topic Re: Qlik Sense App Level Security Issue in App Development

Qlik Sense App Level Security Issue

bwisealiahmad — Tue, 30 Oct 2018 17:15:34 GMT

Hi,

I am trying to make some security on app level based on Active Directory groups.

I have followed this dockument and this works fine. The users can now see the apps they are supposed to based on a value from Active Directory.

What is the problem now that I have some developers who should be able to see everything, as if there is no App Level Security.

Can I combine this in some way?

users ABC have security based on active directory

and XYZ have security based on lets say a tag or custom property I give them that lets them see everything?

Thanks for any suggestions.

Best,

Ali A

Re: Qlik Sense App Level Security Issue

Gysbert_Wassenaar — Tue, 30 Oct 2018 17:27:10 GMT

Are the developers members of a Developers AD group? Then modify the exception rule:

((user.group = resource.@AppLevelMgmt) OR (user.group = 'Developers' ))

Re: Qlik Sense App Level Security Issue

bwisealiahmad — Tue, 30 Oct 2018 17:30:00 GMT

No, they are not and I was considering that, but I am trying to do it based on a custom property I set on the users in Qlik.

Is that possible? I found another default rule in Qlik Sense where I could add their names and that seems to make it work, but still trying to understand this.

Best,

Ali A

Re: Qlik Sense App Level Security Issue

Gysbert_Wassenaar — Tue, 30 Oct 2018 17:36:58 GMT

Custom properties will work too, but you'll have to add the custom property manually to each user that's a developer. You could for example create a custom property named UserRole with a value Developer. Assign the developer users that value Developer. Then adapt the exception rule to ((user.group = resource.@AppLevelMgmt) OR (user.@UserRole = 'Developer'))

Re: Qlik Sense App Level Security Issue

bwisealiahmad — Wed, 31 Oct 2018 23:15:54 GMT

Hi,

So I adapted it from:

((user.group=resource.@AppLevelManagement))

((user.group = resource.@AppLevelMgmt) or (user.@UserRole = 'Developer'))

and got this:

Tried to change to this:

((user.group = resource.@AppLevelMgmt) or (user.@UserRole = "Developer"))

Which made it valid, but I still can't see License Monitor or Operation Overview App which I should since I have user specified stream access to this:

Could it be the Custom Stream Rule that is doing this?

(resource.resourcetype = "App" and resource.stream.HasPrivilege("read") and resource.@AppLevelMgmt.empty()) or ((resource.resourcetype = "App.Object" and resource.published ="true") and resource.app.stream.HasPrivilege("read"))

Thanks for helping out!

Best,

Ali A

Re: Qlik Sense App Level Security Issue

Gysbert_Wassenaar — Thu, 01 Nov 2018 11:55:30 GMT

That rule in the screenshot has nothing to do with it. Rules can only grant access, not take access away. Did you create the UserRole custom property and assign the value Developer to your developer users?

Re: Qlik Sense App Level Security Issue

bwisealiahmad — Thu, 01 Nov 2018 12:42:37 GMT

Ok.

Yes I did, but didn't make any difference 😕

Best,

Ali A

Re: Qlik Sense App Level Security Issue

MK9885 — Thu, 01 Nov 2018 17:22:42 GMT

Not an expert in this but...few questions and suggestions.

Is user dev_aah a root admin?

A. Create custom property based on app & User (Just the app custom property would not work)

B. Tag that property to app you like to restrict

C. Disable your default Stream rule

D. Create a new rule

(resource.stream.HasPrivilege("read") and (user.@AppLevelMgmt=resource.@AppLevelMgmt))

I think this should work

E. Check if your root admin has access to Monitoring apps w/o creating a new rule? If he doesn't then create a new rule for Monitoring Stream

((user.roles="RootAdmin")) << if the user is root admin he/she can see that stream.

Test out with resource filter as 'App' only instead of 'App_*'

* would mean all the apps.