Member-level security

Member-level security (MLS) enables report designers to limit user access to the specific members of groups in business views. By defining which members of a group are available to which users, groups, or roles, report results are created for each user, role and group. When a user accesses a report, JReport checks the user, group and role of the user and merges the data in the report the user is authorized to see and displays it to the user.

The relationship between a principal (user, role or group) and the members of a group are classified into three groups:

• Allowed Set
  The members of a group visible to a principal, which are directly specified to the principal, excluding those inherited from the parent roles or groups.
• Denied Set
  The members of a group invisible to a principal, which are directly specified to the principal, excluding those inherited from the parent roles or groups.
• Unspecified members
  The members of a group that are not specified in a user's allowed/denied set or in the inherited allowed/denied set from the user's parent roles/groups. Report designer can determine whether the unspecified members are visible to a user.

A principal can have its own allowed/denied set and inherit the allowed/denied sets from its parent roles or groups. The parent allowed/denied sets will be calculated first and it is a recursive process.

See also Member-level security in the JReport Designer User's Guide for more about member-level security and how to set up the policy in JReport Designer.