article Security Rule Example: Allow access to Data Load Editor on an app in Official Support Articles

Security Rule Example: Allow access to Data Load Editor on an app

Andre_Sostizzo — Thu, 11 Nov 2021 14:48:43 GMT

We in Qlik Support have virtually no scope when it comes to debugging or writing custom security rules for customers. That level of implementation advice needs to be handled by the folks in Professional Services or Presales. That being said, this example is provided for demonstration purposes to explain a specific scenario. No Support or maintenance is implied or provided. Further customization is expected to be necessary and it is the responsibility of the end administrator to test and implement an appropriate rule for their specific use case. For access to more tips and tricks, best practices, and ever-evolving creative solutions, we recommend joining us in our active Qlik Community.

In this scenario, the administrator wants to grant access to the Data Load Editor on a series of apps which the user or set of users already have read rights to.

Setup:

Name: _DLEUserAccess
Description / Explanation: This rule will grant update rights to an application based on the inherited Read rights provided elsewhere. Update rights to an app are necessary to see the Data Load Editor Option
Resource filter(s): App_*
Action(s): Update
Conditions: resource.resourcetype = "App" and resource.Stream.HasPrivilege("read") and (user.name="User2")
- Note: In this example we are using a statically defined user.name value. In a realistic scenario you would want to have a more robust user selection criteria (e.g. user.group="BI Developers" if there is group membership which selects the specific users which you want to target).
- Note2: This example assumes Authentication Setup is on Stream level -- the user is allowed to access all Apps under a Stream that he/she has "read" access on. Thus resource.Stream.HasPrivilege("read"). In a realistic scenario, depending on the exact Authentication setup, modification on this condition may be required.

Name: _ScriptUserAccess
Description / Explanation: This rule will grant read and update rights to specific app objects which scope to the load script of an app based on the inherited Read rights on the app provided elsewhere.
Resource filter(s): App.Object_*
Action(s): Read, Update
Conditions: ((resource.objectType="loadmodel" or resource.objectType="app_appscript")) and resource.app.HasPrivilege("read")
- Note: In this example we are using a statically defined user.name value. In a realistic scenario you would want to have a more robust user selection criteria (e.g. user.group="BI Developers" if there is group membership which selects the specific users which you want to target).

Sample with Screenshots:

Before applying above rules, User 2 has "Read" Access to the Stream where App "12345" is in. "12345" is owned by another user. So User 2 has no access to Data Load Editor:
Create the 1st rule, which grants "update" to User2 on App 12345:
At this point User2 still cannot access Script Editor of App 12345(Even though Data model viewer shows up):
Now create the 2nd rule:
Now, User2 has access to Data Load Editor(and Data Manager) of App 12345:

Re: Security Rule Example: Allow access to Data Load Editor on an app

sri_c003 — Mon, 29 Mar 2021 14:27:16 GMT

We tried using the above rules, but it does not show the Data Manager link to us - these rules did open up the Data Load Editor and Data Model.

Could you please help us with a rule to open the Data Manager.

Re: Security Rule Example: Allow access to Data Load Editor on an app

Roberto_Licciardello — Fri, 07 Oct 2022 11:43:52 GMT

Hi Andre,
sorry to bother you.

I'm not very good with this kind of setting. I have the reverse problem. I have a Professional user (I need to use the VixLib writeback features) and I would like to inhibit some possibilities (user XXX only):

1 Data Manager
2 Data Load Editor
3 Create new app (in hub)

Qalu is the syntax I should use?
Where can I find all the rules and functions to enable / disable?

Many thanks in advance!!!

Re: Security Rule Example: Allow access to Data Load Editor on an app

Sonja_Bauernfeind — Fri, 07 Oct 2022 14:06:36 GMT

Hello @Roberto_Licciardello

I recommend posting your query directly in our Qlik Sense Management forum to make use of the wider reach of our community and our active support engineers. When posting, include the symptoms of your issue, any error messages that you have seen, and what troubleshooting steps you've already taken. Feel free to refer back to this article as an example of what you tried.

All the best,
Sonja

Re: Security Rule Example: Allow access to Data Load Editor on an app

Narges — Tue, 13 Aug 2024 09:29:22 GMT

Hi,

Is that possible to grant only read access? Only see the script but not to be able to modify the script.