topic Re: Hide apps based on app name in a stream in Management & Governance

Hide apps based on app name in a stream

J_Sprengers — Wed, 07 Jun 2023 13:43:37 GMT

Hi,

We have security set on stream level (custom properties) and not on app level. As a result users who have access to a stream can see all apps within that stream. This also means that these users can see, in case of ODAG -- with or without section access -- also the generated apps of all users.

We would like to create a security rule to allow users with access to the stream to see all apps BUT for the ODAG generated ones only the ones created by user itself.

To give an example:

Stream A with following apps:

demo1
demo2
demo_odag
demo_odag_template
demo_odag_template_<domain>-userID1
demo_odag_template_<domain>-userID2

So all users with access to the stream should be able to see:

demo1
demo2
demo_odag
demo_odag_template

UserID1 should additionally also see "demo_odag_template_<domain>-userID1" but not the one from UserID2

UserID2 should additionally also see "demo_odag_template_<domain>-userID2" but not the one from UserID1

UserID3 should not see either "demo_odag_template_<domain>-userID1" nor "demo_odag_template_<domain>-userID2"

Does anyone have a security rule suggestion on this since the ODAG apps are generated at runtime?

Re: Hide apps based on app name in a stream

Or — Wed, 07 Jun 2023 13:46:52 GMT

No suggestion for security rules, but ODAG by default places the generated apps in the user's Work space rather than in a stream. It sounds like that might be what you want to do?

Re: Hide apps based on app name in a stream

J_Sprengers — Wed, 07 Jun 2023 13:53:14 GMT

Hi,

That is indeed correct. I forgot to mention this.

We have a multi node (D/A/P) configuration where the WORK is only available in in the D(evelopment) node, whereas the A(cceptance) & P(ublished) are basically only read-only nodes. For ODAG the generated apps are therefor placed in the stream itself and not in the WORK.

The question for the security also applies on another purpose where we want to hide (technical / data model) apps from end users as well in the P(ublished) node.

Re: Hide apps based on app name in a stream

Or — Wed, 07 Jun 2023 13:59:26 GMT

I'm not entirely sure if this would work, but perhaps you could have the generated apps saved to a separate stream that's specifically intended for this purpose, and for that stream all apps are not shown by default, and a security rule allows access only in cases where the app name is like *username? Security rules with exclusions tend to be tricky, but this approach works around that.

Otherwise, perhaps someone else who is more knowledgeable than I am about security rules can help with getting it done without an extra stream.

Re: Hide apps based on app name in a stream

J_Sprengers — Tue, 27 Jun 2023 10:03:27 GMT

Hi,

We solved the issue by duplicating the default Stream security rule and created a customized one to replace it.

BEFORE:

(resource.resourcetype = "App" and resource.stream.HasPrivilege("read"))
or ((resource.resourcetype = "App.Object" and resource.published ="true"
and resource.objectType != "app_appscript" and resource.objectType != "loadmodel")
and resource.app.stream.HasPrivilege("read"))

AFTER:

(
(resource.resourcetype = "App" and resource.stream.HasPrivilege("read"))
or ((resource.resourcetype = "App.Object" and resource.published ="true"
and resource.objectType != "app_appscript" and resource.objectType != "loadmodel")
and resource.app.stream.HasPrivilege("read") ))

and (!(resource.name like "*<domain>*")
)