Hi @rubenmarin ,

Thanks for the suggestion.  However, there is no Section Access in this  app.   Also, as mentioned, the owner of the app can see all visualizations without a problem.  I have set up three users for this test.  The only difference between the users is that they have different values in the "TipoUsuario" property (one is "FINAL"  and the other two "EXEC"), but this sheet that I am showing in the image does not contain the pattern "ACCESO RESTRINGIDO" in its name - so, it should be visible to anyone. 

I have verified that the EXEC user can see the sheet with its name containing the pattern, but the FINAL user can not.  However, when the user with the "EXEC" property opens the sheet with "ACCESO RESTRINGIDO", all the visualizations in this sheet display the same error of "Incomplete Visualization".

As  far as I know, access to the visualizations in a sheet can not be controlled via security rules, the sheet is the minimum level of granularity for this purpose, but I might be wrong on this.

So, as far as I can tell, the only difference is the security rule. 

Cheers,

++José

Hi @rubenmarin ,

Thanks for staying engaged.  No, I can not select values in the selection box with the title "Año", but I can select values in "Región Geográfica".  However, I now know why.  I changed a few things around (changed the license to one of the test users who had Analyzer license to Professional), and then I used that user to create a duplicate of the sheet and other visualizations. 

It turns out that neither the master Dimensions nor Measures  defined in the app are available.  "Región Geográfica" is a field - it hasn't been defined as a Dimension; so I can see its values and select them, but "Año", "Mes" y "Día" are Dimensions.  If you take a look at the Measure used in the visualization at the bottom of the sheet below, you will also see that it is missing.  Also, adding a new chart and selecting Dimensions or Measures will not display any of the master Dimensions or Measures.

Disabling the modified "Stream" security rule and enabling the default rule, brings everything back to normal, as can be seen below for the same user:

Do you have any ideas of why this is happening?  The security rule only changed who can see sheets.

Cheers,

++José

Thanks for the suggestion!  That did it!

So here is the new rule that substitutes the default Stream rule:

(resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or
((resource.resourcetype = "App.Object" and
resource.published ="true" and
(resource.objectType != "sheet" or
(resource.objectType = "sheet" and !(resource.name like "*...___..."))) and
resource.objectType != "app_appscript" and
resource.objectType != "loadmodel") and
resource.app.stream.HasPrivilege("read"))

This rule will let pass every sheet whose name does not matches "*...---..." (or whatever character stream is desired).

I also moved the user type consideration outside the general Stream rule, so that this can be done on a per-sheet basis using a new rule based on the OID of the sheet.  In our case, where the OID of the test sheet ending in "*...---..."  is 005b3c83-5ece-46df-b06e-129a6fcf85b7, the new rule would work for a Resource filter = App.Object_005b3c83-5ece-46df-b06e-129a6fcf85b7 and would have the following Condition (user.@TipoUsuario="EXEC")

Thank you very much for your assistance!

Cheers,

++José