Security rule that allows only setting/removing values for a custom property of users

hewemel1 — Fri, 20 Oct 2023 10:01:35 GMT

We use security rules that give users access to streams and apps based on a custom property 'access_class' on the users, steams, and apps: If, for this property, the values on a resource (stream or app) matches the values on the user (value intersection is not empty), access is granted. Only problem: There are many users, and the root admin is the only one who can set property values for them.

Thus, we would like to define a new admin role UserPropertyAdmin for admins who can only set/remove property values on the users - not the properties on other ressources, not other data of the user, and not defining/changing other existing or new properties (and optimally: setting/removing only values of the specific property 'access_class').

Has somebody a hint for me, how to correctly set the resource filter and resource conditions? Or a hint to some kind of documentation for resources 'around' custom properties that I can target in a security rule?

(I have already re-read the respective sections of the help for qlik sense for administrators, and the page Collection of Specific Rule Scenarios and Customization of Qlik)

Thanks in advance

Re: Security rule that allows only setting/removing values for a custom property of users

Alan_Slaughter — Fri, 11 Oct 2024 16:07:54 GMT

Hi Helmut, maybe this will help:

To define a custom security role with restricted permissions for managing user properties, you can follow these steps:

1. Create a new custom security role, for example "UserPropertyAdmin".
2. Grant this role the specific permissions needed to set and remove values for the "access_class" property on users.
3. Do not grant any additional permissions beyond managing the "access_class" property values for users.
4. Assign this "UserPropertyAdmin" role to the administrators who should have this restricted access.

This approach allows you to create a custom security role with the precise permissions needed, limiting administrators to only set or remove values for the specific "access_class" property on users. They will not have permissions to modify other user data or manage properties on other resources.

topic Security rule that allows only setting/removing values for a custom property of users in Management & Governance

Security rule that allows only setting/removing values for a custom property of users

Re: Security rule that allows only setting/removing values for a custom property of users