Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Not applicable
‎2015-04-30 07:21 PM

Security Access to Specific App Objects

Hello,

I am currently exploring the security rule section of the QMC, and I am having trouble with App Object Access Rules. I was curious as to

1) Whether it was possible to create a rule allowing access to a specific sheet or bookmark? If so how am I able to identify that specific object in the advanced security rule?

2) How do I create a Security Rule that states only people of a specific group can create Sheets. (essentially the problem I have is how do I refer to all sheets)

Thanks

13,085 Views
1 Solution

Accepted Solutions
Not applicable
‎2015-05-01 09:54 AM
Author

Hi, so I can answer #2.

There are two default rules in the QMC, CreateAppObjectsPublishedApp and CreateAppObjectsUnPublishedApp.  These are your templates for what you want to do.

Make copies of these rules and then you can go through playing around with access.  Basically what you can do is add to the end of this rule to state and user.%attribute% = "something" and it will limit access to creating sheets and other objects to users with that attribute name and value.  If you want to limit to just sheets, take out all of the resource.objectType entries except for the one referencing "sheet".

For example, CreateAppObjectsPublishedApp has conditions set: !resource.App.stream.Empty() and resource.App.HasPrivilege("read") and (resource.objectType = "userstate" or resource.objectType = "sheet" or resource.objectType = "story" or resource.objectType = "bookmark" or resource.objectType = "snapshot" or resource.objectType = "embeddedsnapshot" or resource.objectType = "hiddenbookmark") and !user.IsAnonymous()

What this is saying is if the stream is NOT empty AND the resource has read privileges and the user is NOT anonymous and give access to userstate, sheets, stories, bookmarks, snapshots, embedded snapshots, and hiddenbookmarks.

What is missing here is the limitation to a particular user or group of users based on an attribute.  Start by testing removing the !user.IsAnonymous with user.%attribute% = "something" where %attribute% may be group and something may be executives.

Reference to security rules here with samples: http://help.qlik.com/sense/en-US/online/#../Subsystems/ManagementConsole/Content/ServerUserGuide/SUG...

Here is another that answers your #2 question: http://help.qlik.com/sense/en-US/online/#../Subsystems/ManagementConsole/Content/ServerUserGuide/SUG...

View solution in original post

5,059 Views
12 Replies
Not applicable
‎2015-05-01 09:54 AM
Author

Hi, so I can answer #2.

There are two default rules in the QMC, CreateAppObjectsPublishedApp and CreateAppObjectsUnPublishedApp.  These are your templates for what you want to do.

Make copies of these rules and then you can go through playing around with access.  Basically what you can do is add to the end of this rule to state and user.%attribute% = "something" and it will limit access to creating sheets and other objects to users with that attribute name and value.  If you want to limit to just sheets, take out all of the resource.objectType entries except for the one referencing "sheet".

For example, CreateAppObjectsPublishedApp has conditions set: !resource.App.stream.Empty() and resource.App.HasPrivilege("read") and (resource.objectType = "userstate" or resource.objectType = "sheet" or resource.objectType = "story" or resource.objectType = "bookmark" or resource.objectType = "snapshot" or resource.objectType = "embeddedsnapshot" or resource.objectType = "hiddenbookmark") and !user.IsAnonymous()

What this is saying is if the stream is NOT empty AND the resource has read privileges and the user is NOT anonymous and give access to userstate, sheets, stories, bookmarks, snapshots, embedded snapshots, and hiddenbookmarks.

What is missing here is the limitation to a particular user or group of users based on an attribute.  Start by testing removing the !user.IsAnonymous with user.%attribute% = "something" where %attribute% may be group and something may be executives.

Reference to security rules here with samples: http://help.qlik.com/sense/en-US/online/#../Subsystems/ManagementConsole/Content/ServerUserGuide/SUG...

Here is another that answers your #2 question: http://help.qlik.com/sense/en-US/online/#../Subsystems/ManagementConsole/Content/ServerUserGuide/SUG...

5,060 Views
anilet123
Partner - Contributor III
Partner - Contributor III
‎2015-08-09 10:52 AM

In response to

Hi ,

I have two different apps which have sheets with same name like below, and two users say user1 and user2

App1-->SH1,SH2

App2-->SH1,SH3

Now I want to restrict the user access at sheet level.So, user1 can access SH1 of App1 but not the SH1 of App2.Currently I am using the below 2 rules

Rule1:

Resource Filter: App_App1,App_App2

Condition: ((user.name="user1")) or ((user.name="user2"))

Rule2:

Resource Filter:  App.Object_*

Condition:  ((user.name="user1") and (resource.name !="SH1")) or

((user.name="user2") and (resource.name !="SH2"))

using this condition the SH1 in both the apps are hidden. But I want only the SH1 of App2 be hidden. Kindly help.

5,059 Views
0 Likes
Not applicable
‎2015-08-10 12:19 PM
Author

In response to anilet123

Anilet, I think your issue is that you need to have rule 2 be more specific.  So for the resource you would specify APP_%GUIDforApp2%,App.Object_*.

This sets the resource to only apply to that specifc app and ALL app Objects regardless of APP.  If you want to narrow the resource to a specific sheet then find the guid for that sheet and have App.Object_%GUIDforSH1% that is the guid for sheet1 of app2.

As for your condition, your condition needs to specify the resource type along with the name because resource.name!="SH1" does not indicate to the rules interpretor what type of object to look for that resource name.

Consider this condition (specifically the bold part):

user.roles = "Stream1Admin" and ((resource.resourcetype="Stream" and resource.name="Stream 1") or (resource.resourcetype="App" and resource.stream.name="Stream 1") or (resource.resourcetype="App.Object" and resource.objectType="sheet" and resource.app.stream.name="Stream 1") or (resource.resourcetype="ReloadTask" and resource.app.stream.name="Stream 1"))


I'd use the bold bit with the reference to the sheet name and see if that helps meet your goal.


jg

5,064 Views
0 Likes
anilet123
Partner - Contributor III
Partner - Contributor III
‎2015-08-11 03:51 AM

In response to

Thank you Jeffrey.

For some reason the resource filter App.Object_%GUIDforSH1% isn't working and the rule is highlighted as red. So, I have changed Rule 2 as below and results are coming as expected.

Resource Filter:      App*

Condition:              ((user.name="user1") and ((resource.app.name="App1") and (resource.name !="Sheet1")) or                                                                    (resource.app.name="App2")) or

                             ((user.name="user1") and ((resource.app.name="App1") and (resource.name !="Sheet2")) or                                (resource.app.name="App2")  )

Any other simpler method will be greatly appreciated. And one more question while auditing a resource what does a pink color in a rule mean???


Regards,

Anilet

5,064 Views
tanvi_madan1
Partner - Contributor III
Partner - Contributor III
‎2015-11-03 04:57 AM

In response to anilet123

hi,

I tired with the above rule but i am not getting as excepted. I want to hide the sheet for specific user.

Just want to know these rules are applicable on published or unpublished apps,

Regards,

Tanvi Madan

5,064 Views
0 Likes
Not applicable
‎2016-05-10 04:20 AM
Author

In response to anilet123

Hi All,


I have created a role called USERGROUP and I want to give the access to specific apps based on the department like (finance, sales and etc.. ).


For example :  I have a stream called Dashboard in that I have around 20 applications. I want to provide a access to only 5 Apps (App05,App07,App10,App02,App30) ) for the role which I created (USERGROUP).Please assist me how to create a rules for this scenario.


Simply, I want to manage all the things in Roles Level and I will assign the roles to user based on the department.


Please assist me to achieve this.


Thanks .....!

5,064 Views
0 Likes
shraddha_g
Partner - Master III
Partner - Master III
‎2016-10-19 03:15 AM

In response to anilet123

Hi  anilet123 ,

Did you disable any default rule before creating this rules?

5,064 Views
0 Likes
OmarBenSalem
MVP
MVP
‎2016-11-25 03:14 AM

In response to

Hi Jeffrey,

I have a question, I have a stream in which I have 2 apps.

I have a user who can access that stream; now I want him to just be able to see only one application of the 2 that exist.

I should then create a security rule, but I haven't figured out yet how to create it. This what I've done so far:

Capture.PNG

I should also mention that there is a security rule associated to the stream which permits to this user the full access to the stream (create, update, read etc)
how would Qlik Sense interpret these 2 rules which are "in conflict"?
And is the rule I just made correct or should I change it? if yes, how?
Thanks,

Omar,

5,064 Views
0 Likes
Not applicable
‎2016-11-25 11:38 AM
Author

In response to OmarBenSalem

Hi Omar,

I recommend watching this video: Video Link : 3762

It goes through how to set up an app level visibility rule within a stream.

Cheers,

Jeff G

5,064 Views
0 Likes