topic Re: Security rule - Sheet in Management & Governance

Security rule - Sheet

wallace0834 — Wed, 29 Jan 2025 17:03:10 GMT

At our company, we have a owner of sheet that is unpublished. He would like to shared this unpublish sheet to four employees. How would I write a security rule to accomplish this task as a Qlik Administrator?

I will provide an example of the security rule that I have already written; however, it provide more access to custom sheet other than just the one sheet.

((resource.id="0b4f3249-1c55-4ecc-959a-e06366939b10" and resource.App.HasPrivilege("read") and resource.objectType="sheet" and resource.published ="false" or user.name="John Doe" or user.name="John Doe2" or user.name="John Doe3"))

Re: Security rule - Sheet

jwjackso — Thu, 22 Apr 2021 19:25:47 GMT

Try this

(((resource.id="0b4f3249-1c55-4ecc-959a-e06366939b10" and resource.App.HasPrivilege("read") and resource.objectType="sheet" and resource.published ="false") and (user.name="John Doe" or user.name="John Doe2" or user.name="John Doe3")))

I thing having or user.name="John Doe" or user.name="John Doe2" or user.name="John Doe3" meant that the the first half had to be true or any of those users had to be true.

Re: Security rule - Sheet

wallace0834 — Fri, 23 Apr 2021 15:38:17 GMT

Thank you. After I wrote this security rule, John Doe, John Doe2 could see more unpublished sheet other than one sheet. Would you have a better idea on how to write this security just to share one unpublisheet for a couple individuals?

Re: Security rule - Sheet

jwjackso — Fri, 23 Apr 2021 18:45:19 GMT

What is the "Resource filter", Actions and Conditions of the security rule?

You can Audit the users to see which rules provide access to the App Objects.

Re: Security rule - Sheet

wallace0834 — Fri, 23 Apr 2021 20:34:59 GMT

Ok. I think I have somewhat figured it out. Our organization uses roles. Everyone who has Consumer role can only see the one unpublish sheet while employee who have a Contributor role see all of the unpublish sheets from the owner of this app. We do not want the Contributor, but to see only one unpublish sheet and not more. Is there way to add to the existing security rule to exclude only them being able to see that one sheet?

You have been extremely helpful.

Re: Security rule - Sheet

jwjackso — Fri, 23 Apr 2021 22:03:48 GMT

You may be experiencing the same thing that we encountered when we implemented Custom Properties. We initially had a property ADGroup that had developer (contributer) and user (consumer). When we tested the security rules we found that if you were a developer for stream1 and were a consumer for stream2, you were able to develop in both streams. The rules appeared to use OR instead of AND when evaluating access to the stream/applications.

We had to create two custom properties, ADGroup that granted access to streams/apps and Developer that identified you as a developer(contributer). This was the only way we could get the rule to perform AND logic.