topic Re: Security rule for reloading app without edit rights in Management & Governance

Security rule for reloading app without edit rights

cpfefferkorn — Wed, 29 Jan 2025 16:31:11 GMT

Hello community,

I am struggeling right now to define a correct security rule for my costumers.
They should be allowed to reload an app without the permission to edit/delete it.

For testing purpose I created a new security rule and tried it with the ready only rights.
The User is allowed to see: App, App Objects, Stream, Tasks and Users. I have created the following security rule:

Security rules overview

Resource Filter : QmcSection_App, QmcSection_ReloadTask, QmcSection_Task, QmcSection_App.Object,QmcSection_Stream,QmcSection_User,App_*, ReloadTask_*,App.Object_*,Stream_*,User_*

My problem is now, the user can see the tasks from QMC, but can't reload it. As soon as the user starts the reload task the following error message appears:

error occurred

I tried to modify the security rule: If I enable the function "Update" in Actions, the task is starting but now the user can also edit it.

How can I set the security rule that the user can only start the tasks but without having the edit option for it?

Re: Security rule for reloading app without edit rights

Or — Mon, 05 Dec 2022 13:39:58 GMT

Your user needs to have a Professional license for this (or no license at all, but it can't be an Analyzer license).

I'm not entirely sure, but I think you will need to grant read access to the tasks (ReloadTask_*) and tasks section (QmcSection_Task), and update to the app itself (QMC only, so the user can't actually do any harm since they don't have access to the Apps section in QMC). I'm not entirely sure about the last part but I do think it's necessary.

Re: Security rule for reloading app without edit rights

cpfefferkorn — Mon, 12 Dec 2022 08:41:53 GMT

Hello Or,

thanks for your advice.
As far as I know it is not important to give the user a license. At least it tested it without any license and it did not change my results.

I tried several options and made some additional testing.
In my opinion the best option is to do it as you adviced. I also wanted to give the user the right to view some additional sections like user, stream and app objects (only in QMC):

Create a security rule to Read/Update all Apps (App_*)
Create another security rules for only Reading the QmcSections (QmcSection_Task,ReloadTask_*,QmcSection_App.Object,QmcSection_Stream,QmcSection_User,ExecutionResult*,ExecutionSession*,App.Object_*,Stream_*,User_*)

Re: Security rule for reloading app without edit rights

RadovanOresky — Mon, 12 Dec 2022 09:17:34 GMT

Hi, you could use Inphinity Flow (or Forms) extension, that allows also Analyzer users to trigger a reload task.

https://youtu.be/ajkAGj8OvoY?t=108

Re: Security rule for reloading app without edit rights

Or — Mon, 12 Dec 2022 10:48:28 GMT

As per my original post, the user needs either a professional license, or no license. You just can't use this on someone with an Analyzer license. Quirky, but that was the case last time I checked, anyway.

Insofar as giving users more sections in QMC, just keep in mind that you need to avoid giving them anything where those update permissions on the app might result in the ability to edit things you didn't plan for.