topic Re: Engine API GetScript Empty in Integration, Extension & APIs

Engine API GetScript Empty

Necator — Mon, 06 Feb 2023 08:57:07 GMT

Hello,

I recently tried to get some App Scripts via the Engine API. But I noticed, I sometimes get empty scripts as result. After testing a little bit with the engine explorer I found Apps which I own, I can get the script of. Apps I don't own not, besides me being root admin. So my question is, is there any security rule I need to modify to also getScripts of Apps I do not own?

Best

Re: Engine API GetScript Empty

stefanstoichev123 — Mon, 06 Feb 2023 12:04:27 GMT

As far as i know there is only one default security rule that is related to the app scripts. The rule name is "Stream".

( resource.resourcetype = "App" and resource.stream.HasPrivilege("read") ) or ( ( resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel" ) and resource.app.stream.HasPrivilege("read") )

In the second part of the rule there is and resource.objectType != "loadmodel" part. This part governs the script availability.

WARNING: this is a base rule. Modifying it have consequences that affect all users of the system!

Stefan

Re: Engine API GetScript Empty

Necator — Mon, 06 Feb 2023 12:18:34 GMT

Thanks for the info Stefan,

is there any other way to grant rootAdmin access to all scripts? It kinda feels weird, that a role called rootAdmin, doesn't have all privilges per default?

Re: Engine API GetScript Empty

stefanstoichev123 — Mon, 06 Feb 2023 12:29:39 GMT

You can try and add additional rule explicitly "targeting" specific user(s) and the script. Its a bit of a trial and error (imo) with security rules. But in general security rules are "permissive". Which means that if there are 2 security rules applied in the current case and one of them returns "true" and the other one "false" then the result will be "true"

If you check the context of the "RootAdmin" security rule you'll see that it is "QMC". Which means that RootAdmin have meaning only in QMC and such users have full control but only in QMC. In the Hub RootAdmin privileges have no meaning and you'll have to have a rule with Hub context that specifies the script (being a Hub "entity") permissions. (Such as the "Stream" security rule or another).

Stefan

Re: Engine API GetScript Empty

rwunderlich — Tue, 07 Feb 2023 00:13:07 GMT

It may also be possible to utilize the QMC context rule by including the header

X-Qlik-Security: Context=ManagementAccess;

https://help.qlik.com/en-US/sense-developer/November2022/Subsystems/ProxyServiceAPI/Content/Sense_ProxyServiceAPI/ProxyServiceAPI-Injected-Req-Headers-X-Qlik-Security.htm

-Rob

Re: Engine API GetScript Empty

Necator — Tue, 07 Feb 2023 08:23:34 GMT

Hi Rob,

is there a specific QMC Context Security rule or are you talking about something different ?

Best

Re: Engine API GetScript Empty

rwunderlich — Tue, 07 Feb 2023 17:35:04 GMT

What Context=ManagementAccess does is apply the Security Context of "Only in QMC". Same as using the dropdown in QMC Audit.

Or in a Security Rule Def:

-Rob