Restrict Menu items by Role in Jasper Server

Restrict Menu items by Role in Jasper Server

We can use role-based customizations to control access to menus. The example here shows how to control access to menu items.

In this example scenario, we wish to hide Create Report, Dashboard, Domain & Data Source from roles other then ROLE_ADMINISTRATOR and ROLE_HRIS. So, these menu items would only be accessible to ROLE_ADMINISTRATOR and ROLE_HRIS.


  • Edit the file <js-webapp>/WEB-INF/actionModel-navigation.xml. The actionModel for Create > Ad Hoc View is near the end of the file.
 <context name="main_create_mutton" test="isProVersion">
  <condition test="!banUserRole">
    <condition test="!isMainFeaturesDisabled">
        <selectAction labelKey="NAV_005_CREATE">
            <condition test="isAvailableProFeature" testArgs="AHD">
                <option labelKey="NAV_051_ADHOC_REPORT" action="primaryNavModule.navigationOption"
                <condition test="checkAuthenticationRoles" testArgs="ROLE_ADMINISTRATOR,ROLE_HRIS|organization_1">
                <option labelKey="NAV_057_REPORT" action="JRS.CreateReport.selectADV"
            <condition test="isSupportedDevice">
                <condition test="isAvailableProFeature" testArgs="DB">
                <condition test="checkAuthenticationRoles" testArgs="ROLE_ADMINISTRATOR,ROLE_HRIS|organization_1">
                    <option labelKey="NAV_050_DASHBOARD" action="primaryNavModule.navigationOption"
                <condition test="isAvailableProFeature" testArgs="AHD">
                    <condition test="checkAuthenticationRoles" testArgs="ROLE_ADMINISTRATOR,ROLE_HRIS|organization_1">
                        <option labelKey="NAV_056_DOMAIN" action="primaryNavModule.navigationOption"
                        <option labelKey="NAV_058_DATA_SOURCE" action="primaryNavModule.navigationOption"

  • Save the file after making changes.
  • Restart Jasper server.
  • Login as user with role other than ROLE_ADMINISTRATOR and ROLE_HRIS. You can see that the menu item to Create Report, Dashboard, Domain & Data Source is removed, and user can only see Create Ad-hoc view as menu item. Log out and log back in as admin or HRIS user. All menu items are visible to administrators and HRIS user.


In commercial editions, you must specify the role’s organization ID when restricting access to roles defined in an organization. There are three ways to specify a role in the commercial edition:

  • ORG_ROLE|orgID – Explicitly specify a role belonging to an organization
  • ORG_ROLE|* – Match the role name in any organization in the user’s scope (parent organizations and root).
  • SYSTEM_ROLE – Explicitly specify a role defined at the root or system level, such as ROLE_ADMINISTRATOR.

Domain Security in a Jasper Reports Server’s Multi-tenant Environment

Domain Security in a Jasper Reports Server’s Multi-tenant Environment

Create two tenants/organizations CA & WA

1. Log on Jasper report’s server as superuser.
2. Navigate to Manage > Organizations.
3. Click on ‘Add Organization’ button.
4. Enter valid organization name and id

  • CA as Organization Name (you can give ‘California’ as Organization Name)
  • CA as Organization ID

Click on Add Organization button.


5. Repeat step 3 to4 to add ‘WA’ as another Organization.

At the end of step 5, two organizations are added to root as shown below:


Create two users CA_Manager & WA_Manager

1. Navigate to Manage > Users
2. Select CA organization from left panel.
3. Click on Add User button.
4. Enter details as shown in the figure below

User name: CA_Manager
User ID: Manager
Password: Manager


5. Click on ‘Add User to CA’ button.The user CA_Manager is now added to CA Organization.


7. Again click on Add User button to add another user.
8. Enter following details

User name: WA_Manager
User ID: Manager
Password: Manager

9. Click on ‘Add User to WA’ button.The user WA_Manager is now added to WA Organization.

We have added two users CA_Manager & WA_Manager to CA & WA organizations respectively. See figure given below:


Implementing row level & column level security in Domain

Initial setup

For demo I’m using Supermart Domain which is already in Jasper Report’s server.

  • Log on jasper report’s server as superuser.
  • Copy ‘Analysis Components’ & ‘Domains’ folders and Paste them in CA &WA organizations.
  • Make sure that in CA, the Supermart Domain in Domains folder should use ‘/organizations/CA/analysis/datasources/FoodmartDataSourceJNDI’ as datasource.
  • Similarly in WA, Supermart Domain in Domains folder should use ‘/organizations/WA/analysis/datasources/FoodmartDataSourceJNDI’ as datasource.
  • Set appropriate permissions for ROLE_SUPERMART_MANAGER in CA & WA organizations so that the user that belongs to CA & WA can access Supermart Domain.

Editing domain security file

  1. Log on jasper report’s server as superuser.
  2. Navigate to ‘/organizations/CA/Domains/supermartDomain’ in repository.
  3. Edit Supermart domain.
  4. Change security file with the updated domain security file. The contentof the file is given below. please, check the comments to understand how row level and column level security are implemented.
<securityDefinition xmlns="" version="1.0" itemGroupDefaultAccess="granted">

<!-- For multi-tenancy demo. 
    Assumes state abbreviations are used for the Organization ID (tenantId).
      Organization Names : CA, WA
      Organization IDs (tenantId) : CA, WA  (tenantId maps to the values held in store_state)

<!-- Row level grants -->
    <resourceAccessGrantList id="sales_join_resource_access_grant" label="aLabel" resourceId="sales_join">
            <resourceAccessGrant id="sales_join_ROLE_SUPERMART_TENANTID_row_grant">
                <principalExpression>authentication.principal.tenantId != null</principalExpression>
                <filterExpression>store1.store_state in (groovy('authentication.principal.tenantId.toUpperCase()'))</filterExpression>

<!-- Column level grants -->

<!--Only ROLE_ADMINISTRATOR & ROLE_HR can access salary field-->

    <itemGroupAccessGrantList id="restrictedHR__salary" label="aLabel" itemGroupId="salary" defaultAccess="denied">
            <itemGroupAccessGrant id="restrictedHR__salary__grant1" access="granted">
                <principalExpression>authentication.getPrincipal().getRoles().any{ it.getRoleName() in ['ROLE_ADMINISTRATOR','ROLE_HR'] }</principalExpression>

<!--ROLE_SUPERMART_MANAGER can partially access 'Employee Private' item group. That means it can access 'Min Scale' & 'Max Scale' but can not access 'Salary' from the item group. Where as, ROLE_ADMINISTRATOR & ROLE_HR can completely access 'Employee Private' item group
    <itemGroupAccessGrantList id="restrictedHR__employee__employee_private" label="aLabel" itemGroupId="employee__employee_private" defaultAccess="denied">
            <itemGroupAccessGrant id="restrictedHR__employee__employee_private__grant1" access="granted">
                <principalExpression>authentication.getPrincipal().getRoles().any{ it.getRoleName() in ['ROLE_SUPERMART_MANAGER'] }</principalExpression>
                    <itemAccessGrantList id="restrictedHR__employee__employee_private__grant1__items" defaultAccess="denied">
                            <itemAccessGrant id="restrictedHR__employee__employee_private__grant1__items__grant1" itemId="employee__employee_private__min_scale" access="granted" />
                            <itemAccessGrant id="restrictedHR__employee__employee_private__grant1__items__grant2" itemId="employee__employee_private__max_scale" access="granted" />

            <itemGroupAccessGrant id="restrictedHR__employee_private__grant1" access="granted">
                <principalExpression>authentication.getPrincipal().getRoles().any{ it.getRoleName() in ['ROLE_ADMINISTRATOR','ROLE_HR'] }</principalExpression>





5. Click on submit button to save the changes.


Row Level Security

  • On logging in as a jasperadmin you will be able to data of all states data from Sales dataset(as shown in the figure below) because there is no row level restriction for ROLE_ADMINISTRATOR.
  • Logging in as Manager in CA organization you’ll be only able to access data which belongs to CA State.
  • Logging in as Manager in WA organization you’ll be only able to access data which belongs to WA State.
Ad-hoc Views

Ad-hoc Views

Column Level Security

  • Jasperadmin will be able to access all fields/columns in Employees dataset because there is no column level restriction for ROLE_ADMINISTRATOR.
  • Only jasperadmin can access salary field. CA_Manager & WA_Manager cannot access Salary column.
  • CA_Manager & WA_Manager can partially access ‘Employee Private’ column group. That means they can access ‘Min Scale’ & ‘Max Scale’ columns but cannot access ‘Salary’ column from the group. Whereas, jasperadmin has complete access to ‘Employee Private’ column group.


This is how row level & column level security can be implemented in domain in a multi-tenant environment.


Archana Verma