Re: Qlik Sense App Level Security Issue - Qlik Community

bwisealiahmad · ‎2018-10-30

Hi,

I am trying to make some security on app level based on Active Directory groups.

I have followed this dockument and this works fine. The users can now see the apps they are supposed to based on a value from Active Directory.

What is the problem now that I have some developers who should be able to see everything, as if there is no App Level Security.

Can I combine this in some way?

users ABC have security based on active directory

and XYZ have security based on lets say a tag or custom property I give them that lets them see everything?

Thanks for any suggestions.

Best,

Ali A

Gysbert_Wassenaar · ‎2018-10-30

Are the developers members of a Developers AD group? Then modify the exception rule:

((user.group = resource.@AppLevelMgmt) OR (user.group = 'Developers' ))

talk is cheap, supply exceeds demand

bwisealiahmad · ‎2018-10-30

No, they are not and I was considering that, but I am trying to do it based on a custom property I set on the users in Qlik.

Is that possible? I found another default rule in Qlik Sense where I could add their names and that seems to make it work, but still trying to understand this.

Best,

Ali A

Gysbert_Wassenaar · ‎2018-10-30

Custom properties will work too, but you'll have to add the custom property manually to each user that's a developer. You could for example create a custom property named UserRole with a value Developer. Assign the developer users that value Developer. Then adapt the exception rule to ((user.group = resource.@AppLevelMgmt) OR (user.@UserRole = 'Developer'))

talk is cheap, supply exceeds demand

bwisealiahmad · ‎2018-10-31

Hi,

So I adapted it from:

((user.group=resource.@AppLevelManagement))

to

((user.group = resource.@AppLevelMgmt) or (user.@UserRole = 'Developer'))

and got this:

Tried to change to this:

((user.group = resource.@AppLevelMgmt) or (user.@UserRole = "Developer"))

Which made it valid, but I still can't see License Monitor or Operation Overview App which I should since I have user specified stream access to this:

Could it be the Custom Stream Rule that is doing this?

(resource.resourcetype = "App" and resource.stream.HasPrivilege("read") and resource.@AppLevelMgmt.empty()) or ((resource.resourcetype = "App.Object" and resource.published ="true") and resource.app.stream.HasPrivilege("read"))

Thanks for helping out!

Best,

Ali A

Gysbert_Wassenaar · ‎2018-11-01

That rule in the screenshot has nothing to do with it. Rules can only grant access, not take access away. Did you create the UserRole custom property and assign the value Developer to your developer users?

talk is cheap, supply exceeds demand

bwisealiahmad · ‎2018-11-01

Ok.

Yes I did, but didn't make any difference 😕

Best,

Ali A

MK9885 · ‎2018-11-01

Not an expert in this but...few questions and suggestions.

Is user dev_aah a root admin?

A. Create custom property based on app & User (Just the app custom property would not work)

B. Tag that property to app you like to restrict

C. Disable your default Stream rule

D. Create a new rule

(resource.stream.HasPrivilege("read") and (user.@AppLevelMgmt=resource.@AppLevelMgmt))

I think this should work

E. Check if your root admin has access to Monitoring apps w/o creating a new rule? If he doesn't then create a new rule for Monitoring Stream

((user.roles="RootAdmin")) << if the user is root admin he/she can see that stream.

Test out with resource filter as 'App' only instead of 'App_*'

* would mean all the apps.