topic Re: Hide sheet for Mobile users / Browser in Management & Governance

Hide sheet for Mobile users / Browser

erichshiino — Sat, 16 Nov 2024 06:06:00 GMT

Hi, I'd like to hide a sheet inside an app when the user is on a mobile browser.

I was able to create a security rule to identify user Operating System (environment.os ) and user device, for instance, when it's an Ipad or iPhone (environment.device)

**I still need to isolate users on Android on Tablets from the ones on smartphones.

Reference:

https://help.qlik.com/en-US/sense/February2019/Subsystems/ManagementConsole/Content/Sense_QMC/rules-conditions-advanced-view.htm

Re: Hide sheet for Mobile users / Browser

Giuseppe_Novello — Wed, 10 Apr 2019 17:53:22 GMT

Check this one, maybe this could help:
https://deviceatlas.com/blog/list-of-user-agent-strings

Gio

Re: Hide sheet for Mobile users / Browser

erichshiino — Wed, 10 Apr 2019 17:56:30 GMT

Hi, I tried to use environment.browser like "*Mobile*" and it didn't work.

Based on the online help, I understand that qlik only returns Browser name and version.

Erich

Re: Hide sheet for Mobile users / Browser

Giuseppe_Novello — Wed, 10 Apr 2019 18:03:15 GMT

Interesting, it should take that, let me go ahead and replicate it, If I do bug it with R&D.

Gio

Re: Hide sheet for Mobile users / Browser

erichshiino — Wed, 10 Apr 2019 23:57:20 GMT

Hi,

Please, Keep me informed of the progress

Best Regards,

ERich

Re: Hide sheet for Mobile users / Browser

Levi_Turner — Thu, 11 Apr 2019 16:45:07 GMT

There is a high degree of difficulty here. From first principles, Qlik Sense was designed to be mobile ready by using responsive design in the front end UI. So it doesn't make much sense to restrict mobile users. That being said, this is confirmed to be working on my Qlik Sense February 2019 Patch 1 deployment.

Initial Configuration:

You will need to enable Extended security environment for any virtual proxy which will be used (QMC > Virtual Proxies > Edit > Advanced):
I would strongly encourage enabling DEBUG level logging for the proxy/proxies you are using for the Audit log level in order to confirm what is being sent by your mobile clients:

Application Configuration:

You will need to add an element to the sheet to signal that you want to exclude it. In this example, I am using descriptions like so:

Security Rule Configuration:

You will need to disable the default rule named Stream
- This rule inherits read rights to all the Apps in a stream as well as the App.Objects (sheets, stories, etc) in an app from read rights from the Stream
Rebuild the Stream rule to exclude the sheets which have the descriptions. Example:
- Filter: App*
- Actions: Read + Publish
- Conditions: (resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read") and !(resource.description like "*Mobile*"))
- Context: Both Hub and QMC
- Note: the last clause, !(resource.description like "*Mobile*"), will mean that users who can see the objects from inheritance from the stream will not be able to see objects (practically only sheets will fit this restriction) which have a description including Mobile.
Create a new rule to provide access to the "Mobile" sheets based on the environment of the user:
- Filter: App.Object_*
- Actions: Read + Publish
- Conditions: (((resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read") and resource.description like "*Mobile*") and user.environment.os != "Linux")
- Context: Both QMC and Hub
- Note: I am using user.environment.os and scoping it to Linux to capture my Android device. You will want to confirm the elements which you can use in rules in the newly DEBUG Proxy > Trace > Audit log (this will be covered a bit more below)

Result:

Chrome Desktop:

iPhone:

Android:

Debugging notes:

I will say that these rules work for me, but you will need to confirm things precisely in your environment. Copying and pasting the rules may work, but may not. This style of deployment will require you to look into the logs mentioned above to confirm elements.

For example here are the Message column entries for the devices I tested (bolded elements are apt to be used in a rule):

iPhone: Headers that will be injected: [X-Qlik-Security, OS=Mac OS X; Device=iPhone; Browser=Safari 12.1; IP=::ffff:192.168.1.66; ClientOsVersion=Unknown; SecureRequest=false; Context=AppAccess; ] ...

Desktop: Headers that will be injected: [X-Qlik-Security, OS=Windows; Device=Default; Browser=Chrome 73.0.3683.103; IP=::ffff:192.168.1.71; ClientOsVersion=10.0; SecureRequest=false; Context=AppAccess; ]...

Android: Headers that will be injected: [X-Qlik-Security, OS=Linux; Device=Default; Browser=Chrome 73.0.3683.90; IP=::ffff:192.168.1.99; ClientOsVersion=Unknown; SecureRequest=false; Context=AppAccess; ]...

Once you have these details from the devices that you want to show the sheet to, then you can use them to fuel a security rule.

Re: Hide sheet for Mobile users / Browser

Giuseppe_Novello — Fri, 12 Apr 2019 12:00:58 GMT

BTW I ask @Levi_Turner on this one, since is waaaaayy smarter than me on security rules. Thanks Levi!

Gio

Re: Hide sheet for Mobile users / Browser

RenzoH — Thu, 23 Jul 2020 19:30:05 GMT

Hi @Levi_Turner,

Thank you for your explanation, it really is very helpful! Right now I'm using "environment.os!=Windows" to see if the user is using a mobile device, and is working so far because everyone in the organization uses Windows, but if someone starts using a Macbook or a Linux computer then this rule will not work as intended.

I found this article: https://support.qlik.com/articles/000097034 and it says that the user-agent string contains information like QlikSenseMobile for iOS devices or Android, but I cannot find the attribute to match it with. Is there a way to use this information in the security rule?