Sheet or App Object Level Security Qlik Sense

    Hi All,

     

    Qlik Sense comes with many security features, such as stream-level and application-level security for a user or group of users. For sheet-level security, however, there is no document on the community that guides you from scratch through the implementation. Sheet-level security means you can configure the Qlik Sense server so that a user or user group sees only the relevant sheet or sheets out of all the sheets in an application.

     

     

    Qlik Sense security hierarchy flow: Stream => Application => App Object (Sheet, Charts, filter, dimension and measure)


    Simply put, with the help of this document you can satisfy a client use case that specifies which user or user group can see a particular stream, then which application, then which sheet or sheets, and even which chart or set of charts.

     

    My goal is to restrict a user to a particular Stream => application => sheet =>Chart or set of charts.

     

    Security to MasterObject or AppObject is the last level of security.


    There are some names I am taking for this exercise:

    User: JARVIS

    Stream: Jarvis to Stream

    Application: Consumer_Sales (Default application comes with installation of Qlik Sense Desktop) which has 5 sheets.

    Sheet: Budget Analysis (This is our sheet which will be visible to our user or set of users)

    AppObject are charts, dimensions, measures, stories etc.

     


     

    Configuration Steps:

     

    1. Install Qlik Sense server on your machine and enable it with a Qlik Sense Enterprise license; you will find two desktop shortcuts, QMC and HUB. Use the root administrator account for the installation. Avoid an account that has administrator rights but is not the root administrator, because when you grant administrator privileges to a user, it acts like an administrator but does not become a full administrator (some of the properties remain pending).

     

    2. Open QMC with the administrator credentials (the account you used for installation), go to User Directory Connector and create a new connector: select Local or, if there is an AD (Active Directory), add the path of the AD => clear the check mark from "sync user data from existing users" => click OK and click the SYNC button. All the users will then show in the USERS tab.

     

    3. Go to the Apps tab and import the application concerned (.qvf file). I am importing Consumer_Sales (which comes by default with the installation of Qlik Sense Desktop).


    4.1 Go to the security tab and disable the default STREAM rule. This rule says that any user or group of users with access to a stream will see all the applications and AppObjects in it, so if we try to restrict a user to a particular application, it will override that security rule or restriction and the user will see all the Apps and AppObjects.

    4.2 Create a new stream with the name Stream for Jarvis, then click Apply => it will ask you for basic securities; click Cancel so that no security rule or user is applied at this time (it will give you a warning in a yellow box; no need to be afraid).

     

    5. Go back to the Apps tab and make a duplicate of your app (we generally first make a duplicate and then publish to a stream, because once we publish we can't make any changes or do development on the same application). Here I am making a duplicate of the Consumer_Sales app, renaming it to Consumer_Sales to Jarvis and publishing it to the stream Stream for Jarvis.

    6. Now log in as JARVIS (the user concerned). You will see there is no stream with the name Stream for Jarvis. So what is the problem? The problem is that user JARVIS has no relation with Stream for Jarvis. So we will use custom properties to associate a user with a resource; in other words, we need to write a security rule that says JARVIS can see the stream Stream for Jarvis. For basic knowledge of custom properties, see https://help.qlik.com/en-US/sense/3.1/Subsystems/ManagementConsole/Content/custom-properties-overview.htm

     

    7. Go to the Custom Properties tab and create a new property with the name StreamLevelManagement, with resource types Stream and User, and give it any sample value, such as Assistant. Assign it to the user concerned (JARVIS): go to the USERS tab, select JARVIS, and on the right side you will find the custom property option; click on it, then press the space bar, and the sample value (Assistant in my case) will appear; select it. Do the same exercise for the stream (Stream for Jarvis) by going to the Streams tab.

     

    8. Now our task is to map Stream for Jarvis to user JARVIS by creating a new security rule (Stream template) as:

    ((user.@StreamLevelManagement=resource.@StreamLevelManagement))

     

    I am describing security rules in both Basic and Advanced mode so that you are not confused about how to make a rule in either mode.

     

    Now log in as user JARVIS; you will find Stream for Jarvis.


     

    9. Go back to the Administrator account and create a new custom property AppLevelManagment with resource types User and Apps. Assign it to the user and the apps concerned that you created for this exercise, so that JARVIS can see the application concerned, as:

     

    ((user.@AppLevelManagment=resource.@AppLevelManagment))

     

    10. Now you will see that JARVIS can see only the particular application, but with all its sheets. Our goal is to restrict JARVIS to only one sheet; for that, create another security rule with the App.object template and configure it as:

     

    ((user.name="Jarvis" ) and resource.name="Budget Analysis")

     

    Here I am creating a rule so that user JARVIS sees only a SHEET-type object, and that object is Budget Analysis. Log in as JARVIS and you will see that JARVIS sees only the Budget Analysis sheet.

     

    Don't be too happy yet: JARVIS is restricted to only one sheet out of all of them, but when JARVIS opens this sheet, no chart or object is visible; an invalid object error message appears in place of the charts.

     

    Now you have two options: either all the charts will be visible on that restricted sheet, or you restrict your user to particular charts.

     

    ALL CHARTS VISIBLE:

    Let's talk about the case where all the objects (chart, filter) should be visible on the Budget Analysis sheet.

    For this, create a new security rule as:


    ((user.name="Jarvis" and resource.name="*" and resource.objectType!="sheet"))

    Now you will see that all the charts are visible. The first solution ends here: you have restricted your user to a sheet, and that sheet's objects are visible.

    Now the complex one: what if your client says, "I want my user to be restricted to a sheet, but he or she should see only one chart on the sheet and the rest of the charts should be invisible"?


    Important Note: Rather than writing a security rule which says JARVIS can see all objects, it is better to write this rule with AppObject as the resource:

    ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.objectType != "sheet" and resource.app.stream.HasPrivilege("read"))


    The above rule says that anyone who has access to the stream and the published application can view all the application objects except sheets; for sheets you may use the instruction in point no. 10. This rule will work for all users; you just need to say which user can see which sheet. Let's say there are other users who can see all the sheets; then you may write one more rule here:


    ((user.name="User1" and resource.objectType="sheet"))


    With this, User1 will see all the sheets to which he has access.


     

    ONLY ONE CHART WILL BE VISIBLE:

    After step no. 10, the next step is the one below:

    Write a security rule which grants JARVIS access to the App Objects of this sheet. Create a new security rule and configure it so that JARVIS will see only one chart present in BUDGET ANALYSIS, by writing the code as:

    ((resource.objectType="masterobject" or resource.name="Sales $ by Product Group (sorted by Budget $)" or resource.name="Sales $" or resource.name="Product"))

     

    As you can see, I have now used as resource.name the name of the chart concerned and the measure and dimension that make up that chart.

    Now you can see that JARVIS can view only the Sales $ by Product Group (sorted by Budget $) chart, and the rest appear as Invalid Objects.
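
    The effect of combining these rules can be checked with a small model. This is an added example, not Qlik's rule engine and not the author's code: it assumes an object is visible only when at least one enabled rule grants it, and the object names "Sales Analysis" and "Margin by Region" are constructed for illustration.

```python
# Simplified model (an assumption, not Qlik's engine): an app object is visible
# only if at least one enabled security rule evaluates to true for it.
from dataclasses import dataclass

@dataclass(frozen=True)
class AppObject:
    name: str
    object_type: str          # "sheet", "barchart", "masterobject", ...
    published: bool = True
    stream_read: bool = True  # user already has read access to the app's stream

# Constructed sample objects; only the first and third names come from the page.
OBJECTS = [
    AppObject("Budget Analysis", "sheet"),
    AppObject("Sales Analysis", "sheet"),
    AppObject("Sales $ by Product Group (sorted by Budget $)", "barchart"),
    AppObject("Margin by Region", "barchart"),
]

def default_stream_rule(user, r):
    # Step 4.1: stream readers get every published object, sheets included.
    return r.published and r.stream_read

def sheet_rule(user, r):
    # Step 10: "=" in a rule condition is modelled as case-insensitive here.
    return user.lower() == "jarvis" and r.name == "Budget Analysis"

def non_sheet_rule(user, r):
    # Important Note rule: published non-sheet objects in a readable stream.
    return r.published and r.object_type != "sheet" and r.stream_read

def one_chart_rule(user, r):
    # Single-chart variant: master objects plus the named chart, measure, dimension.
    names = {"Sales $ by Product Group (sorted by Budget $)", "Sales $", "Product"}
    return r.object_type == "masterobject" or r.name in names

def visible(user, rules):
    """Names of the objects that at least one rule grants to the user."""
    return sorted(o.name for o in OBJECTS if any(rule(user, o) for rule in rules))

if __name__ == "__main__":
    for label, rules in [
        ("default Stream rule left enabled", [default_stream_rule, sheet_rule]),
        ("sheet rule + non-sheet rule", [sheet_rule, non_sheet_rule]),
        ("sheet rule + one-chart rule", [sheet_rule, one_chart_rule]),
    ]:
        print(f"{label}: {visible('JARVIS', rules)}")
```

    The first case shows why step 4.1 matters: while the default rule stays enabled, the restrictive sheet rule has no effect, because any single granting rule is enough.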

     


     

    For other users who should see all the sheets, kindly consider the Important Note above.

     

    Now we have a solution which shows you the deepest level of security, as master objects are the last level of resource in Qlik Sense.

     

    After finishing Qlik Sense Enterprise, QAP (Qlik Analytical Platform). You may get all the information step by step in the following document: https://community.qlik.com/docs/DOC-18436

     

    JARVIS stands for Just A Rather Very Intelligent System

     

    Reach out to me at kumar.rohit1609@gmail.com if you need any clarification or assistance.

     

    Follow me on Qlik Community at https://community.qlik.com/reputation.jspa?username=rohitk1609 for more important Qlik or BI related documents. Following my profile there helps me to initiate the chat option, where I can understand your use case better and come up with the right solution.

     

     
