Re: QlikSense Security Rule - Update published app... - Qlik Community

marcos_herrera · ‎2018-02-19

Hi Dear Qlik Community

I'm triyong to create a Security Rule to grant access to update published apps to some users (Like to executive users) , i copied the Stream Defaul Security rule to make the new rule but not works

The rule has the following properties

Resorce filter: App*

Actions: read, update

Condition:

(resource.resourcetype = "App" and resource.stream.HasPrivilege("read") and user.@UserGroup = "Admin"

) or ((resource.resourcetype = "App.Object" and resource.published ="true"

and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))

Additionally, i cretaed an adtional rule for normal users (Onlye read)

Resorce filter: App*

Actions: read

Condition:

(resource.resourcetype = "App" and resource.stream.HasPrivilege("read") and user.@UserGroup != "Admin"

) or ((resource.resourcetype = "App.Object" and resource.published ="true"

and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))

Additional info:

1) The standar Stream Security Rule was disabled

2) I created a Custom Property for user and apps, with values "Admin"

3) The users that need update the published apps has the custom property "Admin"

4) One o the "Admin" user is the owner app

The problem is that all users can update the published apps

YoussefBelloum · ‎2018-02-20

Hi,

I'll try to redo all this and see what's the problem here

Levi_Turner · ‎2018-02-20

I'd break out your selection criteria into logical parts. Example:

Before:

(resource.resourcetype = "App" and resource.stream.HasPrivilege("read") and user.@UserGroup = "Admin" ) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))

After:

((resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))) and user.@UserGroup = "Admin"

Or you could just separate out the update functionality to a separate rule. Since rules are additive then it will add on to the previously configured permissions. That's generally easier than managing two different rules.

Why do you want the update right? To expose the DLE? Expose the data model?

marcos_herrera · ‎2018-02-21

Hi ltu

I create one Rule with the following attributes

Name: Stream Admin

Resorce filter: App*

Actions: read, update

Condition:

((resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))) and user.@UserGroup = "Admin"

This rule worked fine for me, but i need an extra rule to the user thah does not have the custom property UserGroup = "Admin" the rule will be used for the "reader" user on published Apps. I tried with this

Name: Stream Reader

Resorce filter: App*

Actions: read

Condition:

((resource.resourcetype = "App" and resource.stream.HasPrivilege("read") and resource.@UserGroup.empty()) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read")))

But not works, the users that not have custom property UserGroup = "Admin" can edit the Published App

QlikSense Security Rule - Update published apps to some users