Direct access to sheet objects for mashup without access to App
I'm trying to achieve something with the Security Rules but so far i had no luck at all. Let me describe the scenario here:
I have one App, lets call it "App1"
This App1 has multiple sheets, charts, etc
I have a mashup that reads objects from the App1 app
I have a user called "UserApp" that should be restricted to only see the data that the mashup makes available
The problem is the following:
In order for UserApp to have access to the App1 sheets and objects, i have to setup a security rule giving UserApp read access to the whole App1 app.
Once the user has read access to the whole app, he will see the app in the corresponding stream under the hub, so he can freely navigate through the data, manually checking every sheet he has access to, changing the filters, etc.
What i need is that this particular user can access the data, but only through the provided mashup, and even if the user navigates to the hub, he is not allowed to freely explore the app.
I've been trying this with multiple approaches but so far, no success:
Trying to hide the app from the hub: so far the only way i found is to remove the read access from the user, but once that is done, the user cannot see anything in the mashup
Trying to give direct access to the app's objects: by writing a security rule, i can give direct access from the user to the app's objects, without giving read access to the app itself, and in the QMC Audit looks like the user has read access to the objects, but once i test out the access to the sheet itself, or through the mashup, once more no data is presented.
Is there any other way to achieve this?
The bottom line is that i need to restrict the user to only explore the data through a controlled mashup environment. The user must not be allowed to freely explore it using Qlik Sense interface.