topic Re: Security rule for creating ReloadTask with a schedule trigger in Management & Governance

Security rule for creating ReloadTask with a schedule trigger

vegard_bakke — Sat, 16 Nov 2024 00:55:32 GMT

Hi!

We have several departments that shall not see each other streams or apps.

Each department has a PowerUser that is allowed to run and create reload tasks for apps in their own stream.

We've got most working. The PowerUser can create the task, and for their own apps only. BUT, when creating the Trigger, I get the error message: 'The operation failed due to insufficient privileges'.

(Failing on: POST https://qlik.company.com/dev/qrs/ReloadTask/update)

The same POST works a litte earlier, but with a different content. 'schemaEvents' is empty, and 'task' has content.

The setup

The developers get publish access to their stream, with a SAML attribute (similar to an AD-group).

One PowerUser get a Qlik Role 'PowerUser'.

What have we done?

In addition to the QMC rule: Resouree: 'QMCSection_App, QMCSection_Task', Condition: ((user.roles="PowerUser"))
We created the security rule:

Resource: ReloadTask_*,SchemaEvent*
Action: Create, Read, Update, Delete
Condition:

   ((user.roles="PowerUser"
   and resource.app.stream.HasPrivilege("publish")
   ))

Context: QMC Only

I think maybe it is the 'resource.app.stream.HasPrivilege("publish")' that breaks the rule, when we are saving the task trigger (the SchemaEvent ? ). Is seems to be working when saving the reload task itself.

But what is inside the 'resource' object, when 'resource.resourcetype' is "SchemaEvent"?

The GitHub - levi-turner/Qonnections2018-Rules is great for existing examples. But I cannot find any resources telling me the hierarchy within the 'resource'.

A very similar rule works very well for letting the PowerUser delete, import, export app, that the normal developers can only publish: Condition: ((user.roles="PowerUser" and resource.stream.HasPrivilege("publish")))

Any nice xmas helpers out there...? 🎅

(PS This is a double post, since I initially posted in the QlikView forum. I've closed that thread.)

Re: Security rule for creating ReloadTask with a schedule trigger

Levi_Turner — Mon, 21 Dec 2020 17:01:48 GMT

I guess I'd have two thoughts about the issue.

1. As far as the relationships, it can be a bit difficult to suss this out without calling the underlying QRS APIs. But if you were to call /qrs/schemaevent/full you would not see the associated app. Compare this to something like /qrs/app/object/full where you have the app (and its stream) exposed. Suffice it to say, triggers have no logical relationship to apps. So inheritance across that demarcation isn't going to be possible.

2. As far as building this rule, I'd honestly break out the read / update / delete rights from the create right. The rationale here is that something cannot fulfill the condition (e.g. the task cannot belong to an app which is in a stream which the user has Publish rights to before it exists).

For (2), are you after only allowing users to create tasks to apps where they have publish rights on the stream?

Re: Security rule for creating ReloadTask with a schedule trigger

vegard_bakke — Tue, 29 Dec 2020 08:49:57 GMT

As far as the relationships, it can be a bit difficult to suss this out without calling the underlying QRS APIs.

I agree. Would be nice if you could drop the Qlik documentation team a hint about this. The examples they provide are good, but only as long as you are doing something similar to the examples. (Then again, having just documentation about the details, without the examples, is equally difficult. So I'll have the cake and eat it too, please... : )

Suffice it to say, triggers have no logical relationship to apps. So inheritance across that demarcation isn't going to be possible.

I was afraid that might be the case.

I'll try playing around with the QRS API. At least that is the basis for what I can use in the security rules conditions. 🙂

As a Plan B, I could consider giving PowerUsers full access to any SchemaEvent. It's a small and limited number of PowerUsers. And as long as the users don't see all schemaevents, only those that belong to the tasks that I have managed the access restrictions. I'm willing to accept that as good-enough, in this scenario.

Schema events and Composite events

Reading Event Triggers I see that I probably need to allow for CompositeEvents as well. Do they behave any differently from Schema Eents (in this context)?

Basically, we would like to allow PowerUsers to create triggers to tasks. (Didn't realize that Qlik treated "event triggers" and "scheduled triggers" as two different object types and separate rules.)

2. As far as building this rule, I'd honestly break out the read / update / delete rights from the create right.

I see your point. I'll do that, and keep that in mind for the future.

Thank you! 🙂

Re: Security rule for creating ReloadTask with a schedule trigger

vegard_bakke — Tue, 29 Dec 2020 10:30:55 GMT

For (2), are you after only allowing users to create tasks to apps where they have publish rights on the stream?

Yes. That is correct.

I opted for plan B, allowing all PowerUsers to see and edit all task triggers. (It is not avaiable through the UI, only through the API directly, and strictly no sensitive information may be revealed. They may cause havoc, but in my case, that is an acceptable risk.)

For anyone in a similar situation. I had to create 4 security rules to

To allow a PowerUser to create a task, from the /qmc/tasks page

Resource: ReloadTask_*
Actions: Create, Read, Update, Delete
Condition: ((user.roles="PowerUser"))

(They can see all apps, but cannot press 'Apply' if user is missing Publish to the selected app .)

Allow a PowerUser to only see and update tasks connected to apps where he/she has Pubilsh rights.

Resource: ReloadTask_*
Actions: Read, Update, Delete
Condition: ((user.roles="PowerUser" and resource.app.stream.HasPrivilege("publish")))

Allow a PowerUser to create and edit ALL task triggers.
(Don't do this yourself before you can verify that this is an acceptable security glitch.)

Resource: SchemaEvent_*,CompositeEvent_*
Actions: Create, Read, Update, Delete
Condition: ((user.roles="PowerUser"))

Allow the PowerUser to refresh the tasks table

Resource: ExecutionResult*,ExecutionSession*
Actions: Read
Condition: ((user.roles="PowerUser"))

PS! I also found an article listing the content of the resource 'app' and 'task':
https://support.qlik.com/articles/000076134

Re: Security rule for creating ReloadTask with a schedule trigger

BuTbka — Wed, 29 Jun 2022 14:37:13 GMT

Hi!
I'm trying to get this rule work:

Resource: SchemaEvent_*,CompositeEvent_*
Actions: Create, Read, Update, Delete
Condition: resource.reloadTask.HasPrivilege("update")

What I'm doing wrong?

Using Qlik-Cli-Windows cmdlet with Get-QlikRelations command I get:

CompositeEvent.externalProgramTask > ExternalProgramTask CompositeEvent.operational > CompositeEventOperational CompositeEvent.reloadTask > ReloadTask CompositeEvent.userSyncTask > UserSyncTask CompositeEvent.Rule.externalProgramTask > ExternalProgramTask CompositeEvent.Rule.operational > CompositeEventRuleOperational CompositeEvent.Rule.reloadTask > ReloadTask CompositeEvent.Rule.userSyncTask > UserSyncTask SchemaEvent.externalProgramTask > ExternalProgramTask SchemaEvent.operational > SchemaEventOperational SchemaEvent.reloadTask > ReloadTask SchemaEvent.userSyncTask > UserSyncTask

With REST API/qrs/schemaevent/full I also see that schemaevent and compositeevent linked to reloadTask.