topic Re: Access to Stream by having an app with access in it in Management & Governance

Access to Stream by having an app with access in it

shaybitton — Sat, 16 Nov 2024 05:55:36 GMT

Hi,

Is it possible to get access to stream by having one ore more apps that the user have access to ?

it tried to implement the following rule, but it didn't work.

resource filter : Stream_*

action: read

condition :

resource.App.HasPrivilege("read")

can't see the different between my example and thwe in the video below for Reload Tasks

https://youtu.be/h5nBdt969XI?t=1577 (already at 26:17)

Thank in advance

Shay

Re: Access to Stream by having an app with access in it

jwjackso — Fri, 03 May 2019 22:05:51 GMT

How have you given read access to the application?

Re: Access to Stream by having an app with access in it

shaybitton — Sat, 04 May 2019 18:46:03 GMT

Iv'e Allocated the same Custom Propery to user and app and created a rule allows that.

Re: Access to Stream by having an app with access in it

jwjackso — Mon, 06 May 2019 18:20:25 GMT

In the tutorial, access to the stream is granted by testing if (user.group = resource.name) or (user.role=resource.name). Security is hierarchical, so I believe resrouce.App.HasPrivilege("read") is based on access to the stream.

If you wanted to grant access to the stream based on an app, you would need something like:

(resource.resourcetype="App" and !resource.@name.empty() and resource.@name = user.group)

basically see if the app custom property matches the user group. You would also need an exception when the apps do not have a resource.name assigned.

Re: Access to Stream by having an app with access in it

shaybitton — Mon, 06 May 2019 18:37:33 GMT

I know the hierarchical principal and that's why I wondered how it was possible.

In the tutorial the access has granted by user role but also an app read privilege, as in the image below.

correct me if i wrong, the resource in the condition refers to the ReloadTask.

Shay

Re: Access to Stream by having an app with access in it

jwjackso — Mon, 06 May 2019 18:56:30 GMT

If you have a stream security rule based on a custom property and the user matches that property, they will have access to the stream. This would grant them access to the applications in the stream unless you also add a custom property to the application and create a security rule to define access to the app. Once those 2 security rules are evaluated, then the reload task security rule can determine if the app has read privilege.

Below is what I have been testing:

SchedulerQMCTasksMenu(only users with scheduler custom property can see the Tasks menu in QMC):

Resource filter: QmcSection_Task,QmcSection_ReloadTask,QmcSection_Event,QmcSection_SchemaEvent,QmcSection_CompositeEvent

Actions: Read

Conditions:!user.IsAnonymous() and ((user.@UserType="Scheduler"))

Context: Only in QMC

Stream:

Resource filter: Stream_*

Actions: Read

Conditions:((resource.@ADGroup=user.@Developer))

Context: Only in QMC

ReloadTaskDefault (app does not have custom property assigned):

Resource filter:ReloadTask*,SchemaEvent*,CompositeEvent*,ExecutionResult*

Actions: Read,Update,Delete

Conditions:((user.@UserType="Scheduler"))
and
((resource.resourcetype="ReloadTask" and
resource.app.stream.@ADGroup=user.@Developer and
resource.app.@ADGroup.Empty())
or
(resource.resourcetype = "SchemaEvent"
or resource.resourcetype = "CompositeEvent"
))

Context: Only in QMC

ReloadTaskException (app has a custom property assigned):

Resource filter:ReloadTask*,SchemaEvent*,CompositeEvent*,ExecutionResult*

Actions: Read,Update,Delete

Conditons: ((user.@UserType="Scheduler"))
and
((resource.resourcetype="ReloadTask" and
resource.app.stream.@ADGroup=user.@Developer and
!resource.app.@ADGroup.Empty()
and resource.app.@ADGroup = user.@Developer)
or
(resource.resourcetype = "SchemaEvent"
or resource.resourcetype = "CompositeEvent"
))

Context: Only in QMC

I've only disabled the delivered Stream security rule.

Re: Access to Stream by having an app with access in it

Levi_Turner — Tue, 21 May 2019 12:56:14 GMT

Checking on this. I suspect not. I suspect it's a one-way hierarchy. I am also suspicious that the hierarchies are outlined in this API call (GET /qrs/about/api/relations). Example response from April 2019:

[ "App.owner > User", "App.stream > Stream", "App.tags > Tag", "AppAvailability.app > App", "AppAvailability.appDataSegment > App.DataSegment", "AppAvailability.serverNodeConfiguration > ServerNodeConfiguration", "App.Content.app > App", "App.Content.references > StaticContentReference", "App.Content.whiteList > FileExtensionWhiteList", "App.DataSegment.app > App", "App.DataSegment.file > FileReference", "App.DataSegment.owner > User", "App.Internal.app > App", "App.Internal.file > FileReference", "App.Object.app > App", "App.Object.file > FileReference", "App.Object.owner > User", "App.Object.tags > Tag", "AppSeedInfo.app > App", "AppStatus.app > App", "CompositeEvent.externalProgramTask > ExternalProgramTask", "CompositeEvent.operational > CompositeEventOperational", "CompositeEvent.reloadTask > ReloadTask", "CompositeEvent.userSyncTask > UserSyncTask", "CompositeEvent.Rule.externalProgramTask > ExternalProgramTask", "CompositeEvent.Rule.operational > CompositeEventRuleOperational", "CompositeEvent.Rule.reloadTask > ReloadTask", "CompositeEvent.Rule.userSyncTask > UserSyncTask", "ContentLibrary.owner > User", "ContentLibrary.references > StaticContentReference", "ContentLibrary.tags > Tag", "ContentLibrary.whiteList > FileExtensionWhiteList", "CustomPropertyValue.definition > CustomPropertyDefinition", "DataConnection.owner > User", "DataConnection.tags > Tag", "EngineService.serverNodeConfiguration > ServerNodeConfiguration", "EngineService.tags > Tag", "ExecutionResult.details > ExecutionResult.Detail", "ExecutionSession.app > App", "ExecutionSession.executingNode > SchedulerService", "ExecutionSession.executionResult > ExecutionResult", "ExecutionSession.externalProgramTask > ExternalProgramTask", "ExecutionSession.reloadTask > ReloadTask", "ExecutionSession.userSyncTask > UserSyncTask", "Extension.owner > User", "Extension.references > StaticContentReference", "Extension.tags > Tag", "Extension.whiteList > FileExtensionWhiteList", "ExternalProgramTask.operational > ExternalProgramTaskOperational", "ExternalProgramTask.qlikUser > User", "ExternalProgramTask.tags > Tag", "ExternalProgramTaskOperational.lastExecutionResult > ExecutionResult", "FileExtension.mimeType > MimeType", "FileExtensionWhiteList.fileExtensions > FileExtension", "License.AnalyzerAccessType.user > User", "License.AnalyzerAccessUsage.analyzerAccessType > License.AnalyzerAccessType", "License.AnalyzerTimeAccessUsage.analyzerTimeAccessType > License.AnalyzerTimeAccessType", "License.AnalyzerTimeAccessUsage.user > User", "License.LoginAccessUsage.loginAccessType > License.LoginAccessType", "License.LoginAccessUsage.user > User", "License.ProfessionalAccessType.user > User", "License.ProfessionalAccessUsage.professionalAccessType > License.ProfessionalAccessType", "License.UserAccessType.user > User", "License.UserAccessUsage.userAccessType > License.UserAccessType", "OdagEngineGroup.owner > User", "OdagLink.modelGroups > OdagModelGroup", "OdagLink.owner > User", "OdagLink.templateApp > App", "OdagLinkUsage.link > OdagLink", "OdagLinkUsage.selectionApp > App", "OdagModelGroup.owner > User", "OdagRequest.engineGroup > OdagEngineGroup", "OdagRequest.generatedApp > App", "OdagRequest.link > OdagLink", "OdagRequest.owner > User", "OdagService.Settings.anonymousProxyUser > User", "PrintingService.serverNodeConfiguration > ServerNodeConfiguration", "PrintingService.tags > Tag", "ProxyService.serverNodeConfiguration > ServerNodeConfiguration", "ProxyService.tags > Tag", "ProxyServiceCertificate.proxyService > ProxyService", "ProxyService.Settings.virtualProxies > VirtualProxyConfig", "ReloadTask.app > App", "ReloadTask.operational > ReloadTaskOperational", "ReloadTask.tags > Tag", "ReloadTaskOperational.lastExecutionResult > ExecutionResult", "RepositoryService.serverNodeConfiguration > ServerNodeConfiguration", "RepositoryService.tags > Tag", "SchedulerService.serverNodeConfiguration > ServerNodeConfiguration", "SchedulerService.tags > Tag", "SchemaEvent.externalProgramTask > ExternalProgramTask", "SchemaEvent.operational > SchemaEventOperational", "SchemaEvent.reloadTask > ReloadTask", "SchemaEvent.userSyncTask > UserSyncTask", "ServerNodeConfiguration.roles > ServerNodeRole", "ServerNodeConfiguration.serviceCluster > ServiceCluster", "ServerNodeConfiguration.tags > Tag", "ServerNodeHeartbeat.serverNodeConfiguration > ServerNodeConfiguration", "ServiceStatus.serverNodeConfiguration > ServerNodeConfiguration", "SharedContent.owner > User", "SharedContent.references > StaticContentReference", "SharedContent.tags > Tag", "SharedContent.whiteList > FileExtensionWhiteList", "StaticContentReference.files > FileReference", "Stream.owner > User", "Stream.tags > Tag", "SyncSession.serverNodeConfiguration > ServerNodeConfiguration", "SystemRule.tags > Tag", "TempContent.owner > User", "TermsAcceptance.user > User", "User.tags > Tag", "UserDirectory.tags > Tag", "UserSyncTask.operational > UserSyncTaskOperational", "UserSyncTask.tags > Tag", "UserSyncTask.userDirectory > UserDirectory", "UserSyncTaskOperational.lastExecutionResult > ExecutionResult", "VirtualProxyConfig.loadBalancingServerNodes > ServerNodeConfiguration", "VirtualProxyConfig.tags > Tag", "WebExtensionLibrary.owner > User", "WebExtensionLibrary.tags > Tag", "Widget.extensionType > WebExtensionType", "Widget.library > WebExtensionLibrary", "Widget.owner > User", "Widget.tags > Tag" ]