topic Re: Create App Security Rule in Management & Governance

Create App Security Rule

jpjust — Wed, 29 Jan 2025 16:38:32 GMT

Hi,

I have this createApp security rule in qliksense.

I have users with professional and Analyst license users. Does this rule allows both professional and Analyst users allows to create App?

Thanks

Re: Create App Security Rule

Levi_Turner — Fri, 11 Mar 2022 17:56:42 GMT

With the Professional / Analyzer based model, access control is first enforced by the license type then by security rules. So in your example, the analyzer users would not be able to create an app. The same goes for any other area where analyzer are restricted.

Re: Create App Security Rule

jpjust — Fri, 11 Mar 2022 18:31:23 GMT

Thanks Levi..

We have 5 users are root admin.

Out of that one user should not be able to modify existing connections. That user can create connections and edit connections that user has created.

Is it possible to create an admin with less privilege's than an root admin?

Thanks

Re: Create App Security Rule

Levi_Turner — Fri, 11 Mar 2022 19:51:57 GMT

Sure. The default roles (AuditAdmin, ContentAdmin, DeploymentAdmin, RootAdmin, SecurityAdmin) are just the defaults. You can enter any value in the rule for roles like so:

And now it's an option for a role:

It sounds like you're after a rule which is similar to ContentAdmin but only having read access to data connections.

Re: Create App Security Rule

jpjust — Fri, 11 Mar 2022 20:16:22 GMT

So here is my content admin security rule and resource filter

Stream_*,App*,ReloadTask_*,UserSyncTask_*,SchemaEvent_*,User*,CustomProperty*,Tag_*,DataConnection_*,CompositeEvent_*,Extension_*,ContentLibrary_*,FileExtension_*,FileExtensionWhiteList_*,SystemNotification_*

As long as I remove update and delete from the actions from the above content admin security rule and If I assign this content admin role to the admin user (remove root admin role) then that user won't be able to delete the existing connections? Does that work?

Thanks

Re: Create App Security Rule

Levi_Turner — Tue, 15 Mar 2022 12:53:06 GMT

Assuming that you want the users to be able to change / remove / etc all content except for modifying data connections, I would do the following:

Name: ContentAdmin2-Content Filters: Stream_*,App*,ReloadTask_*,ExternalProgramTask_*,UserSyncTask_*,SchemaEvent_*,User*,CustomProperty*,Tag_*,CompositeEvent_*,Extension_*,ContentLibrary_*,FileExtension_*,FileExtensionWhiteList_*,SystemNotification_* Actions: Create+Read+Update+Delete+Export+Publish+ChangeOwner+Duplicate+Approve Conditions: ((user.roles="ContentAdmin2")) Context: QMC Name: ContentAdmin2-DataConnections Filters: DataConnection_*, Actions: Create+Read Conditions: ((user.roles="ContentAdmin2")) Context: QMC Name: ContentAdmin2QmcSections Filters: License_*,TermsAcceptance_*,QmcSection_Stream,QmcSection_App,QmcSection_App.Object,QmcSection_AppDistributionStatus,QmcSection_CloudDistribution,QmcSection_DataConnection,QmcSection_Tag,QmcSection_User,QmcSection_CustomPropertyDefinition,QmcSection_Task,QmcSection_Event,QmcSection_SchemaEvent,QmcSection_CompositeEvent,QmcSection_Extension,QmcSection_ReloadTask,QmcSection_UserSyncTask,QmcSection_ContentLibrary,QmcSection_Audit,QmcSection_AnalyticConnection,QmcSection_SystemNotification,QmcSection_SystemNotificationPolicy,QmcSection_DeploymentSetup Actions: Read Conditions: ((user.roles="ContentAdmin2")) Context: QMC Name: ContentAdmin2RulesAccess Filters: SystemRule_* Actions: Create+Read+Update+Delete Conditions: user.roles = "ContentAdmin2" and (resource.category = "Security" and (resource.resourcefilter matches "Stream_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}" or resource.resourcefilter matches "DataConnection_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}" or resource.resourcefilter matches "ContentLibrary_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}" or resource.resourcefilter matches "Extension_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}") or (resource.category = "Generic" and resource.subcategory = "SystemNotification")) Context: QMC

Re: Create App Security Rule

jpjust — Wed, 23 Mar 2022 18:18:45 GMT

Thank you Levi so much,

I had default all the security rules except ContentAdmin-DataConnections

So I created that rule as well. Then I tested with some one as content admin and that person is able to edit and save existing connections. Can you please advice what might be wrong here?

Thanks