Configuring Business View Security

This document shows how to configure security on business views in a catalog.

In the Catalog Manager, do any of the following:

Expand the desired data source > Security node, right-click on Business View Security and select Edit Business View Security on the shortcut menu. The Edit Business View Security dialog is displayed.
When creating or editing a business view, click Menu > Tools > Security Configuration. The Edit Business View Security dialog is displayed.
When adding or editing a business view element using dialog, switch to the Security tab.

The following is a sample dialog.

Business View Security dialog

In the Users/Groups/Roles panel, click

and select Import from JReport Server from the drop-down menu, then in the Connect to JReport Server dialog specify the information to connect to a started JReport Server to import users, roles, and groups from the server, on which to set the security policy. Make sure that JReport Server has been started and you are an administrator user of JReport Server in order to perform the importing.

You can also click and select Add User, Add Role or Add Group from the drop-down menu to add principals manually in JReport Designer or import them from an XML file, however if you choose to add users, groups and roles via these two ways, in order to make the business view security take effect on JReport Server, the users, groups and roles should have been created in the JReport Server security system before the reports involving the business view security are published to JReport Server.

You can further edit or remove the principals in the User/Group/Role panel.

To edit a user/role/group, select it and click . In the corresponding edit dialog, edit it as required. Changes to server users, roles, and groups will not take effect on JReport Server.
To delete a user/role/group, select it and click .

Notes:

A user from JReport Server cannot be reassigned to (or removed from) a role from the server. Similarly, a role from the server cannot be re-assigned to (or removed from) a user from the server. So, if both users and roles are obtained from the server, you will not be able to change their parental relationships.
You cannot assign a role from the server to a local user created on JReport Designer, while a user from the server can be assigned to a local role.
During importing, if any existing users, roles or groups that came from the server have the same names as those on the server, their properties will be refreshed with new information from the server, for example, role, or group information and parental relationships. However, their permission settings will be reserved. Specially, if a user from the server has been assigned to any roles defined in Designer, then these roles will be reserved in its member list.

Select one or more users/roles/groups in the principal box. You can use the quick search box to search for the required principals. If you want to select all users, roles or groups at a time, click

and then select the corresponding item from the drop-down menu.

In the Resources box, select one or more view elements. You can also use the quick search box to locate the required ones, or click

and select an item from the drop-down menu to select all the detail objects, group objects, aggregation objects, or categories in business views of the current catalog data source at a time.

In the Security Options box, uncheck the Use Default option so as to customize the data security and resource security for the selected view elements. If you want to use the default security settings of the selected elements, make the option checked.

When only one principal and one view element is selected, after you finish defining the data security and resource security, you can save the current security settings as the element's default security settings by clicking the Set as Default button.

In the Data Security box, specify whether the selected principals can access the values of the selected view elements.

In the Resource Security box, specify whether you want the selected view elements to be visible to the principals.

If only a group object is selected in step 4, you can further specify which members of the group object are allowed and which are denied for the principals in the Data Security box.

Click above the Allowed Set or Denied Set box. The Edit Values dialog appears.
Choose a way of specifying the members: select members from the available list, or compose an expression to retrieve members. Only one can be used.
- To select members, first check the Selected Values radio button.
  If you would like all the possible members of the group object to be selected, select <All>.
  
  If you just want to select some of the members, leave <All> unchecked. Add them one by one by selecting one and then clicking . You can make use of the quick search toolbar to search for the required members.
- To compose an expression, check the Expression radio button, then click . The Edit Conditions dialog appears.
  
  Click the Add Condition button to add a condition line. Choose the operator with which to compose the condition expression from the operator drop-down list. From the value drop-down list, specify the value of how to build the condition. You can also type in the value manually. Click Add Condition to add more condition lines and define the relationship between the condition lines.
  
  To make some conditions grouped, select them and click the Group button, then the selected conditions will be added in one group and work as one line of filter expression. Conditions and groups together can be further grouped. To take any condition or group in a group out, select it and click Ungroup.
  
  To adjust the priority of the conditions, select it and click the Up or Down button.
  
  To delete a condition line, select it and click the Delete button.
Click OK to save the values.
If users are selected, check whether the unspecified members of the group object are available to the users.

See Permission Logic on Group Objects for details about the permission logic between allowed set, denied set and unspecified members.

Repeat steps 3 to 8 to customize other principals' permissions on the view elements.

When finished, click OK in the dialog.

Save the catalog.

When you save the catalog, the permission settings are also saved and they are saved in an authorization file in the same folder as the catalog file. The catalog and authorization files have the same file name but different extensions, for example, if the catalog file is test.cat, the authorization file will be named test.auth. The authorization file is loaded by the view authorization manager of its catalog during runtime.

See also Edit Business View Security dialog for addition information about options in the dialogs.

Note: When a catalog with business view security is published to JReport Server, only the principals on the server which match the principals defined in the business view security will maintain the business view security setting. When a principal is deleted from the server security system, the related business view security setting in all catalogs will be removed.

Importing/exporting security information from/to external XML files

You can import or export your security information from/to external XML files (*.acl.xml). While if you want to use XML security information, you must first purchase a special license. For more information, contact Jinfonet Support (support@jinfonet.com).

To import the security information from an XML file, click

in the User/Group/Role panel and then select Import from File from the drop-down menu. In the Open an xml file dialog, select the XML file that contains the required security information and then click Open.

To export the security information to an XML file, click

in the User/Group/Role panel. In the Save dialog, specify the name of the file and the location where to save it, then click Save.

The security information contained in the XML file is shown as follows:

You can create your own XML format security information files according to the above structure. However, the best way to generate an XML security information file is to use the Security dialog. With this dialog, you can edit the security information, and then export it to an external XML file.

For example, if the simple security policy has been set up as follows:

USER
User Name:	d_d_u1
Belongs to Role:	d_d_r1
Permissions:	(@"Customer ID">=5 AND @"Customer ID"<=10) AND @"YTD Sales"<=65000
ROLE
Role Name:	d_d_r1
Belongs to User:	d_d_u1

USER

User Name:

d_d_u1

Belongs to Role:

d_d_r1

Permissions:

(@"Customer ID">=5 AND @"Customer ID"<=10) AND @"YTD Sales"<=65000

ROLE

Role Name:

d_d_r1

Belongs to User:

d_d_u1

The corresponding XML code would be:

<ACL version="1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

               <ACLEntry>

                   <User>

                      <Roles>d_d_r1</Roles>

                      <UserName>d_d_u1</UserName>

                      <SourceName>UserDefined</SourceName>

                   </User>

                  <Permission>

                      <PermissionType>RLS</PermissionType>

                      <PermissionName>visible</PermissionName>

                      <Policy>

                          <SCGroup>

                              <AndCondition>

                                <logic>AND</logic>

                                <Left>@&quot;Customer ID&quot;</Left>

                                <operator>&gt;=</operator>

                                <Right>5</Right>

                              </AndCondition>

                              <AndCondition>

                                <logic>AND</logic>

                                <Left>@&quot;Customer ID&quot;</Left>

                                <operator>&lt;=</operator>

                                <Right>10</Right>

                              </AndCondition>

                          </SCGroup>

                          <SCGroup>

                              <AndCondition>

                                <logic>End</logic>

                                <Left>@&quot;YTD Sales&quot;</Left>

                                <operator>&lt;=</operator>

                                <Right>65000</Right>

                              </AndCondition>

                          </SCGroup>

                      </Policy>

                  </Permission>

               </ACLEntry>

               <ACLEntry>

                   <Role>

                      <RoleName>d_d_r1</RoleName>

                      <Users>d_d_u1</Users>

                      <SourceName>UserDefined</SourceName>

                   </Role>

                  <Permission>

                      <PermissionType>RLS</PermissionType>

                      <PermissionName>visible</PermissionName>

                      <Policy></Policy>

                  </Permission>

               </ACLEntry>

            </ACL>