topic Re: Security on Load Data- Dev and Prod on same cluster in Management & Governance

Security on Load Data- Dev and Prod on same cluster

jpjust — Tue, 25 May 2021 20:23:16 GMT

All,

I have my environment like this and trying n to tighten the security. Please let me know how to achieve this?

I have Dev and Prod on cluster.

Prod Link : https://qlik.url.com/hub/my/work ->I can see few apps under my work. I am also able to edit the script and run the script which hits the Prod node- Ultimately I should not be able to see the "work" folder OR I should not be able to run the script.

Dev Link : https://devqlik.url.com/hub/my/work -> I can see the same set of apps under my work. I am able to edit the script and run the script which hits the Dev node which is fine.

I really want to restrict anyone not to run script when they are in Prod node. How can I achieve this type of security?

Thanks

Re: Security on Load Data- Dev and Prod on same cluster

Bastien_Laugiero — Wed, 26 May 2021 06:32:12 GMT

Hello @jpjust,

This really depend on how your environment looks like but here is a scenario with 3 nodes that would allow you to achieve the described outcome. Hope this will help you applying something similar in your environment.

Environment:

QlikServer1: Central node - Act as a Qlik Sense Proxy

QlikServer2: Rim node - Act as a Qlik Sense Engine and configured as DEV Purpose in the QMC

QlikServer3: Rim node - Act as a Qlik Sense Engine and configured as PROD Purpose in the QMC

Configuration:

VirtualProxy1 with prefix "dev" is configured to load balance to QlikServer2
VirtualProxy2 with prefix "prod" is configured to load balance to QlikServer3
LoadBalancing rule ResourcesOnNonCentralNodes is disabled

Now you will need to created two addition LoadBalancing rule

Load Balancing Rule 1 (for dev):
- Resource filter: App_*
- Conditions: ((node.nodePurpose="Development"))
Load Balancing Rule 2 (for prod)
- Resource filter: App_*
- Conditions: ((node.nodePurpose="Production" and !resource.stream.Empty()))

With this scenario, "My work" will not appear when pointing to the prod virtual proxy and no unpublished application will be available on the prod engine.

Hope this helps!

Re: Security on Load Data- Dev and Prod on same cluster

jpjust — Wed, 26 May 2021 13:29:38 GMT

Thanks Bastien. Really appreciate it. I will try it out.

I have attached my environment here. Based upon my environment, do you suggest any changes from what you have outlined above?

I would like to have this same security implemented for root admin as well.

Thanks

Re: Security on Load Data- Dev and Prod on same cluster

Bastien_Laugiero — Wed, 26 May 2021 14:10:32 GMT

It is difficult to say only based on this screenshot.

The one tip that I can give you is to not use the Central node engine in the Production Virtual Proxy (In the load balancing section)

The central node has the particularity to have access to every app and there is nothing that can be configured to prevent that.

Finally the scenario I have presented will also apply to root admin yes.

Re: Security on Load Data- Dev and Prod on same cluster

jpjust — Wed, 26 May 2021 14:19:13 GMT

Ok Thanks Bastien. I will give it a go.

Re: Security on Load Data- Dev and Prod on same cluster

Bastien_Laugiero — Wed, 26 May 2021 14:22:18 GMT

Let us know how it goes and if you need additional help along the way.

Re: Security on Load Data- Dev and Prod on same cluster

jpjust — Fri, 11 Jun 2021 17:17:20 GMT

Hi Bastien - I implemented that rule. Then all the apps from Dev stream (Logged to dev url ) vanished including tre apps on my work folder.

No change in Prod url, every stream and the apps are visible including my work folder.

If you need any information from my environment, please let me know.