topic Re: Qlik Sense security rule problem in App Development

Qlik Sense security rule problem

agigliotti — Thu, 06 Apr 2017 10:11:50 GMT

Hello,

I'm using version 3.2 SR2 and I modified the following security rule:

CreateAppObjectsPublishedApp

adding the below condition :

and (user.group="role_dev" or user.group="role_ext")

---

!resource.App.stream.Empty() and resource.App.HasPrivilege("read") and (resource.objectType = "userstate" or resource.objectType = "sheet" or resource.objectType = "story" or resource.objectType = "bookmark" or resource.objectType = "snapshot" or resource.objectType = "embeddedsnapshot" or resource.objectType = "hiddenbookmark") and !user.IsAnonymous() and (user.group="role_dev" or user.group="role_ext")

---

However I noted a user not belonging to the "role_dev" or "role_ext" is able to create app objects ex. sheet object.

Is it a BUG ???

Please let me know asap.

Many thanks in advance for your time.

Best Regards

Andrea

Re: Qlik Sense security rule problem

MK9885 — Thu, 06 Apr 2017 15:15:05 GMT

!resource.App.stream.Empty() and

resource.app.@YOURAPPCUSTOMRPOPERTY="YOURCUSTOMAPPVALUE" and

resource.name!="YOURSHEETS" and

(resource.objectType = "userstate" or resource.objectType = "story" or resource.objectType = "bookmark" or resource.objectType = "embeddedsnapshot" or resource.objectType = "hiddenbookmark") and (user.group="role_dev" or user.group="role_ext")

and

( user.group!="YOURRESTICTEDGROUP")

Maybe try this one?

Not sure but it worked for me

Re: Qlik Sense security rule problem

agigliotti — Thu, 06 Apr 2017 15:26:10 GMT

actually I need to disable all app objects creation, not only sheet.

Re: Qlik Sense security rule problem

MK9885 — Thu, 06 Apr 2017 15:28:03 GMT

Disable all objects for everyone?

Re: Qlik Sense security rule problem

agigliotti — Thu, 06 Apr 2017 15:34:31 GMT

yes for everyone except for the root admin.

Re: Qlik Sense security rule problem

MK9885 — Thu, 06 Apr 2017 15:37:54 GMT

Disable the default CreateObject rule in your QMC Security Rules Tab. Check above image?

This will disable for all (including Root Admin)

In sometime I'll let you know how to enable for Root admin. Will test it and update it here.

Thanks.

Re: Qlik Sense security rule problem

agigliotti — Thu, 06 Apr 2017 15:44:17 GMT

it's already disabled.

Re: Qlik Sense security rule problem

Gysbert_Wassenaar — Thu, 06 Apr 2017 16:36:03 GMT

Use the Audit page to show which rules are granting which rights to whom on what object. See this video for details: Auditing security - Qlik Sense 2.1 - YouTube

Re: Qlik Sense security rule problem

MK9885 — Thu, 06 Apr 2017 18:27:03 GMT

I think as you disable the Default CreateObject rule it should disable editing for all users.

If that's not happening then I'm not sure why?

Can you make sure the rule is disabled?

Re: Qlik Sense security rule problem

agigliotti — Fri, 07 Apr 2017 07:59:56 GMT

As you can see below I disabled the rule

but all users are still able to create new objects for the published app!!!???

Re: Qlik Sense security rule problem

agigliotti — Fri, 07 Apr 2017 08:03:20 GMT

if you see here I expected to be unable to create (C) objects for this user and app.

or i'm wrong ???

Re: Qlik Sense security rule problem

agigliotti — Mon, 10 Apr 2017 07:21:01 GMT

definitely I'm going to create a new case on support portal to fix this issue.

Re: Qlik Sense security rule problem

agigliotti — Tue, 11 Apr 2017 14:24:13 GMT

good news for Qlik and for customers of course!

after some try I understand the rule actually it's working as expected, because the user is not able to create app objects even if the button ex. (create new sheet) is shown.

what's happening is the user create a new sheet, but after page refreshed the sheet created disappear in according with the security rule associated.

i think Qlik should improve this behavior hiding the corresponding HTML element.

i hope it's clear.

Re: Qlik Sense security rule problem

Anonymous — Wed, 07 Jun 2017 10:44:25 GMT

Hi Andrea,

I have wrote a rule to restrict the duplication of sheets but only after refreshing the page the created sheet disappear.

So I want to disable the edit button when the user using Qlik sense. How to achieve this ?

Re: Qlik Sense security rule problem

agigliotti — Wed, 07 Jun 2017 12:46:02 GMT

Hi Nivetha,

I'm sorry but i can't help you on this topic because nobody asked me to do it.

Please let me know if you find something about this request.

Andrea

Re: Qlik Sense security rule problem

MK9885 — Wed, 07 Jun 2017 13:19:25 GMT

Disable the CreateAppObjectsPublishedApp rule in Security Rules.

this will disable the Edit option for users

Note: this will disable for all users.

If you like to enable for few users then you'd have to write new rule with App Object* as filter in Rules

!resource.App.stream.Empty() and

resource.app.@SecurityApp="YOURAPPNAMEHERE" and

resource.name!="YOURSHEETNAMEHERE" and

and

(user.name!="ADDYOURUSER2HERE")

the above rule is advance level and this will enable EDIT for only 2 users and only for 1 Sheet.

Re: Qlik Sense security rule problem

agigliotti — Fri, 25 Aug 2017 14:47:27 GMT

in version June 2017 Patch 1 the button "create new sheet" is no more visible according to the security rule policy.

the UI improvement finally has been done.

Re: Qlik Sense security rule problem

Fri, 22 Sep 2017 14:28:50 GMT

Hello Andrea,

You condition indicated. Is correct ??

Please help me. Thanks

adding the below condition :

and (user.group="role_dev" or user.group="role_ext")

---

Re: Qlik Sense security rule problem

Anonymous — Mon, 18 Dec 2017 06:07:25 GMT

Hello All

I really need help on this one!!

In my environment, there are 5 users.. who have the same access. But somehow two of them able to create the sheet however others do not have access to create the sheet

The "CreateAppObjectPublished" rule is not disabled.

Please help me in this.. I am really confused in this

Regards

Re: Qlik Sense security rule problem

agigliotti — Mon, 18 Dec 2017 08:37:26 GMT

as gwassenaar‌ said above first check what is going on using Audit.

There you'll find the reason why.