article Security Rule Example: Providing deployment admin role for a user for a specific stream only in Official Support Articles https://community.qlik.com/t5/Official-Support-Articles/Security-Rule-Example-Providing-deployment-admin-role-for-a-user/ta-p/1717080 <P>In this scenario, the administrator wants to create a Deployment Admin who has access to a single stream only.</P> <P>&nbsp;</P> <H4><STRONG><STRONG><STRONG>Resolution:</STRONG></STRONG></STRONG></H4> <P>&nbsp;</P> <P>Name: <STRONG>_DeploymentAdminAppAccess-SingleStream<BR /></STRONG>Description: Uses resources.stream.name to limit the scope of which apps are visible in the QMC<BR />Filter: App_*<BR />Actions: Read + Update<BR />Conditions: ((user.roles="DeploymentAdmin-single") and (resource.stream.name="Completed Code"))<BR />Context: Only in QMC</P> <P>It creates a new user role which is assigned to a given user and statically references a stream name. resource.stream.id is a more robust way of referencing a stream since the GUID does not change while the name can.</P> <P>&nbsp;</P> <P>Name:<STRONG> _DeploymentAdmin<BR /></STRONG>Description: Same as the default but with a different user.roles and we removed ReloadTask_* since it needs to be handled separately<BR />Filter: ServiceCluster_*,ServerNodeConfiguration_*,Engine*,Proxy*,VirtualProxy*,Repository*,Printing*,Scheduler*,User*,CustomProperty*,Tag_*,License*,TermsAcceptance_*,UserSyncTask_*,SchemaEvent_*,CompositeEvent_*<BR />Actions: Create + Read + Update + Delete<BR />Conditions: ((user.roles="DeploymentAdmin-single"))<BR />Context: Only in QMC</P> <P>&nbsp;</P> <P>Name: <STRONG>_DeploymentAdminQmcSections<BR /></STRONG>Description: Same as the default but with a different user.roles&nbsp;<BR />Filter: Actions: Read<BR />Conditions: ((user.roles="DeploymentAdmin-single"))<BR />Context: Only in QMC</P> <P>&nbsp;</P> <P>Name: <STRONG>_DeploymentAdminRulesAccess<BR /></STRONG>Description: Same as the default but with a different user.roles&nbsp;<BR />Filter: SystemRule_*<BR />Actions: Create + Read + Update + Delete<BR />Conditions: user.roles = "DeploymentAdmin-single" and (resource.category = "Sync" or resource.category = "License")<BR />Context: Only in QMC</P> <P>&nbsp;</P> <P>Name: <STRONG>_DeploymentAdmin-Reloads<BR /></STRONG>Description: Totally new rule where it inherits the ability to interact with tasks based on inheritance from App read rights<BR />Filter: &nbsp;ReloadTask_*<BR />Actions: Create + Read + Update + Delete<BR />Conditions: ((user.roles="DeploymentAdmin-single") and (resource.App.HasPrivilege("read")))<BR />Context: Only in QMC</P> <P><BR /><STRONG>Notes:</STRONG></P> <P>This isn't very scalable since it requires a specific role to be created for each stream. There are alternative approaches if you have user meta-data (e.g. user.group) which can be leveraged.</P> <P>&nbsp;</P> <P><EM>We in Qlik Support have virtually no scope when it comes to debugging or writing custom security rules for customers. That level of implementation advice needs to be handled by the folks in Professional Services or Presales. That being said, this example is provided for demonstration purposes to explain a specific scenario. No Support or maintenance is implied or provided. Further customization is expected to be necessary and it is the responsibility of the end administrator to test and implement an appropriate rule for their specific use case.</EM></P> Tue, 29 Sep 2020 09:10:10 GMT Andre_Sostizzo 2020-09-29T09:10:10Z Security Rule Example: Providing deployment admin role for a user for a specific stream only https://community.qlik.com/t5/Official-Support-Articles/Security-Rule-Example-Providing-deployment-admin-role-for-a-user/ta-p/1717080 <P>In this scenario, the administrator wants to create a Deployment Admin who has access to a single stream only.</P> <P>&nbsp;</P> <H4><STRONG><STRONG><STRONG>Resolution:</STRONG></STRONG></STRONG></H4> <P>&nbsp;</P> <P>Name: <STRONG>_DeploymentAdminAppAccess-SingleStream<BR /></STRONG>Description: Uses resources.stream.name to limit the scope of which apps are visible in the QMC<BR />Filter: App_*<BR />Actions: Read + Update<BR />Conditions: ((user.roles="DeploymentAdmin-single") and (resource.stream.name="Completed Code"))<BR />Context: Only in QMC</P> <P>It creates a new user role which is assigned to a given user and statically references a stream name. resource.stream.id is a more robust way of referencing a stream since the GUID does not change while the name can.</P> <P>&nbsp;</P> <P>Name:<STRONG> _DeploymentAdmin<BR /></STRONG>Description: Same as the default but with a different user.roles and we removed ReloadTask_* since it needs to be handled separately<BR />Filter: ServiceCluster_*,ServerNodeConfiguration_*,Engine*,Proxy*,VirtualProxy*,Repository*,Printing*,Scheduler*,User*,CustomProperty*,Tag_*,License*,TermsAcceptance_*,UserSyncTask_*,SchemaEvent_*,CompositeEvent_*<BR />Actions: Create + Read + Update + Delete<BR />Conditions: ((user.roles="DeploymentAdmin-single"))<BR />Context: Only in QMC</P> <P>&nbsp;</P> <P>Name: <STRONG>_DeploymentAdminQmcSections<BR /></STRONG>Description: Same as the default but with a different user.roles&nbsp;<BR />Filter: Actions: Read<BR />Conditions: ((user.roles="DeploymentAdmin-single"))<BR />Context: Only in QMC</P> <P>&nbsp;</P> <P>Name: <STRONG>_DeploymentAdminRulesAccess<BR /></STRONG>Description: Same as the default but with a different user.roles&nbsp;<BR />Filter: SystemRule_*<BR />Actions: Create + Read + Update + Delete<BR />Conditions: user.roles = "DeploymentAdmin-single" and (resource.category = "Sync" or resource.category = "License")<BR />Context: Only in QMC</P> <P>&nbsp;</P> <P>Name: <STRONG>_DeploymentAdmin-Reloads<BR /></STRONG>Description: Totally new rule where it inherits the ability to interact with tasks based on inheritance from App read rights<BR />Filter: &nbsp;ReloadTask_*<BR />Actions: Create + Read + Update + Delete<BR />Conditions: ((user.roles="DeploymentAdmin-single") and (resource.App.HasPrivilege("read")))<BR />Context: Only in QMC</P> <P><BR /><STRONG>Notes:</STRONG></P> <P>This isn't very scalable since it requires a specific role to be created for each stream. There are alternative approaches if you have user meta-data (e.g. user.group) which can be leveraged.</P> <P>&nbsp;</P> <P><EM>We in Qlik Support have virtually no scope when it comes to debugging or writing custom security rules for customers. That level of implementation advice needs to be handled by the folks in Professional Services or Presales. That being said, this example is provided for demonstration purposes to explain a specific scenario. No Support or maintenance is implied or provided. Further customization is expected to be necessary and it is the responsibility of the end administrator to test and implement an appropriate rule for their specific use case.</EM></P> Tue, 29 Sep 2020 09:10:10 GMT https://community.qlik.com/t5/Official-Support-Articles/Security-Rule-Example-Providing-deployment-admin-role-for-a-user/ta-p/1717080 Andre_Sostizzo 2020-09-29T09:10:10Z