topic Re: How to handle access to data model viewer for published apps? in Management & Governance

How to handle access to data model viewer for published apps?

Vegar — Mon, 23 Jan 2023 13:20:27 GMT

I have a group of users with proffesional access allocation on a Qlik Sense on Windows environment.

When designing their own sheets and objects in a published application they would benifit from having read access to the data model viewer, but I am having problem granting them this access without granting them access to make edits in the published app. I have been looking at this support page Security Rule Example: How to show data model viewer for published apps by @Andre_Sostizzo , but need to get an deeper understaning on how to pinpoint just the data model viewer.

Do you guys know how to scoping down a security rule to just handle data model "object" of a Qlik Sense application?

This is how narrow I have managed to go. (I get the impression that the Data Model is considered a sheet):

Read Create and Update

using filter

(
(resource.resourcetype="App")
or
(resource.resourcetype="App.Object" and resource.objectType like "sheet")
)

Re: How to handle access to data model viewer for published apps?

NadiaB — Tue, 24 Jan 2023 15:13:11 GMT

Hi @Vegar

By any chance have you seen this already ?

https://community.qlik.com/t5/Official-Support-Articles/Security-Rule-Example-How-to-show-data-model-viewer-for/ta-p/1715232

Kind Regards.

Re: How to handle access to data model viewer for published apps?

Vegar — Tue, 24 Jan 2023 20:22:59 GMT

@NadiaB

I was linking to that post in my orignal post. As you see in the comments section of that article the solutions grants the users edit rights to parts of the published app such as the application name, description and the apps custom properties. That is a big no-no in my case.

With my posting I was hoping for help on narrowing down the scope of my security rule to the data model section only or at least eliminate the possibility for the users to make edits to the app/app properties. Do you have any security rules experts in your support team that help us with this? I assume this is an interresting problem to get solved for more than me.

Re: How to handle access to data model viewer for published apps?

NadiaB — Tue, 24 Jan 2023 20:29:40 GMT

Hi @Vegar

The documentation about resources and conditions available are in our site:

https://help.qlik.com/en-US/sense-admin/November2022/Subsystems/DeployAdministerQSE/Content/Sense_DeployAdminister/QSEoW/Administer_QSEoW/Managing_QSEoW/available-resource-filters.htm

https://help.qlik.com/en-US/sense-admin/November2022/Subsystems/DeployAdministerQSE/Content/Sense_DeployAdminister/QSEoW/Administer_QSEoW/Managing_QSEoW/available-resource-conditions.htm

It is suggested to look at objectype "loadmodel" described in the resources condition and and remove privileges as needed, I believe there are other posts around this topic, is just each one might be looking for something specific on a rule so the best way to go probably would be design from scratch.

Hope it helps.

Re: How to handle access to data model viewer for published apps?

QFabian — Tue, 24 Jan 2023 20:43:37 GMT

@Vegar , since that data model does not change often, i just would take a screenshot and put it as an library image, then show it in a text box, with some fields descriptions and relations

Re: How to handle access to data model viewer for published apps?

Vegar — Tue, 24 Jan 2023 20:58:47 GMT

@QFabian Thanks for the suggestion. I actually found my self giving the same advice to another user in a couple of years old community post.

If there is no other way to do it then I might do this for the most important self service applications, but shere is more to the datamodel page than just the relationship diagrams. So I would prefere to find a solution.

---------

@NadiaB

I am not sure about the objectype "loadmodel", I get the impression that it is referring to the load script and not the data model. As support for this I find this article Security Rule Example: Allow access toData Load Editor on an app that is using "loadmodel". However, if you can confirm that the datamodel is in fact reffered to as objecttype="loadmodel" I will pursue that path and investigate further.

Re: How to handle access to data model viewer for published apps?

QFabian — Tue, 24 Jan 2023 21:09:15 GMT

@Vegar hope that that security rule works!

Re: How to handle access to data model viewer for published apps?

ThijsDeBruijnEscuLine — Tue, 08 Aug 2023 13:49:47 GMT

@Vegar did you get this to work in the end?

Re: How to handle access to data model viewer for published apps?

Vegar — Tue, 08 Aug 2023 20:22:34 GMT

@ThijsDeBruijnEscuLine unfortunately no. WE Where not able to pinpoint just this feature without opening up for more privileges than was acceptable.

Re: How to handle access to data model viewer for published apps?

mbespartochnyy — Thu, 10 Aug 2023 20:56:23 GMT

I ran into the same issue. I did bunch of tests and confirmed that the object type "LoadModel" is not a data model.

In fact, the data model is not part of App.Object_* resource at all. It is part of App_* resource. (I believe App_* and App.Object_* resources are different but I'm not 100% sure on that.)

Furthermore, visibility into data model is not controlled by Read action but instead by Update action.

I did a simple test to confirm this.

1. Give a user with Professional license (Mikhail in this example) access to specific app.

2. Publish app to stream Everyone.
3. Disable any rule that gives access to app objects, namely the Stream rule.
4. Ensure that app owner is not the user (not Mikhail) that has been given access to the app.
5. Have the user (Mikhail) that has been given access to the app open the app and try accessing the data model.

With only Read and Update access to App_dcd544f3-e330-4c71-af52-eeeb1988914b resource, the user (Mikhail) was able to see the data model:

As expected, the user was not able to see any of the sheets, bookmarks, or stories within the app:

Updating the security rule to only give read permission to the app:

Resulted in loss of user's ability see the data model:

Summary

Data model is part of App_* resource and not App.Object_* resource.
In order for a user to view data model in a published app that user needs to be given Update permissions to an App resource.
If the default Stream security rule was meant to prevent users from seeing the data model in a published app, then that rule is broken as it doesn't actually prevent users from seeing data model in a published app when a user is given update permissions to a published app.
1. I've confirmed this by enabling Stream security rule and giving user update permission to a published app. The user was still able to see the data model.

This feels like a bug. It makes sense for data model to be part of App.Object_* resource of object type LoadModel, but evidently it is not.

Test Environment

This test was done on a brand new install of Qlik Sense Enterprise on Windows environment with no security rules other than the built-in Default and Read-Only security rules and the one custom rule that was created (step 1 above) to give user access to the app.