Caiut
Contributor

On-Demand App Generation (ODAG) QlikSense possible security issue

Hi All!

I think we found a security problem using ODAG.

We have a lot of corporate data connections, including to databases, with access controlled by security rules.

But recently we found a user who, using ODAG, can access a data connection for which he doesn't have permission, but as ODAG apps are generated through user service permissions (sa_api), he can execute queries against this data connection.

The user, from a business area and with a professional license, generated an ODAG app originally created by the IT team that uses a database connection. The user can't access the connection directly, but through the Script Editor he found the data connection name, created his ODAG apps, and now he can use the "forbidden" database.

I haven't found a way to avoid this, other than disabling the On-Demand App Services in QMC.

Are we missing something?

Appreciate any help!

Caiut

PS: Qlik Enterprise, version November 2021
