topic On-Demand App Generation(ODAG) QlikSense possible security issue in App Development https://community.qlik.com/t5/App-Development/On-Demand-App-Generation-ODAG-QlikSense-possible-security-issue/m-p/1989303#M81764 <P>Hi All!</P> <P>I think we found a security problem using ODAG.</P> <P>We have a lot of corporative data connections, including to databases, with access controlled by security rules.</P> <P>But recently we found out an user that using ODAG can access a data connection wich he doesn't have permission, but as ODAG apps are generated through user service permissions (sa_api), he can execute queries against this data connection.</P> <P>The user from a business area, with professional license, generated an ODAG app originally created by the IT team that uses a database connection.&nbsp; The user can't&nbsp; access de connection directly, but through Script Editor he found the data connection name, created his ODAG apps and now he can use the "forbidden" database.</P> <P>&nbsp;</P> <P><SPAN>I haven't found a way to avoid this, other than disabling</SPAN> the On-Demand App Services in QMC.</P> <P>Are we missing something?</P> <P>Appreciate any help!</P> <P>&nbsp;</P> <P>Caiut</P> <P>&nbsp;</P> <P>ps: Qlik Enterprise, version november-2021</P> Wed, 12 Oct 2022 00:39:06 GMT Caiut 2022-10-12T00:39:06Z On-Demand App Generation(ODAG) QlikSense possible security issue https://community.qlik.com/t5/App-Development/On-Demand-App-Generation-ODAG-QlikSense-possible-security-issue/m-p/1989303#M81764 <P>Hi All!</P> <P>I think we found a security problem using ODAG.</P> <P>We have a lot of corporative data connections, including to databases, with access controlled by security rules.</P> <P>But recently we found out an user that using ODAG can access a data connection wich he doesn't have permission, but as ODAG apps are generated through user service permissions (sa_api), he can execute queries against this data connection.</P> <P>The user from a business area, with professional license, generated an ODAG app originally created by the IT team that uses a database connection.&nbsp; The user can't&nbsp; access de connection directly, but through Script Editor he found the data connection name, created his ODAG apps and now he can use the "forbidden" database.</P> <P>&nbsp;</P> <P><SPAN>I haven't found a way to avoid this, other than disabling</SPAN> the On-Demand App Services in QMC.</P> <P>Are we missing something?</P> <P>Appreciate any help!</P> <P>&nbsp;</P> <P>Caiut</P> <P>&nbsp;</P> <P>ps: Qlik Enterprise, version november-2021</P> Wed, 12 Oct 2022 00:39:06 GMT https://community.qlik.com/t5/App-Development/On-Demand-App-Generation-ODAG-QlikSense-possible-security-issue/m-p/1989303#M81764 Caiut 2022-10-12T00:39:06Z