SSP v2.X Report Permissions Adjustment
Instructions to Adjust the Permissions for Reports
Updated: 4/12/2016
Purpose: By default, Reports are granted to the Administrator and Developer roles. Some implementers would like to create a separate role for users to access Reports only. The instructions below describe how to create a custom security group to manage permissions. The group is separate from other roles and will need to be added to users either manually or mapped in PAGSGroupStoreConfig if using LDAP. When adding it manually, note that existing permissions may have to be assigned to the user depending on the level of access desired. It's best to Impersonate the user when finished to make sure everything works properly.
The next 3 steps apply this Reports Role addition only to a single database via the UI. If you wish to hard-code the new Reports Role, and commit it back to your code repository, skip the next 3 steps and see Step 6 at the bottom of this guide.
Create a Custom Security Group (or Optional Step 6)
- As a super user, navigate to Manage Users -> Manage groups
- Click "Groups of People"
- Click the "SSP Roles" group
- You should see a list of SSP_* groups. Click the green "plus" icon above that list
- Click the Next button at the bottom
- Click "Create Member Group"
- Name: SSP_REPORTS
- Description: SSP Reports access only
- Click the Next button in the lower right corner
- Click the Save button in the lower left corner
Add Permissions to the Reports Custom Security Group (or Optional Step 6)
1. As a super user, navigate to Manage Users
2. Choose Manage permissions
3. Use Ctrl+F to find the "REPORT_READ" permission. Click it.
4. Click "Add an Assignment"
5. You'll get an unlabeled input field with instructions to select a target. Type "All permissions".
6. Click the "Submit" button
7. Click "Choose Principals"
8. Click the "SSP Roles" group, then the "SSP_REPORTS" group
9. Click the green "plus" icon above that list, next to "SSP_REPORTS". That group should appear in the right hand panel with a green "checkmark" icon.
10. Click "Submit"
11. You should see the permission granting tree view from d/e, but with the SSP_REPORTS group now present, with an "Inherit (Deny)" grant.
12. Change that to "Grant". The change will be applied immediately. There is no form submission button.
13. Repeat steps 3-12 for the REFERENCE_READ and PERSON_READ permissions
Add Users to the Reports Custom Security Group (or Optional Step 6)
1. As a super user, navigate to Manage Users -> Manage groups -> Groups of People
2. Click the "SSP Roles" group, then the "SSP_REPORTS" group
3. Click the green "plus" icon above that list
4. Click the Next button
5. Click the "Edit Members" link on the far right side of the page
6. Search by username for the user to be added to the SSP_REPORTS group
7. Choose the user in the results list
8. After you click the searched-for user, the username should appear in the right hand panel with a green "checkmark" icon.
9. Click "Save"
10. The username should appear under the "Members" header.
11. Click "Done" or repeat the process starting at #5 to add more users to the group
Changing the Layout for Report Access
This step adds the "Reports" navigation link to the SSP_REPORTS group's layout. It involves modifying source code.
Step 1: In the SSP-Platform checkout edit this file: uportal-war/src/main/data/ssp_entities/patches-SSP-1-2-0/SSP-698/fragment-definition/my-gps-lo.fragment-definition.xml to change the "/fragment-definition/fragment@precedence" attribute to "15". This will ensure the MyGPS portlet navigation link appears after the Reports navigation link so members of SSP_REPORTS aren't always automatically sent to the MyGPS UI.
<dlm:fragment name="MyGPS" ownerID="my-gps-lo" precedence="15">
To import this file, run the command below from the command line within your checkout. For -Denv=<env>, <env> should be the prefix of the properties file in ./filters/ that defines configuration for this particular environment, e.g. -Denv=test or -Denv=dev. This command assumes *nix. If you're on Windows, you probably just set SSP_CONFIGDIR as a global env var, so it doesn't need to be specified here. Command:
    %> SSP_CONFIGDIR=/path/to/your/ssp/config/dir ant -Dmaven.test.skip=true -Denv=<env> -Dfile=uportal-war/src/main/data/ssp_entities/patches-SSP-1-2-0/SSP-698/fragment-definition/my-gps-lo.fragment-definition.xml data-import
Step 2: In your SSP-Platform checkout edit this file: uportal-war/src/main/data/ssp_entities/portlet-definition/SSP_Reports.portlet-definition.xml to add a new /portlet-definition/group element. This will ensure the portlet will be allowed to render to members of the SSP_REPORTS group. After the file is edited, import the edited file.
    <group>SSP_REPORTS</group>
So the complete set of <group>s should resemble:
    <group>SSP_ADMINISTRATOR</group>
    <group>SSP_COACH</group>
    <group>SSP_DEVELOPER</group>
    <group>SSP_MANAGER</group>
    <group>SSP_SUPPORT_STAFF</group>
    <group>SSP_REPORTS</group>
To import this file, run the command below from the command line within your checkout. For -Denv=<env>, <env> should be the prefix of the properties file in ./filters/ that defines configuration for this particular environment, e.g. -Denv=test or -Denv=dev. This command assumes *nix. If you're on Windows, you probably just set SSP_CONFIGDIR as a global env var, so it doesn't need to be specified here. Command:
    %> SSP_CONFIGDIR=/path/to/your/ssp/config/dir ant -Dmaven.test.skip=true -Denv=<env> -Dfile=uportal-war/src/main/data/ssp_entities/portlet-definition/SSP_Reports.portlet-definition.xml data-import
Step 3: In your SSP-Platform checkout edit this file: uportal-war/src/main/data/ssp_entities/fragment-definition/ssp-reports-lo.fragment-definition.xml to add this line <attribute mode="deepMemberOf" name="SSP_REPORTS"/>. After the file is edited, import the edited file.
    <fragment-definition xmlns:dlm="http://org.jasig.portal.layout.dlm.config" script="classpath://org/jasig/portal/io/import-fragment-definition_v3-1.crn">
      <dlm:fragment name="SSP-Reports" ownerID="ssp-reports-lo" precedence="20">
        <dlm:audience evaluatorFactory="org.jasig.portal.layout.dlm.providers.GroupMembershipEvaluatorFactory">
          <paren mode="OR">
            <attribute mode="deepMemberOf" name="SSP_ADMINISTRATOR"/>
            <attribute mode="deepMemberOf" name="SSP_DEVELOPER"/>
            <attribute mode="deepMemberOf" name="SSP_SUPPORT_STAFF"/>
            <attribute mode="deepMemberOf" name="SSP_REPORTS"/>
          </paren>
        </dlm:audience>
      </dlm:fragment>
    </fragment-definition>
To import this file, run the command below from the command line within your checkout. For -Denv=<env>, <env> should be the prefix of the properties file in ./filters/ that defines configuration for this particular environment, e.g. -Denv=test or -Denv=dev. This command assumes *nix. If you're on Windows, you probably just set SSP_CONFIGDIR as a global env var, so it doesn't need to be specified here. Command:
    %> SSP_CONFIGDIR=/path/to/your/ssp/config/dir ant -Dmaven.test.skip=true -Denv=<env> -Dfile=uportal-war/src/main/data/ssp_entities/fragment-definition/ssp-reports-lo.fragment-definition.xml data-import
Step 4: Clear caches
- Log in to the application as a super user and expand the flyout menu in the top right and select "Platform Administration"
- Click "Manage Cache instances"
- Click "Empty All Caches"
- Click "Empty All Caches" (again)
(Optional) Step 5: If you use LDAP mapping of SSP Roles, in your SSP-Platform checkout edit this file: uportal-war/src/resources/properties/groups/PAGSGroupStoreConfig.xml and add this line <member-key>SSP_REPORTS</member-key> in the "Roles" section near the top and add a new group farther down. It would look something like this:
    <!-- Roles -->
    <member-key>SSP_ADMINISTRATOR</member-key>
    <member-key>SSP_COACH</member-key>
    <member-key>SSP_DEVELOPER</member-key>
    <member-key>SSP_FACULTY</member-key>
    <member-key>SSP_MANAGER</member-key>
    <member-key>SSP_SUPPORT_STAFF</member-key>
    <member-key>SSP_STUDENT</member-key>
    <member-key>SSP_MAP_TEMPLATE_ADMIN</member-key>
    <member-key>SSP_REPORTS</member-key>
    <!-- Special Permissions -->
and this:
    <!--==================== SSP Groups (permissions) ======================= -->
    <group>
      <group-key>SSP_ADMINISTRATOR</group-key>
      <group-name>(is) SSP_ADMINISTRATOR</group-name>
      <group-description>Users with an appropriate value in their SSP_ROLES attribute.</group-description>
      <selection-test>
        <test-group>
          <test>
            <attribute-name>SSP_ROLES</attribute-name>
            <tester-class>org.jasig.portal.groups.pags.testers.StringEqualsTester</tester-class>
            <test-value>SSP_ADMINISTRATOR</test-value>
          </test>
        </test-group>
      </selection-test>
    </group>
    <group>
      <group-key>SSP_REPORTS</group-key>
      <group-name>(is) SSP_REPORTS</group-name>
      <group-description>Users with an appropriate value in their SSP_ROLES attribute.</group-description>
      <selection-test>
        <test-group>
          <test>
            <attribute-name>SSP_ROLES</attribute-name>
            <tester-class>org.jasig.portal.groups.pags.testers.StringEqualsTester</tester-class>
            <test-value>SSP_REPORTS</test-value>
          </test>
        </test-group>
      </selection-test>
    </group>
Replace the value between the "test-value" tags with the value you wish to match in LDAP.
Finally, shut down SSP/Tomcat, re-deploy SSP-Platform with the command below, and afterwards restart for the change to be complete.
To deploy, run the command below from the command line within your checkout (for -Denv=<env>, <env> should be the prefix of the properties file in ./filters/ that defines configuration for this particular environment, e.g. -Denv=test or -Denv=dev). This command assumes *nix. If you're on Windows, you probably just set SSP_CONFIGDIR as a global env var, so it doesn't need to be specified here. Command:
    %> SSP_CONFIGDIR=/path/to/your/ssp/config/dir ant -Dmaven.test.skip=true deploy-ear
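A consistency check for the edits in Steps 1-3 and 5, useful before importing or deploying. This is an added example, not SSP or uPortal project code. The embedded XML is constructed and trimmed from the snippets above, the `<store>` wrapper is made up, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = 'xmlns:dlm="http://org.jasig.portal.layout.dlm.config"'
DLM = "{http://org.jasig.portal.layout.dlm.config}"

# Constructed, trimmed stand-ins for the files edited in Steps 1-3 and 5.
MYGPS = f'<fragment-definition {NS}><dlm:fragment name="MyGPS" precedence="15"/></fragment-definition>'
REPORTS = (f'<fragment-definition {NS}><dlm:fragment name="SSP-Reports" precedence="20">'
           '<dlm:audience><paren mode="OR">'
           '<attribute mode="deepMemberOf" name="SSP_ADMINISTRATOR"/>'
           '<attribute mode="deepMemberOf" name="SSP_REPORTS"/>'
           '</paren></dlm:audience></dlm:fragment></fragment-definition>')
PORTLET = ('<portlet-definition><group>SSP_ADMINISTRATOR</group>'
           '<group>SSP_REPORTS</group></portlet-definition>')
PAGS = ('<store><member-key>SSP_REPORTS</member-key>'  # <store> is a made-up wrapper
        '<group><group-key>SSP_REPORTS</group-key><selection-test><test-group><test>'
        '<attribute-name>SSP_ROLES</attribute-name><test-value>SSP_REPORTS</test-value>'
        '</test></test-group></selection-test></group></store>')

def precedence(xml_text):
    return float(ET.fromstring(xml_text).find(DLM + "fragment").get("precedence"))

def audit(mygps, reports, portlet, pags=None, role="SSP_REPORTS"):
    """Return a list of problems; an empty list means the edits agree."""
    problems = []
    # Step 1: the page lowers MyGPS to 15 so it sorts after SSP-Reports (20).
    if precedence(mygps) >= precedence(reports):
        problems.append("fragment: MyGPS precedence is not below SSP-Reports")
    # Step 3: the role must be part of the Reports fragment audience.
    audience = {a.get("name") for a in ET.fromstring(reports).iter("attribute")
                if a.get("mode") == "deepMemberOf"}
    if role not in audience:
        problems.append(f"fragment: {role} missing from SSP-Reports audience")
    # Step 2: every group that sees the fragment must also be allowed to render the portlet.
    groups = {g.text.strip() for g in ET.fromstring(portlet).findall("group")}
    for name in sorted((audience | {role}) - groups):
        problems.append(f"portlet: no <group> for {name}")
    if pags is not None:  # Step 5 applies only when roles are mapped from LDAP
        root = ET.fromstring(pags)
        members = {m.text.strip() for m in root.iter("member-key")}
        defined = {g.findtext("group-key", "").strip() for g in root.iter("group")
                   if g.find("selection-test") is not None}
        if role not in members:
            problems.append(f"pags: no <member-key> for {role}")
        if role not in defined:
            problems.append(f"pags: no <group> with a selection-test for {role}")
    return problems
```

To use it on a checkout, read the four files named in Steps 1-3 and 5 and pass their contents to `audit`; omit `pags` when roles are assigned manually.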
(Optional) Step 6:
TODO
END