Jasper Ideas

Hi Team,

We are requesting for Enhancement request For Patch method or way for partial update in the Permission Object in the jasperserver rest api:

We are currently exploring the possibility of performing partial permission updates through the REST API which is not possible through any method and wanted to understand the design decision behind the current behavior, particularly why PATCH support is not available.

While testing the API and comparing it with the UI behavior, I noticed a difference in how permission updates are handled.

UI Behavior (Partial Update Supported)

In the Jasperserver UI, permission updates are performed using:
POST /flow.html?_eventId=permissionsUpdateThis triggers:
ResourcePermissionsAction.updatePermissions()
→ objectPermissionService.putObjectPermission()In this flow, the system compares the existing permission mask with the new permission mask and updates the permission for the recipient only if the mask changes. The relevant logic looks like:

if(permissionToDisplay.getNewPermission() != permissionToDisplay.getPermission())

Because of this comparison logic, the UI allows updating the permission mask for an existing role multiple times without recreating the permission entry.

REST API Behavior
In the REST API implementation:
jasperserver-jax-rs-rest/src/main/java/com/jaspersoft/jasperserver/jaxrs/permission/RepositoryPermissionsJaxrsService.javaSeems like the API follows strict CRUD semantics:

POST → Create new permission
PUT → Replace the entire permission set for the resource
DELETE → Remove permission

If a permission already exists for a given recipient, a POST request returns HTTP 400, even if the permission mask is different. This is because the permission uniqueness appears to be determined by:
(resource URI + recipient)rather than:
(resource URI + recipient + mask)As a result, modifying the permission mask through REST requires the following workflow:
GET /permissions/{resource}
↓
Modify the permission mask in the response
↓
PUT /permissions/{resource}
(with the full permission list)This becomes inefficient for customers managing resources with a large number of roles. For example, if a folder has 100 role permissions and the customer wants to update the mask for only one role, they must retrieve the full list and submit the entire permission set again to avoid losing existing permissions.

Requesting for Enhancement request For Patch method or way for partial update in the Permission Object in the jasperserver:

From an API usability perspective, a PATCH endpoint supporting partial updates would align much better with the UI behavior. It would allow updating the permission mask for a specific recipient without replacing the entire permission set.