agigliotti
Partner - Champion

Qlik Sense security rule problem

Hello,

I'm using version 3.2 SR2 and I modified the following security rule:

CreateAppObjectsPublishedApp

adding the below condition:

and (user.group="role_dev" or user.group="role_ext")

---

!resource.App.stream.Empty() and resource.App.HasPrivilege("read") and (resource.objectType = "userstate" or resource.objectType = "sheet" or resource.objectType = "story" or resource.objectType = "bookmark" or resource.objectType = "snapshot" or resource.objectType = "embeddedsnapshot" or resource.objectType = "hiddenbookmark") and !user.IsAnonymous() and (user.group="role_dev" or user.group="role_ext")

---

However, I noticed that a user not belonging to "role_dev" or "role_ext" is able to create app objects, e.g. a sheet object.

Is it a BUG???

Please let me know asap.

Many thanks in advance for your time.

Best Regards

Andrea

1 Solution

Accepted Solutions
agigliotti
Partner - Champion
Author

Good news for Qlik, and for customers of course!

After some tries I understand the rule is actually working as expected, because the user is not able to create app objects even if the button (e.g. "create new sheet") is shown.

What's happening is that the user creates a new sheet, but after the page is refreshed the created sheet disappears, in accordance with the associated security rule.

I think Qlik should improve this behavior by hiding the corresponding HTML element.

I hope it's clear.

21 Replies
MK9885
Master II

!resource.App.stream.Empty() and

resource.app.@YOURAPPCUSTOMPROPERTY="YOURCUSTOMAPPVALUE" and

resource.name!="YOURSHEETS" and

(resource.objectType = "userstate" or resource.objectType = "story" or resource.objectType = "bookmark" or resource.objectType = "embeddedsnapshot" or resource.objectType = "hiddenbookmark") and (user.group="role_dev" or user.group="role_ext")

and

(user.group!="YOURRESTRICTEDGROUP")



Maybe try this one?

Not sure but it worked for me

agigliotti
Partner - Champion
Author

Actually, I need to disable all app object creation, not only sheets.

MK9885
Master II

Disable all objects for everyone?

agigliotti
Partner - Champion
Author

Yes, for everyone except the root admin.

MK9885
Master II

Capture.PNG

Disable the default CreateObject rule in your QMC Security Rules Tab. Check above image?

This will disable for all (including Root Admin)

In some time I'll let you know how to enable it for Root Admin. I will test it and update it here.

Thanks.

agigliotti
Partner - Champion
Author

It's already disabled.

Gysbert_Wassenaar

Use the Audit page to show which rules are granting which rights to whom on what object. See this video for details: Auditing security - Qlik Sense 2.1 - YouTube


talk is cheap, supply exceeds demand
MK9885
Master II

I think as you disable the Default CreateObject rule it should disable editing for all users.

If that's not happening then I'm not sure why?

Can you make sure the rule is disabled?

agigliotti
Partner - Champion
Author

As you can see below I disabled the rule

securityRules_03.png

but all users are still able to create new objects for the published app!!!???