topic Re: Security Rule to allow users to reload published apps in Management & Governance

Security Rule to allow users to reload published apps

lucienorrin — Wed, 05 Jul 2017 17:49:32 GMT

I am trying to get a reload button working for Sense v3.2, I tried the following:

http://branch.qlik.com/#!/project/56728f52d1e497241ae69836

Create Reload button with Qlik Sense 3.0 - YouTube

Both work great for the app OWNER.

However we have a need to allow users to reload the app on demand.

After configuring the security rules according to the documentation, users still get an access denied error on reload with an incomplete visualization on the sheet.

Has anyone successfully been able to grant users permissions to reload published apps?

Re: Security Rule to allow users to reload published apps

BalaBhaskar_Qlik — Wed, 05 Jul 2017 18:49:48 GMT

Action : Create, Read, Update, Publish

After the app is published, set up a reload Task in the QMC to reload the app on schedule.

Re: Security Rule to allow users to reload published apps

lucienorrin — Wed, 05 Jul 2017 19:00:28 GMT

We know how to schedule reloads.

I specifically asked how to grant users the ability to reload the app on demand, not on a schedule.

Re: Security Rule to allow users to reload published apps

marcos — Tue, 18 Jul 2017 12:53:57 GMT

I was testing the new version of ReloadButton extension too with same problem than you.

I could solve it by making a little change in Security Rule proposed at documentation:

Resource filter:

App_*,App.Object_*

Conditions

(((resource.resourcetype="App" and resource.stream.name="Everyone") or (resource.resourcetype="App.Object" and resource.app.stream.name="Everyone" and resource.objectType = "app_appscript")))

Context

Both in hub and QMC

Actions

Read,Update

See the text remarks at Resource filter, Conditions and Actions.

Re: Security Rule to allow users to reload published apps

axl_raioam — Wed, 19 Jul 2017 21:08:34 GMT

Edit: The issue was that the load script tried to access content that the user didn't have access to. When that was removed, it ran perfectly.

I am unable to let non-owner users reload using this method. My Security Rule parameters are:

Resource filter:

App_*,App.Object_*

Conditions:

((resource.resourcetype="App" and resource.stream.name="Test") or (resource.resourcetype="App.Object" and resource.app.stream.name="Test" and resource.objectType="app_appscript"))

Context:

Both in hub and QMC

Actions:

Read, Update

Re: Security Rule to allow users to reload published apps

lucienorrin — Tue, 01 Aug 2017 18:43:53 GMT

Thanks for the feedback!

Using the rules shown I can get the button to work, but limited to apps within the stream named in the rule.

I need to allow any user to reload any app in any stream they can 'read'.

The following rule doesn't work:

Resource filter:

App*

Conditions:

(resource.stream.HasPrivilege("read"))

Context:

Both in hub and QMC

Actions:

Read, Update

Wouldn't this rule apply to all objects within a stream the user can read?

Thanks!

Re: Security Rule to allow users to reload published apps

marcos — Wed, 02 Aug 2017 07:04:17 GMT

I think the change you need in the rule is something like this:

Resource filter:

App_*,App.Object_*

Conditions

(((resource.resourcetype="App" and resource.stream.HasPrivilege("read")) or

(resource.resourcetype="App.Object" and resource.app.stream.HasPrivilege("read") and resource.objectType = "app_appscript")))

Context

Both in hub and QMC

Actions

Read,Update

Re: Security Rule to allow users to reload published apps

lucienorrin — Wed, 02 Aug 2017 14:20:33 GMT

Marcus,

Thank you! That works perfect.

I went back through my notes and I had tried that combination but had mistakenly added "=" after the second HasPrivilege. I wish I would have caught that a week ago. Oh well, it works now.

Is there a functional difference using "App*" vs "App_*,App.Object_*"?

Re: Security Rule to allow users to reload published apps

marcos — Thu, 03 Aug 2017 08:14:05 GMT

"App*" is wider than the other options.

"App*" is for all resources types beginning with "App".

"App_*" is for all resources of the type "App"

"App.Object_*" is for all resources of the type "App.Object"

See https://help.qlik.com/en-US/sense/June2017/Subsystems/ManagementConsole/Content/rules-resource-filter-advanced-view.htm

In this case, you can use at resource filter section the option "App*" or even only "App_*". "App.Object_*" is not necessary in this case and so, the users could not modify the script.

Re: Security Rule to allow users to reload published apps

nakamurasatc — Mon, 07 Aug 2017 01:11:39 GMT

Hi, Marcos.

Thank you for the solution.

Just to make sure, is it for not Sense Desktop but Sense Desktop?

I mean the Reload extension doesn't work on Desktop June2017.

Thank you,

Satoshi

Re: Security Rule to allow users to reload published apps

Fri, 08 Sep 2017 06:59:33 GMT

Hi Marcos,

What is the solution to make this work on QSense Desktop Version June 2017? Can you please guide us with the steps?

Thanks!

Kanchana

Re: Security Rule to allow users to reload published apps

marcos — Mon, 11 Sep 2017 07:18:12 GMT

Sorry nakamurasatc‌ and kanchanads‌ for the delay to answer you.

This solution doesn't work on desktop versión, because there aren't Security Rules in this.

I didn't test the extension on this versión of Sense Desktop, so i don't know if there is any problem with it

On Sense Desktop, users have full access to all parts of App, so the problem has to be another.

Re: Security Rule to allow users to reload published apps

Thu, 12 Oct 2017 12:01:13 GMT

This works perfectly for me but other users get "reload failed" error. Have you an idea which could cause this? Other users got 'Access denied' error before the change in the security rule that you suggested above. So it seems that the other users have rights to do the reload but something happens.

Other users doesn't have admin rights. Qlik Sense version is 3.2 SR4.

Re: Security Rule to allow users to reload published apps

lucienorrin — Mon, 30 Oct 2017 14:15:15 GMT

Hello all,

I wanted to share my current rule. In hindsight it seems simple, but it took me a while to understand Qlik Sense rules enough to get this working.

Resource filter : App*

Actions : Read, Update

Conditions : ((resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) and (resource.@AppLevelMgmt.empty() or resource.@AppLevelMgmt=user.Group)) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))

Context : Only in hub

This rule is based on governed self service (GSS).

We replaced the default stream rule with this and use custom attributes to restrict specific apps to certain (AD) groups.

Checking "update" and removing "resource.objectType != "app_appscript"" from the GSS rule allows users to reload apps.

Re: Security Rule to allow users to reload published apps

sergiio_ot — Wed, 21 Feb 2018 11:49:12 GMT

Thanks for your answer. It has helped us a lot.

Note: Edited by Community Moderator to include English translation as a courtesy.

- - -

Gracias por tu respuesta. Nos ha ayudado mucho.

Re: Security Rule to allow users to reload published apps

sebastianolivar — Mon, 24 Dec 2018 15:15:55 GMT

i need your help...
where i need apply this rule?
i need create a new rule or only modificate a rule existent?

Re: Security Rule to allow users to reload published apps

gerald_lebret — Wed, 06 Mar 2019 13:42:08 GMT

Hello,

I am facing the same issue regarding the access.

I was wondering. Do you set a new rule in the reload button extension rule or do you do that from a specific stream?

Thank you.

Re: Security Rule to allow users to reload published apps

Anonymous — Mon, 01 Apr 2019 13:20:28 GMT

Hi,

I try your rule and it's OK, I use an extension to reload my application.

The problem is that the script is accessible to the user.

Do you know a solution to :

- Allow the reloading and saving of the application

- Hide the script to the user ?

Thanks,

Paul

Re: Security Rule to allow users to reload published apps

Anonymous — Mon, 01 Apr 2019 13:21:39 GMT

Hi,

I try your rule and it's OK, I use an extension to reload my application.

The problem is that the script is accessible to the user.

Do you know a solution to :

1/ Allow the reloading and saving of the application

2/ Hide the script to the user ?

Thanks,

Paul

Re: Security Rule to allow users to reload published apps

drjoffily — Tue, 05 Nov 2019 23:16:08 GMT

Hi Marcos,

I know it's a old post but what rule do I need to modify? Or, is this a new rule that I need to create? If it's a new rule, do I need to disable any of the default rules for the new one to work?

Thanks for your help.