Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
tomovangel
Partner - Specialist
Partner - Specialist
‎2017-12-13 07:52 AM

Security rules

Hello guys, So basically I have a lot of work into copying my Client's database security rules into qliksense.

So far I have managed to write section access on a Country level, but I also have securities based on certain Measures.


I have made the measures as Objects into the Application.

The name of the app is "Sales Report".

My measure name is Margin.

I thought to make a group in the QMC, which is called MARGIN, and then add all users, which can see this measure.

and After that I have to write a Security rule, which gives access to this measure to the specific users, and the other users must NOT see this measure.

for example something like each user part of the user group MARGIN, can see the measure Margin, which is inside Sales Report.


I have never written security rules, except some basic ones which gives users access to streams.

Any thoughts?  I have 6 different measures,  which has to be restricted to the specific usergroup. Since I can't include this in my section access statement i thought security rules might help me build the full security database into QlikSense.


THANKS !

4,100 Views
1 Solution

Accepted Solutions
tomovangel
Partner - Specialist
Partner - Specialist
‎2017-12-19 08:27 AM
Author

In response to MK9885

Hello guys, this post is for future people who come here !

IF you are reading this, You must have a basic knowledge on Custom Properties, and how to apply them to map users with apps and streams.

After I made Custom properties for my groups of users, and then I applied this properties to the corresponding Streams and Apps, I had to write security rules .

1. Disable default stream rule

2. Write rule that specifies Streams with the custom property of the groups

3. Write rule for App Access with the corresponding groups ( ex. Group1 can see Group1, Group2 can see Group2 etc.)

4. AND last, but not least you must specify rule for App object .

this is my rule

((user.@AppLevelManagement="Sales") and (resource.objectType!="measure" or resource.name="SalesSum" or resource.name="RegionsCount"))

BASICALLY this rule says, that IF   a user is part of the AppLevelManagement - Sales, he CAN'T see resource.objectType!="measures", and after that we specify which measures, this users can see, in our example the users which are part of the Sales group, can see the measures - "SalesSum" and "RegionsCount".

PS: The measures have to be saved  like Master Measures.
PS2: I am using this rule as part of my section access to restrict which users can see which measures.
PS3: If you have questions comment here and I will try to help you

Thanks to arvind654

View solution in original post

3,699 Views
9 Replies
sarahplymale
Creator
Creator
‎2017-12-13 12:37 PM

This document goes step by step through implementing security rules at the app object level:

Sheet or App Object Level Security Qlik Sense

I know that sheets and charts are "app objects".  I don't know if master measures will be considered app objects or not.  Even if the master measure is considered an app object and you can use this method for restricting access, the field would still be in the data model and the user could hypothetically write a measure on that field themselves.  I'm not sure how to restrict access to entire fields (column level security) or if security rules can accomplish this.

Sarah

3,699 Views
MK9885
Master II
Master II
‎2017-12-13 01:54 PM

doesn't disabling the measure disable the chart if it is based on single measure?

Yo may have to save those measure as Master Measures, not sure... but

resource.objectType="measure" or resource.objectType="masterobject"  ???

3,699 Views
tomovangel
Partner - Specialist
Partner - Specialist
‎2017-12-14 06:31 AM
Author

In response to MK9885

I have got some sensitive data, like Margins, Consolidated currency and etc. I am using them in KPI's only, and not in real charts, I am currently reading all the docs based on security rules and trying to get to know the logic behind them better .

And Yes, I have saved those measures as Master Items(Measures)

3,699 Views
0 Likes
alextimofeyev
Partner - Creator II
Partner - Creator II
‎2017-12-14 10:29 AM

tomovangel‌,

why are you saying that you cannot restrict it via section access? Do all users need access to all fields that are used in calculating your measure? If not, just restrict access to at least one underlying field, and the measure will be calculated as <null> for unauthorized users.

3,699 Views
0 Likes
tomovangel
Partner - Specialist
Partner - Specialist
‎2017-12-19 08:27 AM
Author

In response to MK9885

Hello guys, this post is for future people who come here !

IF you are reading this, You must have a basic knowledge on Custom Properties, and how to apply them to map users with apps and streams.

After I made Custom properties for my groups of users, and then I applied this properties to the corresponding Streams and Apps, I had to write security rules .

1. Disable default stream rule

2. Write rule that specifies Streams with the custom property of the groups

3. Write rule for App Access with the corresponding groups ( ex. Group1 can see Group1, Group2 can see Group2 etc.)

4. AND last, but not least you must specify rule for App object .

this is my rule

((user.@AppLevelManagement="Sales") and (resource.objectType!="measure" or resource.name="SalesSum" or resource.name="RegionsCount"))

BASICALLY this rule says, that IF   a user is part of the AppLevelManagement - Sales, he CAN'T see resource.objectType!="measures", and after that we specify which measures, this users can see, in our example the users which are part of the Sales group, can see the measures - "SalesSum" and "RegionsCount".

PS: The measures have to be saved  like Master Measures.
PS2: I am using this rule as part of my section access to restrict which users can see which measures.
PS3: If you have questions comment here and I will try to help you

Thanks to arvind654

3,700 Views
tomovangel
Partner - Specialist
Partner - Specialist
‎2018-01-29 03:20 AM
Author

In response to alextimofeyev

I have to restrict data based on 3 dimensional fields ( Segment, Country, SalesRegion) and furthermore on 5 expression fields.

So I'm strugling to make it work.

Have you written any complex Section Access, where you have 8 fields from which to cut data?

BR, Angel

3,699 Views
0 Likes
alextimofeyev
Partner - Creator II
Partner - Creator II
‎2018-01-29 03:57 AM

In response to tomovangel

Angel,

several fields in the data model - yes. I haven't had a need to restrict access to measures (I guess it's what you mean by "expression fields", right?), but I thought from your previous posts that you have figured that out by using security rules. Did I misunderstand?

Alex

3,699 Views
0 Likes
tomovangel
Partner - Specialist
Partner - Specialist
‎2018-01-29 04:00 AM
Author

In response to alextimofeyev

Yes, I have but it's not tested on  a real environment yet.
I have thought of the OMIT function, but not sure if it will work.

3,699 Views
0 Likes
sujay
Contributor II
Contributor II
‎2020-08-24 03:42 AM

In response to tomovangel

Hi ,

We want to provide access to custom admin role for users adn license so that can assign a role to user and assign license to user using this custom role.

We tried License_*,QmcSection_user_* Task but i'ts not showing for cutorm roles

 

Could you please help us though if we use suggest proper resource filter 

2,573 Views
0 Likes