https://community.qlik.com/t5/Official-Support-Articles/Hierarchical-relationships-in-Security-Rules-for-Qlik-Sense/ta-p/1711781 <P>Inside of Qlik Sense, user access is proscribed by the security rules which are configured in the deployment. When designing a security rule framework, it is important to understand the hierarchical relationships between different resource filters in order to ensure that the rule performs as intended.</P> <P>&nbsp;</P> <P>Streams &gt; Apps &gt; App.Objects</P> <P><IMG src="https://qlik.my.salesforce.com/servlet/servlet.ImageServer?id=015D0000005Fpr0&amp;oid=00D20000000IGPX&amp;lastMod=1518440224000" border="0" alt="User-added image" /><BR /><BR />As illustrated above. Apps are in Streams. This means that you can use inheritance to cascade the intended action from the action assigned at the Stream level. This is used in this portion of the default&nbsp;<STRONG>Stream</STRONG>&nbsp;security rule:</P> <PRE>(resource.resourcetype = "App" and resource.stream.HasPrivilege("read"))</PRE> <P>The meaning of this condition is that the action will be applied to Apps where the user has read rights to the stream.<BR /><BR />The same hierarchy exists in Apps &lt;&gt; App.Objects. App.Objects belong to apps and thus you can inherit rights from the App or Stream level. This is used in this portion of the default&nbsp;<STRONG>Stream</STRONG>&nbsp;security rule:</P> <PRE>((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))</PRE> <P>The meaning of this condition is that the action will be applied to an App's Objects where the object is (a) published and (b) not an app_appscript or loadmodel type of App.Object when the user has read rights on the stream.</P> <P>Apps &gt; Tasks</P> <P><IMG src="https://qlik.my.salesforce.com/servlet/servlet.ImageServer?id=015D0000005be9Q&amp;oid=00D20000000IGPX&amp;lastMod=1529345596000" border="0" alt="User-added image" /><BR /><BR />As illustrated above, Tasks are applied to Apps.&nbsp;This means that you can use inheritance to cascade the intended action from the action assigned at the App level. For example:</P> <PRE>Filter: ReloadTask* Action: Read, Update, Delete Condition: ((user.name="TaskAdmin"))and (resource.App.HasPrivilege("read"))</PRE> <P>In this rule, the user with the name TaskAdmin is able to read / update / delete all tasks which are associated with Apps which they already have Read rights to.</P> <UL> <LI><STRONG>Note:&nbsp;</STRONG>As of Qlik Sense April 2018, there is no logical relationship between tasks and triggers. So an administrator cannot use inheritance for this resource type.</LI> </UL> Thu, 11 Nov 2021 15:17:06 GMT Andre_Sostizzo 2021-11-11T15:17:06Z https://community.qlik.com/t5/Official-Support-Articles/Hierarchical-relationships-in-Security-Rules-for-Qlik-Sense/ta-p/1711781 <P>Inside of Qlik Sense, user access is proscribed by the security rules which are configured in the deployment. When designing a security rule framework, it is important to understand the hierarchical relationships between different resource filters in order to ensure that the rule performs as intended.</P> <P>&nbsp;</P> <P>Streams &gt; Apps &gt; App.Objects</P> <P><IMG src="https://qlik.my.salesforce.com/servlet/servlet.ImageServer?id=015D0000005Fpr0&amp;oid=00D20000000IGPX&amp;lastMod=1518440224000" border="0" alt="User-added image" /><BR /><BR />As illustrated above. Apps are in Streams. This means that you can use inheritance to cascade the intended action from the action assigned at the Stream level. This is used in this portion of the default&nbsp;<STRONG>Stream</STRONG>&nbsp;security rule:</P> <PRE>(resource.resourcetype = "App" and resource.stream.HasPrivilege("read"))</PRE> <P>The meaning of this condition is that the action will be applied to Apps where the user has read rights to the stream.<BR /><BR />The same hierarchy exists in Apps &lt;&gt; App.Objects. App.Objects belong to apps and thus you can inherit rights from the App or Stream level. This is used in this portion of the default&nbsp;<STRONG>Stream</STRONG>&nbsp;security rule:</P> <PRE>((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))</PRE> <P>The meaning of this condition is that the action will be applied to an App's Objects where the object is (a) published and (b) not an app_appscript or loadmodel type of App.Object when the user has read rights on the stream.</P> <P>Apps &gt; Tasks</P> <P><IMG src="https://qlik.my.salesforce.com/servlet/servlet.ImageServer?id=015D0000005be9Q&amp;oid=00D20000000IGPX&amp;lastMod=1529345596000" border="0" alt="User-added image" /><BR /><BR />As illustrated above, Tasks are applied to Apps.&nbsp;This means that you can use inheritance to cascade the intended action from the action assigned at the App level. For example:</P> <PRE>Filter: ReloadTask* Action: Read, Update, Delete Condition: ((user.name="TaskAdmin"))and (resource.App.HasPrivilege("read"))</PRE> <P>In this rule, the user with the name TaskAdmin is able to read / update / delete all tasks which are associated with Apps which they already have Read rights to.</P> <UL> <LI><STRONG>Note:&nbsp;</STRONG>As of Qlik Sense April 2018, there is no logical relationship between tasks and triggers. So an administrator cannot use inheritance for this resource type.</LI> </UL> Thu, 11 Nov 2021 15:17:06 GMT https://community.qlik.com/t5/Official-Support-Articles/Hierarchical-relationships-in-Security-Rules-for-Qlik-Sense/ta-p/1711781 Andre_Sostizzo 2021-11-11T15:17:06Z