topic Re: Streams Security rules in Management & Governance

Streams Security rules

dana — Sat, 16 Nov 2024 00:28:06 GMT

Hi People,

I have a couple of questions:

1. How can I limit a user to view in the hub only a specific stream?

2. I created a stream with Update for the user, but he still can't edit an app.

The rule is:

Thanks in advance!

Re: Streams Security rules

Bastien_Laugiero — Wed, 10 Mar 2021 14:06:12 GMT

Hello!

This question depends on how much security rules customization you have already made.

Security rules are only permissive and not forbidding. This means that your security rule can be affected by other permissive security rules set in your environment. So my below explanation will be based on a default environment with no custom security rules:

To limit a user to see only a particular stream you can create a rule like below

Filter: Stream_ID Action: Read Condition: User.name = "Username"

You will also need to disable or modify the default security rule called "StreamEveryone". This rule gives access to the stream "Everyone" to any authenticated user.

Regarding your second question, it depends what you are trying to edit. You are not supposed to edit the script or base sheet of a published application. However you should be able to create/modify personal sheets. By default, if you have read permission in a stream (like above) you have those permissions.

Hope this helps!

Re: Streams Security rules

dana — Wed, 10 Mar 2021 14:21:04 GMT

Hi Bastien,

re the 2nd question:

I realized that the specific user has an Analyzer license which is in a Quarantined status, and allocated a Professional license as well. Could that be the reason that the user cannot duplicate a sheet?

Thank you!

Re: Streams Security rules

Bastien_Laugiero — Wed, 10 Mar 2021 14:34:56 GMT

Hi,

So if the user has Professional license then it should be prioritized so I don't think this is the cause.

Here is a quick test you can perform.

Create a security rule with the following parameters:

Filter: App* Action: Read, Update, Create Condition: User.name = "Username"

Note: This is just for testing purposes to understand if the issue comes from the security rules or the type of license.

Re: Streams Security rules

dana — Wed, 10 Mar 2021 15:40:39 GMT

Hi Bastien,

Now it's working!

Can you explain the reason?

Thank You!

Re: Streams Security rules

dana — Thu, 11 Mar 2021 04:59:16 GMT

Hi Sebastian,

I would appreciate you kind help in defining a permanent solution.

Is the rule you suggested should be implemented as is or should I do something else in order not to impact other users?

Thank you!

Re: Streams Security rules

Bastien_Laugiero — Thu, 11 Mar 2021 07:20:50 GMT

Hi!

Thanks for the test and this confirms that the issue is related to custom security rules.

In a default system, the fact that you would give "Read" permission to a stream will automatically gives you rights to see any application within that stream and create any AppObject (sheet, chart,...)

This is handled by two security rules named: "Stream" and "CreateAppObjectsPublishedApp"

The fact that it does not work in your environment means that at least one of these security rule has been altered or disabled or removed.

Could you check these two rules and see if they have been customized or disabled (Feel free to attach a screenshot)?

By default they look like this:

Name: Stream Filter: App* Action: Read Condition: (resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read")) Context: Both in hub and QMC Name: CreateAppObjectsPublishedApp Filter: App.Object_* Action: Create Condition: !resource.App.stream.Empty() and resource.App.HasPrivilege("read") and (resource.objectType = "userstate" or resource.objectType = "sheet" or resource.objectType = "story" or resource.objectType = "bookmark" or resource.objectType = "snapshot" or resource.objectType = "embeddedsnapshot" or resource.objectType = "hiddenbookmark") and !user.IsAnonymous() Context: Only in hub

Re: Streams Security rules

dana — Thu, 11 Mar 2021 08:03:04 GMT

Hi Sebastien,

Thanks for you prompt reply.

Indeed, the Stream rule was modified (marked in red), whereas the CreateAppObjectsPublishedApp rule is the default one.

(resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read")and (resource.objectType != "sheet"))

How does it impact?

Thanks!

Re: Streams Security rules

Bastien_Laugiero — Thu, 11 Mar 2021 08:33:32 GMT

Hi,

Yes one will affect the other. Basically the rule "Stream" exclude the AppObject type "Sheet" and then as a result the security rule "CreateAppObjectsPublishedApp" does not apply specifically on AppObject type "Sheet".

To implement a proper solution, you may want to check internally with the person/team who implemented that change and understand what is the requirement / reason behind that.

Re: Streams Security rules

dana — Thu, 11 Mar 2021 09:03:59 GMT

Hi Sebastien,

I have modified the original rule you suggested, filtering a specific app, and it seems to be ok.

Any "side effects" I'm not aware of?

Thanks!

Re: Streams Security rules

Bastien_Laugiero — Thu, 11 Mar 2021 09:16:19 GMT

Hi,

This rule is very permissive (too permissive) and was just meant to confirm the issue was security rule related.

If you do not wish to restore the original rule "Stream" then I would suggest to at least disable the action "Create" and "Update" from the rule "PM-BI App Permissions". This should work since the rule "CreateAppObjectsPublishedApp" hasn't been changed.

Re: Streams Security rules

dana — Thu, 11 Mar 2021 12:18:15 GMT

Thank you very much, Bastien!