This post is about the issue with Jaspersoft Report permissions, basically what happens is that Advance Reporting - Navigate only does not allow to the users to only see/run the reports. Here are the details:
Issue:CLRT-79026 JasperSoft Content Doesn't import Repository with correct permissions, Advance Reporting - Navigate right does not allow to see/run reports
1. Create an access group (ReportAccess) and give all the following permissions (except Advanced Reporting - Administer):- Advanced Reporting - Ad Hoc Create- Advanced Reporting - Dashboard Create- Advanced Reporting - Data Source Create- Advanced Reporting - Domain Create- Advanced Reporting - Navigate- Advanced Reporting - Report Create
2. Then run the "Create and Update Jaspersoft Users"3. Then login with that user and attempt to run a report via Advanced Reporting -> The end-user will not see any reports to click on.4. Then go back into your Access Group (ReportAccess) and add "Advanced Reporting - Administer" -5 . Re-run the "Create and Update Jaspersoft Users" job.6. The end-user is able to see the report library and run reports.
Expected Result: With the CA Clairty PPM Right of "Advance Reporting - Navigate" - users will be able to see and run reports Actual Result: Until the user is granted "Advanced Reporting - Administer" - they cannot see any reports to run
Status (6th of April 2016): This issue was reviewed by Sustaining and Product Management and set to Working as designed.
The Advanced Reporting - Navigate right is designed only to give access to Advanced Reporting link, but not the OOTB reports. This is made to be consistent with the permissions in PPM. The Navigate rights are not view or edit rights. To get the view / edit access, Jaspersoft Administrator has to assign appropriate CSK role to the user.
Reference to the actual descriptions of the Roles :
Connect to page:
CA PPM Advanced Reporting and Database Schema Index - CA Technologies
Scroll down until you see:
CA PPM 14.3 ------ Advanced Reporting Product GuideChapter 10: The 'Advanced Reporting Roles'Solution:1. Connect to Advanced Reporting with a user with Advanced Reporting - Administer right2. Go to Manage - Users - select the user needed3. In the right pane, click the Edit button4. Now select CSK roles from the Roles available list into Roles Assigned. The roles selected will depend on how you would like to configure the permissions, based on the PDF document above.5. When done, hit Save
Your user should now be able to access the reports you granted the permissions for.
Principal Support Engineer
Thanks for sharing this, Nika
Thanks for sharing Nika.
I am trying to restrict access of certain users to only have access to custom reports. For simplicity, these reports are all sitting a dedicated folder. The folder sits under the Reports folder.
I set-up a new Role and added the relevant users to the role. This role has Read-only access to the folder that contains the custom reports.
I tried various combination of access rights at different levels (cppm, reports, etc), the user either see all reports (out of the box plus custom) or none.
Is there any documentation that you have come across on this topic?
Hi Jimmy :
Will you please check the updated solution? This should take care of your issue as well and allow for Custom Reports folders to be defined separately.
Please let me know how it goes.
When I try to access the PDF, it asks for an FTP username and password. Would you know what that would be or can you please place in a publicly accessible location?
Hi Jimmy :
the credentials will be you credentials for CA Support site. Can you try entering those and see if that works? Please let me know -Nika
I just updated the post with the latest status from Sustaining : this issue was defined as being by design, updated the solution as well.
This is in sync with the current implementation on how the Navigate access right work in other parts of CA PPM application.
For example just by providing 'Projects - Navigate' security access right, user is not able to see any of the projects; what he gets is just the Projects link present under the 'Portfolio Management' menu option. Now by clicking on Projects link user can access the Projects list page but he will not get any project instance to view. Similarly, by providing 'Advanced Reporting - Navigate' access right, user will get 'Advanced Reporting' link present under the Home ->Personal menu and by clicking on this link user will be taken to the embedded reporting UI.
Hope this helps!!
Even if you go to that CLRT, the information will not open. the PDF above say cannot open page.. search by CLRT-79026 and get a list of bugs.. cannot get to any details. Can you please post the information here?
So how are users supposed to quickly grant access to their users? If you have several thousand users, who have the ability to run all jobs, what is the best way to bulk add? This article http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec1519137.aspx indicates you have to go to each user to grant a role to run reports (not Ad hoc).. which is not feasible when you have a large number of users. It is also not feasible to have go to each role, and add "all" since new users are added on a regular basis, which causes a lot of overhead.
Are we missing something?
We have the same question. How is it possible to quickly assign specifiv roles to groups of users.
Unfortunately we don't have an automated way to assign rights in jaspersoft like we groups in CA PPM , and needs to be done at user level.
CA is supposed to be helping us get faster, increasing our velocities. This takes us backwards, unless I'm wrong, creating unplanned work.
So, instead of going to one group or role, and adding 'Run' right once, selecting all reports, I must go into every single report and change the permission setting for the one role. What was once a 'change in one place' job is now a 'change in 100 places' job.
Do I have this correct? If not, a link that works, that shows a simpler, faster way of doing this would be appreciated, as the link to the PDF, posted on April 6th, is still not working:
The following URL could not be retrieved: ftp://ftp.ca.com/PMO_Accelerator_Advanced_Reporting_Product_Guide_r14_3.pdf
The proxy server sent the following FTP command:
and then received this reply
550 No such file.
This might be caused by an FTP URL with an absolute path (which does not comply with RFC 1738). If this is the cause, then the file can be found at ftp://ftp.ca.com/%2f/PMO_Accelerator_Advanced_Reporting_Product_Guide_r14_3.pdf.
Our team has found that we can distribute permissions to many Jaspersoft reports, via their folders - modify the permissions at folder level and they cascade to the reports in the folder.
This helps in our instance, where at first we are not yet converted from Crystal to Jaspersoft and we are trying to give a group of core power users access to all reports.
Better than having to edit permissions on every report - thankfully! Hope this helps someone else.
Thank you Dale.
I think it will be worth it to open this as a new idea.
My apologies for the document on the FTP not being accessible, I just corrected the link to include the previous page, this should work.
Hi everyone, interesting thread and usefull for me in this moment. Please, i need and update.
Was it created and/or implemented any function to grant rights on jaspersoft like on CAPPM? using groups.
Yes, in our latest version CA PPM 15.3 with Jaspersoft 6.2.1 it is possible to grant rights from CA PPM using Groups.
Check more on this here:
Release 15.3 Updates (On Premise) - CA PPM - 15.3 - CA Technologies Documentation
Advanced Reporting Changes for Release 15.3
Hope this helps -Nika
Thanks Nika, it helps a lot.
The issue was resolved just on 15.3?; i was checking and my customer environment is on 15.2.
Yes this change was introduced in CA PPM 15.3, which is already released. I'd suggest you work with your customer and see if you can install 15.3 on a Test box and see if it works as you'd like.
Thank you -Nika
Though Nika is correct, please be aware of an issue we found with the new Role Synchronization job. If your group id contains spaces (like some of ours), then the job won't work. Jaspersoft says to use underscores, but CA's job does not recognize this work around.
We have to XOG out our groups, update the id and XOG it back in. However, we can only do this, if we don't have any code that references the group id.
Example if your group id is "Project Managers" the job won't work even if you add the Jaspersoft role of Project_Manager. However, if your group is Project_Managers, or anything without spaces, the job works. The job essentially is adding users to the Jaspersoft role (ie. your group) and then you will need to assign that group to the permissions to the proper folders and/or reports.
Nika, I have an open case on this. Support plans to open a defect. Is CA development aware of this issue? It really needs to be in a patch, as this causes a lot of work (and possibly risk) with customers who have this setup
Thank you Lynn!
It doesn't seem like the defect is open yet, I checked your issue and did not see it. This would mean Engineering is not aware at this point. I'll work with the engineer to get it tested/logged asap.
Yes the engineer scheduled something for next Tuesday saying he needed to meet again in order to log it. I have already walked through it with him and another person. I also went over it with Renee at CA World. She was the one I was advised to tell, as I was going to speak with you or Brian.
In applying this solution, the user would now have visibility to the Admin menu allowing them access to role and user management and the ability to change permissions etc. Is that really the final answer to providing access to reports in Advanced Reporting?
We are on 15.2 (On Prem) and Advanced Reporting was working successfully with the roles of ADHOC_DESIGNER, DASHBOARD_DESIGNER, REPORT_DESIGNER and ROLE_USER, this last week something updated or changed and Resources with those roles can't access reports unless they have the ROLE_ADMINISTRATOR. I don't think it is appropriate for all of our advanced reporting users to have the Administration rights. Am I missing something key in the permissions?
Thanks for your time!
with just navigate rights it won't work. You need to provide Jaspersoft roles based on Folders you would need access. See the technical document
What are the minimum access right(s) required for a CA PPM resource to view jaspersoft Reports?
Thank you for the response. That is helpful. I will have to figure out the Jaspersoft Role Synchronization in 15.3 to see if that can help reduce the administrative tasks for allowing Advanced Reporting access.
Great link Suman