topic Re: Security while Rest Connection to run tasks in Qlik NPrinting

Security while Rest Connection to run tasks

ali_hijazi — Thu, 10 Jul 2025 07:36:38 GMT

Hello
we have QVF files that use a rest connector to connect to an application and run desired tasks
I'm asked to secure calls to run tasks in a way if the user account that is using the rest connector cannot run a task unless that user account has access to the app of that task

can someone help me?
the useraccount running the nprinting services is NPRINTINGUSER
the useraccount running the Qlik Sense engine is MXUSER
both are administrators

our code looks something like this:

currently in the Nprinting_LOGIN we are using the NPRINTINGUSER which is an administrator
suppose I login with my_user_account for example and I don't have access to Times To Validate app, will the above code run? I'm asking because in Qlik it is always the MXUSER who is running the processes in the background. so if we login with a user account that doesn't access to the app, script will fail but works if we login with a user account that has access to Times To Validate?
is this the correct approach?

Re: Security while Rest Connection to run tasks

Lech_Miszkiewicz — Thu, 10 Jul 2025 09:19:53 GMT

Hi @ali_hijazi

If you want to secure use of REST GET and POST connections from Qlik Sense to NPrinting you need to apply security rules in QMC to restrict visibility/use of those connections only to accounts you want. You can do that by use of groups or custom properties. Obviously that means you may need to look at how security rules for your environment connections are set and whether

It is the same as having configured connection to database with predefined user in it. Everyone who can see such connection can use it.

Those processes are for scheduled reloads only as having them for any other reason does not make sense given that checking users and allowing them to run tasks manually may be avoided simply by allowing them to run task directly from NPrinting where exactly the same approach can be achieved.

Understanding reasons and full workflow of your problem is probably required as at this stage to me this is binary:

you allow use of service accounts to run task (APIs are configured under PREDEFINED accounts) - that is typical to run schedule dependancies based on other tasks.
or you allow individuals to trigger tasks - for that you dont need API and users can use NPrinting console.

cheers

Re: Security while Rest Connection to run tasks

ali_hijazi — Thu, 10 Jul 2025 12:36:18 GMT

hello
I'm not talking about securing rest connections as data connections
I meant currently we use to connect from Rest connector a user named NprintingUser and this user account is administrator the administrator has access to all apps

what I want is use a user in the rest connector that has access to One desired app and thus can run the tasks of that app only

so if I want to run a task for another app using the same user but who doesn't have access to the app in the example above then the script should fail

Re: Security while Rest Connection to run tasks

Lech_Miszkiewicz — Thu, 10 Jul 2025 13:27:13 GMT

So why dont you create another set of Get and Post connections with user who has only access to that app only and use that pair?

I dont think REST connector has SSO for connections so user Id and password are hardcoded and predefined so only workaround I am thinking of would be to have a set of various connections.

Sorry, but I dont think you can manage that in any other way. Maybe other can comment on it.

cheers

Re: Security while Rest Connection to run tasks

ali_hijazi — Thu, 10 Jul 2025 14:00:51 GMT

@Lech_Miszkiewicz
yes this is what I was talking about

create pair of GET / POST rest connections for each app or security role
I use in each pair a user account that is not administrator and has access to teh app that we want to get and run the related reports
so this is a good approache?

Re: Security while Rest Connection to run tasks

Lech_Miszkiewicz — Thu, 10 Jul 2025 22:52:34 GMT

HI @ali_hijazi,

This is not something what would have "best practices" established and your requirement is rather unique so I say just try if it works for you. Is this a good aproach? - I dont know, but it is the only aproach I could come up with when trying to answer your question.

cheers