Read + Delete

Cut (move) a folder and all of its contents Delete a folder and all of its contents Cut (move) resources individually or in bulk Delete resources individually or in bulk

Read + Write + Delete

Add a subfolder Paste into a folder (copy or cut) Save a new Ad Hoc report or dashboard in a folder Save the output of a scheduled report in a folder Rename a folder or resource and change its description string Open an Ad Hoc report in the Ad Hoc editor or a dashboard in the designer Modify and overwrite an existing Ad Hoc report or dashboard

Administer Administer and ROLE _ADMINISTRATOR

Set the permissions (by role and by user) of a folder or resource Add (create) a resource in a folder Edit a resource (for example, the components of a report unit or a Domain)

Permissions apply to access when browsing or searching the repository, as well as any dialog that accesses the repository, such as when browsing folders to save a report. Note that: Copying does not preserve the permissions on an object.

JasperServer Admin Guide

Documents