Index

Security Management

Security Overview

JReport Enterprise Server provides a security system for you to set up and maintain security on the server and protect the resources on the server from inappropriate access by users.

The below diagram illustrates the inherited relationship among User, Group and Role.

To help you accomplish these goals, JReport Enterprise Server offers the following security features:

Realm
Realm is an abstract security concept, which hosts the resources and authentication entities on JReport Enterprise Server. There can be more than one realm on the server and every realm is independent from others.

At runtime, only one realm can be active and only the users and resources in the active realm are accessible. A realm is identified by a unique name, which can contain any characters other than forward slash (/) and backward slash (\).

The authentication entities consist of user accounts, group accounts and role accounts.

User
To use JReport Enterprise Server, you must have a user account, which consists of a unique user name and a password. JReport Enterprise Server verifies your identity when you type your user name and your password and then log on. If your user account has been disabled or deleted, JReport Enterprise Server prevents you from accessing the web services that JReport Enterprise Server provides, in order to ensure that only valid users have access.

JReport Enterprise Server comes with two built-in user accounts, which are admin and guest. The built-in user accounts cannot be deleted. The Admin user account can neither be deleted nor disabled.

Group

The principle group, which represents an organization of user accounts, is available for managing users. Users or groups can be added into a group as its sub-members, and therefore inherit the resource and folder permissions from the group.

Role

Users must have certain user rights and permissions to perform tasks on certain resources. Roles, which represent aggregate of permissions, help you efficiently assign those user rights and permissions to users. Assigning one or more roles to users gives the users all of the user rights and permissions the roles have to perform their jobs with. A role can also be assigned to other groups or roles, and hence the groups or roles will inherit the permissions that the role has.

JReport Enterprise Server comes with two built-in role accounts, which are administrators and everyone. The built-in role accounts cannot be deleted. The administrators role account can neither be deleted nor disabled.

Note: Circles formed by the inheriting lines should be avoided, namely, there shouldn't be any group or role appearing in an inheriting line twice, because a group or role cannot hold its parent member as its sub member.

See the diagram above, group/role A cannot be the sub-group/role of group/role B (or C, D), because group/role A is their progenitor.

Permission
Permissions, associated with resources and folders, are the rules that are granted to users to control their access to resources and folders.

Permissions in JReport Enterprise Server include:

Permission	Description
Visible	Allows or denies viewing object names in the resource tree or version table, such as folders, resources, and archive versions.
Read	Allows or denies viewing object properties, versions, and, if it is a folder, folder content.
Write	Allows or denies deploying folders and resources, changing the properties (not including permission settings) of the objects in the resource tree or version table, such as folders, resources, and archive versions, and modifying version table settings.
Delete	Allows or denies deleting objects in the resource tree or version table, such as folders, resources, and archive versions.
Execute	Allows or denies running resources in normal and advanced mode (Report type resources only).
Schedule	Allows or denies submitting resources to schedules (Report type resources only).
Grant	Allows or denies granting permissions to other users, groups or roles.

Notes:

• Security permissions do not apply to the built-in version folders, My Resource folder, and their contents.
• To complete a task, you may need to have more than one permission, for example, to view the properties of a report, you must have both the Visible and Read permissions.
• Some permissions depend on other permissions to work, such as Write, Execute, and Schedule, allow anyone of them will allow the Read permission.
• Some special permissions, such as Execute and Schedule, only applies to the report type resource.
• Only members in the Admin role can offer the Grant permission to other users or groups or roles. The users or groups or roles that are given the Grant permission can grant only the other six permissions - Visible, Read, Write, Delete, Execute, and Schedule.
• The users that are given the Grant permission can grant other users in the same group.

Managing Realms

To manage realms, you must be a member of the administrators role to access the administration pages.

Create a new realm

To create a new realm,

1. Log on to JReport Enterprise Server using the administration port, which is 8889 by default.
2. Click Security on the top banner, click Realm.
3. Click Create a New Realm.
4. Type a name for the realm.
5. Select an authentication mode as the scheme, and then click OK.
   
   Basic Authentication uses Base64 encode method. The re-conversion is easy. Digest Authentication uses MD5 digest method and its re-conversion is impossible.

When a new realm is created, it will be assigned with the built-in users and groups, default resource tree, and so on. Please remember to activate the correct realm before letting clients visit this realm.

Activate a realm

The realm must be activated before its content, such as resources, users, groups, and roles, can be accessed by the client users. There must be one realm, and should be the only one, that is active at any time.

To activate a realm,

1. Log on to JReport Enterprise Server using the administration port, which is 8889 by default.
2. Click Configuration on the top banner, click Service.
3. Select the realm you want to activate from the Activated Realm drop-down list.
4. Click OK, and then restart JReport Enterprise Server for the changes to take effect.

Manage the users, groups and roles in an inactive realm

The users, groups and roles are available only when the realm they belong to is active. However, the users, groups and roles in the inactive realm still can be managed by the users in the administrators role.

To manage the users, groups and roles in an inactive realm,

1. Log on to JReport Enterprise Server using the administration port, which is 8889 by default.
2. Click Security on the top banner, click Realm.
3. Click Select to select the realm you want to manage.
   
   All the realms on JReport Enterprise Server are in the Realm List table. The State column shows the status of the realms. The Active Realm is marked as Active Realm. The selected realm is marked as Selected Realm. If the realm is both active and selected, it will be marked as Active Realm.
4. Click the User, Group or Role tab to manage the selected realm.

The information of the users, groups and roles that are in the selected realm is listed on the User, Group and Role tab.

Delete a realm

To delete a realm,

1. Log on to JReport Enterprise Server using the administration port, which is 8889 by default.
2. Click Security on the top banner, click Realm.
3. Click Delete to remove the realm you want to delete.

Managing User Accounts

To manage user accounts, you must be a member of the administrators role to access the administration pages.

Create a new user account

To create a new user account,

1. Log on to JReport Enterprise Server using the administration port, which is 8889 by default.
2. Click Security on the top banner, click User.
3. Click Create a New User.

Modify an existing user account

To modify an existing user account,

1. Log on to JReport Enterprise Server using the administration port, which is 8889 by default.
2. Click Security on the top banner, click User.
3. Click the name of the user you want to modify.

Add a role to a user

A user can play with more than one role. A user that holds multiple roles have all the privileges that the roles have.

To add a role to a user,

1. Log on to JReport Enterprise Server using the administration port, which is 8889 by default.
2. Click Security on the top banner, click User.
3. Click the corresponding Edit Role(s) link.

Add a user to a group

A user can play under more than one group. A user that belongs to multiple groups has all the privileges that the groups have.

To add a user to a group,

1. Log on to JReport Enterprise Server using the administration port, which is 8889 by default.
2. Click Security on the top banner, click User.
3. Click the corresponding Edit Group(s) link.

Audit a specific user

You can audit a user and record user access and management information in the log files.

To audit a user,

1. Log on to JReport Enterprise Server using the administration port, which is 8889 by default.
2. Click Security on the top banner, click User.
3. Click the corresponding Auditing link.

Change password for a user

To change the password for a user,

1. Log on to JReport Enterprise Server using the administration port, which is 8889 by default.
2. Click Security on the top banner, click User.
3. Click the corresponding Change Password link.

Delete a user account

To delete a user,

1. Log on to JReport Enterprise Server using the administration port, which is 8889 by default.
2. Click Security on the top banner, click User.
3. Find the user you want to delete, and then click the corresponding Delete link.

Note:

Built-in user accounts, such as admin and guest, and users that hold the other roles than the everyone role or that belong to any group, cannot be deleted. A user cannot delete himself from the user list.

Managing Groups

To manage groups, you must be a member of the administrators role to access the administration pages.

Create a new Group

To create a new group,

1. Log on to JReport Enterprise Server using the administration port, which is 8889 by default.
2. Click Security on the top banner, click Group.
3. Click Create a New Group.

Edit members of a Group

You can edit members of a group, such as adding a new member, or removing a member from the group.

To edit the members in a group,

1. Log on to JReport Enterprise Server using the administration port, which is 8889 by default.
2. Click Security on the top banner, click Group.
3. Click the corresponding member(s) link.

Notes:

• A group can have more than one sub members and parent members.
• A parent member cannot be added to the current group as its sub member.

Delete a Group

To delete a role,

1. Log on to JReport Enterprise Server using the administration port, which is 8889 by default.
2. Click Security on the top banner, click Group.
3. Find the role you want to delete, and then click the corresponding Delete link.

Note: Groups that are not empty, namely, having sub members or parent members, cannot be deleted.

Managing Roles

To manage roles, you must be a member of the administrators role to access the administration pages.

Create a new role

To create a new role,

1. Log on to JReport Enterprise Server using the administration port, which is 8889 by default.
2. Click Security on the top banner, click Role.
3. Click Create a New Role.

Edit members of a role

You can edit members of a role, such as adding a new user or role, or removing a member from the role.

To edit the members in a role,

1. Log on to JReport Enterprise Server using the administration port, which is 8889 by default.
2. Click Security on the top banner, click Role.
3. Click the corresponding member(s) link.

Notes:

• A role can have more than one sub-groups, sub-roles and parent roles.
• A parent role cannot be added to the current role as its sub-role.
• Some members cannot be removed from the role it belongs to, such as admin in the administrators role, guest in the everyone role. The current user cannot remove himself from the administrators role.

Delete a role

To delete a role,

1. Log on to JReport Enterprise Server using the administration port, which is 8889 by default.
2. Click Security on the top banner, click Role.
3. Find the role you want to delete, and then click the corresponding Delete link.

Note:

Built-in roles, such as administrators and everyone, and roles that are not empty, cannot be deleted.

Assigning Permissions

Permissions, associated with resources and folders, are the rules that are granted to users to control their access to resources and folders.

How inheritance affects resource and folder permissions

After you set permissions on a parent folder, new resources and subfolders created in the folder inherit these permissions. If you do not want them to inherit permissions, enable their user permissions and set their permissions separately. The resources and folders will inherit permission from their parent folder if their user permissions are not enabled.

Change resource and folder permissions

To set, view, change, or remove resource and folder permissions,

1. Log on to JReport Enterprise Server, locate the resource or folder for which you want to set permissions.
2. Click Properties in the Control column, and then check Enable User Permissions, if necessary.
3. Do one of the following:
   
   To set up or change permissions for a user, group, or role, select the user, group, or role from the User , Group , or Role drop-down list. Check or uncheck each permission you want to allow or deny, if necessary.
   
   To remove resource and folder permissions for all the users, groups and roles, uncheck Enable User Permissions.

Index