API call to assign user admin rights



  • Hi there,

    There is a question regarding the user management API.
    We have an application where Keycloak is used as the authorization server to provide access to the JSreport server using SSO.

    We would like to allow administrators of our system to also manage the user access to JS report servers used to generate documents.

    Everything is working fine (creating and assigning readAll/editAll permissions) but assignments of IsAdmin always returned 401 Error (Unauthorized Access).

    Also, in JSReport Studio a regular SSO user can't find the Admin check box in groups properties.

    The latest 4.11.0 JSreport servers are used in an on-premise environment.

    Here I've found a 4-year-old mention that assignment of administrative rights is allowed only to the admin login, which is impossible in an SSO scheme.

    > It seems the default admin user (configured through extensions.authentication.admin) is the only user who can add and delete users. Since we work in a team it would mean having to share this admin user's credentials across the team, which is considered a bad security practice. Is there a way to define multiple admin users?
    > I'm pretty sure this last one is not possible but decided to write it down anyways, so it can maybe be considered as a feature request
    >
    > you are right, this is not possible, the admin user is still considered a special entity that has master privileges for things like user management. I am opening an issue also for this so we can discuss it and plan it.

    https://forum.jsreport.net/topic/2275/several-questions-for-setting-up-sso-with-authorization-server/4

    Is this approach still true?

    Or do I have to play with group mapping between Keycloak and JSreport?
    Is there a clearer description of group mapping?

    Thanks in advance.


  • administrators

    hi!!

    > Everything is working fine (creating and assigning readAll/editAll permissions) but assignments of IsAdmin always returned 401 Error (Unauthorized Access)

    yes, this is expected, only the superadmin (the admin configured through extensions.authentication.admin) is allowed to modify the isAdmin flag of other users.

    > Also in JSReport Studio regular SSO user can't find Admin check box in groups properties.

    this is expected too, per the explanation above.

    > Is still this approach true?

    no, since we added the support of having other admin users in https://github.com/jsreport/jsreport/issues/860, user management right now can be handled with these admin users. the only thing that is not possible to tweak from these users is adding or removing the status of admin users, this action is only allowed right now for the superadmin.

    > We would like to allow administrators of our system also manage the user access to JS report servers used to generate documents.

    this makes sense, and it is possible right now either with user groups, or using admin users, however, why do you need to be able to change isAdmin too? if you just want to control the access to jsreport server, all of that can be done right now. but i don't understand why you need to also have the chance to add or remove admin users in this workflow.



  • Hello,

    I see, thanks for the explanation.

    Actually, there is no special intention to change the isAdmin outside the JSReport Studio.
    I just had a long fight to understand the issue with the 401 Error during the user patch API call.

    After removing the keys one by one I have found the root of the issue - the isAdmin flag.
    Looks like this limitation isn't described in the documentation, is it?


  • administrators

    @proxisua yes, it is not described in documentation. i have added a small description of this in the authentication docs.

    thanks

