QlikSense Sheet Level Security - QMC Security Rules

    When utilizing QlikSense, Sheet Level Security can be achieved through Security Rules via the QMC.

     

    Background:

     

    My suggested approach to implementing Sheet Level Security is to create four new Security Rules after disabling the default rules.  It involves a User Directory with properties for the Company, Application, and Sheets.  Custom properties in the QMC will need to be created to contain the same User Directory property values.

     

    Custom properties are created in the QMC and assigned to the individual Applications and Streams.  This allows for a general approach to handling an expanding list of Companies and their various Applications.  As the number of Applications and Companies grows, the User Directory Properties and Custom Properties will both need to be updated to grant access to the new applications and the applications' sheets.

     

     

    **Note** Please disable the default rules; do not delete them.

     

    The default Security Rule to disable is the Stream rule:

    Rule Name = Stream

    Resource Filter = App*

     

    In the example below, I am utilizing a user directory that has user properties.  Each rule names the individual directory it applies to.  If you have multiple user directories, you will need to include them in the rule or create separate rules for them.

     

    Create four new rules for Streams, Applications, Sheets, and Non-Sheet Application Objects.

     

    1) Rule for Streams

      1. Filter = Stream_*
      2. Suggested Logic = Identify a group of QlikSense Users who meet the criteria to access the stream.
        1. Users must belong to an identified User Directory
        2. Users must have the user property of Company that matches the Custom Property (Company) assigned to the stream

    ((

    user.userDirectory="Specific User Group"

    and user.company=resource.@Company

    ))

     

    2) Rule for Applications

      1. Filter = App_*
      2. Suggested Logic = Identify a group of QlikSense Users who meet the criteria to access the applications.
        1. Users must have the user property of Company that matches the Custom Property (Company) assigned to the application.
        2. Users must have the user property of applications that matches the Custom Property (Applications) assigned to the application
        3. User must have Read Permission to the stream the application is in

     

    ((

    resource.resourcetype = "App"

    and user.userDirectory="Specific User Group"

    and user.company=resource.@Company

    and user.applications=resource.@Applications

    and resource.stream.HasPrivilege("read")

    ))

     

    3) Rule for Sheets

      1. Filter = App.Object_*
      2. Suggested Logic = Identify a group of QlikSense Users who meet the criteria to access the sheets.
        1. The Object must be a sheet
        2. The Users must have the user property of sheets that matches the Sheet Name

    ((

    user.userDirectory="Specific User Group"

    and resource.objectType="sheet"

    and user.sheets=resource.name

    ))


    4) Rule for Non-Sheet Application Objects

      1. Filter = App.Object_*
      2. Suggested Logic = Identify a group of QlikSense Users who meet the criteria to access the other application objects.
        1. The Object must not be a sheet (explicitly exclude sheet to ensure the Rule above will work)
        2. The Objects you want the user to access must be included in the 'or' section
        3. Excluding an Object Type from the 'or' section will exclude access to it
        4. Using 'resource.objectType!=' will also exclude an Application Object type

    ((

    user.userDirectory="Specific User Group"

    and resource.objectType!="sheet"

    and (

    resource.objectType="bookmark"

    or resource.objectType="appprops"

    or resource.objectType="dimension"

    or resource.objectType="embeddedsnapshot"

    or resource.objectType="GenericVariableEntry"

    or resource.objectType="listbox"

    or resource.objectType="masterobject"

    or resource.objectType="measure"

    or resource.objectType="snapshot"

    or resource.objectType="story"

    )

    ))
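
The following Python model is an added example, not Qlik code and not part of the original post. It evaluates the App.Object_* conditions from rules 3 and 4 and shows why the 'or' list of object types in rule 4 needs its own parentheses: left ungrouped, the user directory test binds only to the first alternative, whether the expression is read left to right or with 'and' taking precedence. The users, objects and function names are constructed for illustration, and a multi-valued user property is assumed to match when any one of its values equals the resource value.

```python
# Added illustration: models the App.Object_* conditions from rules 3 and 4.
# Users, objects and helper names are constructed for this example.
DIRECTORY = "Specific User Group"
ALLOWED_TYPES = {"appprops", "bookmark", "dimension", "embeddedsnapshot",
                 "GenericVariableEntry", "listbox", "masterobject",
                 "measure", "snapshot", "story"}


def rule3_sheets(user, obj):
    """Rule 3: a sheet whose name appears in the user's 'sheets' property."""
    # Assumption: a multi-valued property matches if any value is equal.
    return (user["userDirectory"] == DIRECTORY
            and obj["objectType"] == "sheet"
            and obj["name"] in user["sheets"])


def rule4_ungrouped(user, obj):
    """Rule 4 with the 'or' alternatives left outside any parentheses."""
    t = obj["objectType"]
    return (user["userDirectory"] == DIRECTORY and t != "sheet"
            and t == "bookmark" or t == "appprops" or t == "dimension"
            or t == "measure" or t == "story")  # other types behave the same


def rule4_grouped(user, obj):
    """Rule 4 with the allowed types grouped behind the directory test."""
    t = obj["objectType"]
    return (user["userDirectory"] == DIRECTORY and t != "sheet"
            and t in ALLOWED_TYPES)


def visible(user, objects, rule4):
    """Names of objects granted by rule 3 or by the given form of rule 4."""
    return [o["name"] for o in objects
            if rule3_sheets(user, o) or rule4(user, o)]


# Constructed sample data
OBJECTS = [
    {"name": "Sales", "objectType": "sheet"},
    {"name": "Finance", "objectType": "sheet"},
    {"name": "Revenue", "objectType": "measure"},
    {"name": "Q1 view", "objectType": "bookmark"},
]
INSIDER = {"userDirectory": DIRECTORY, "sheets": ["Sales"]}
OUTSIDER = {"userDirectory": "OTHER", "sheets": ["Sales"]}

if __name__ == "__main__":
    for label, user in (("insider", INSIDER), ("outsider", OUTSIDER)):
        print(label, "ungrouped:", visible(user, OBJECTS, rule4_ungrouped))
        print(label, "grouped:  ", visible(user, OBJECTS, rule4_grouped))
```

In the QMC, the equivalent check is to audit each rule against a user outside the named directory and confirm that no App.Object resources are returned.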