Skip to main content
Announcements
Global Transformation Awards! Applications are now open. Submit Entry
cancel
Showing results for 
Search instead for 
Did you mean: 
diagonjope
Partner - Creator III
Partner - Creator III

Some charts display OK but others show "Incomplete visualization" errors when using security rule to control sheet visibility...

Greetings!

I am using the following security rule as a substitute for the default "Stream" rule to control visibility of sheets with a pattern in their name ("ACCESO RESTRINGIDO") , so that they can only be seen by users with a particular value in a custom property ("EXEC"):

(resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or
((resource.resourcetype = "App.Object" and
resource.published ="true" and
(resource.objectType = "sheet" and ((user.@TipoUsuario="EXEC" and resource.name like "*ACCESO RESTRINGIDO*") or !(resource.name like "*ACCESO RESTRINGIDO*"))) and
resource.objectType != "app_appscript" and
resource.objectType != "loadmodel") and
resource.app.stream.HasPrivilege("read"))

The only difference with the default Stream rule is the condition for resource.objectType = "sheet".

Now, it seems that the rule works OK for controling the visibility of "sheet" objects meeting these conditions, because I can control the visibility of the sheets containing the pattern for users not in the EXEC group.  The problem is that none of the charts in the sheets with resource.name like "*ACCESO RESTRINGIDO*" show up.  Also, in the other sheets, some of the charts display OK, but others don't.  The App owner can see all sheets and charts perfectly.  Please see the images attached.

We are using QSEoW November 2020.

Any ideas on why this is happening?

Cheers,

++José

Labels (2)
1 Solution

Accepted Solutions
rubenmarin

Hi @diagonjope, I think I know what's happening, dimensions and measures are also app.objects, and the "and
(resource.objectType = "sheet" and ((user.@TipoUsuario="EXEC" and resource.name like "*ACCESO RESTRINGIDO*") or !(resource.name like "*ACCESO RESTRINGIDO*")))" will be restricting access.

I think you need to have the default rule adding a condition like and resource.objectType != "sheet", so all the object types like dimensions, measures, etc go with default rule, and add an or (resource.objectType = "sheet"...) with the conditions where the object type is a sheet to restrict access to only the objectType.

Not tested but it may be something like:

(resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or
((resource.resourcetype = "App.Object" and
(resource.objectType != "sheet" or (resource.objectType = "sheet" and ((user.@TipoUsuario="EXEC" and resource.name like "*ACCESO RESTRINGIDO*") or !(resource.name like "*ACCESO RESTRINGIDO*"))))
resource.published ="true" and
resource.objectType != "app_appscript" and
resource.objectType != "loadmodel") and
resource.app.stream.HasPrivilege("read"))

 

View solution in original post

6 Replies
rubenmarin

Hi @diagonjope, it looks like they don't have access to some data fields, I don't think it has something to do with security rules, if it's the same app this can be caused by section access restricting data to some users.

To check if the security rule is causing this behaviour you can add another rule that gives all access to some test user to confirm that having access it shows all objects and disabling this test rule the objects show as incomplete.

diagonjope
Partner - Creator III
Partner - Creator III
Author

Hi @rubenmarin ,

Thanks for the suggestion.  However, there is no Section Access in this  app.   Also, as mentioned, the owner of the app can see all visualizations without a problem.  I have set up three users for this test.  The only difference between the users is that they have different values in the "TipoUsuario" property (one is "FINAL"  and the other two "EXEC"), but this sheet that I am showing in the image does not contain the pattern "ACCESO RESTRINGIDO" in its name - so, it should be visible to anyone. 

I have verified that the EXEC user can see the sheet with its name containing the pattern, but the FINAL user can not.  However, when the user with the "EXEC" property opens the sheet with "ACCESO RESTRINGIDO", all the visualizations in this sheet display the same error of "Incomplete Visualization".

As  far as I know, access to the visualizations in a sheet can not be controlled via security rules, the sheet is the minimum level of granularity for this purpose, but I might be wrong on this.

So, as far as I can tell, the only difference is the security rule. 

Cheers,

++José

rubenmarin

Hi @diagonjope, as you say, the sheet is the minium level of granularity to apply security rules (so far I know), if there were extensions the objects can be affected by that, but those look as standard objects.

If you go to selections with the user thats displays "Incomplete Visualization" and try to select anything in the field Año... is this field available to make selections?

diagonjope
Partner - Creator III
Partner - Creator III
Author

Hi @rubenmarin ,

Thanks for staying engaged.  No, I can not select values in the selection box with the title "Año", but I can select values in "Región Geográfica".  However, I now know why.  I changed a few things around (changed the license to one of the test users who had Analyzer license to Professional), and then I used that user to create a duplicate of the sheet and other visualizations. 

It turns out that neither the master Dimensions nor Measures  defined in the app are available.  "Región Geográfica" is a field - it hasn't been defined as a Dimension; so I can see its values and select them, but "Año", "Mes" y "Día" are Dimensions.  If you take a look at the Measure used in the visualization at the bottom of the sheet below, you will also see that it is missing.  Also, adding a new chart and selecting Dimensions or Measures will not display any of the master Dimensions or Measures.

jdiaz_0-1612272402006.png

jdiaz_1-1612272845246.png

jdiaz_2-1612273202977.png

Disabling the modified "Stream" security rule and enabling the default rule, brings everything back to normal, as can be seen below for the same user:

jdiaz_3-1612273515982.png

Do you have any ideas of why this is happening?  The security rule only changed who can see sheets.

Cheers,

++José

rubenmarin

Hi @diagonjope, I think I know what's happening, dimensions and measures are also app.objects, and the "and
(resource.objectType = "sheet" and ((user.@TipoUsuario="EXEC" and resource.name like "*ACCESO RESTRINGIDO*") or !(resource.name like "*ACCESO RESTRINGIDO*")))" will be restricting access.

I think you need to have the default rule adding a condition like and resource.objectType != "sheet", so all the object types like dimensions, measures, etc go with default rule, and add an or (resource.objectType = "sheet"...) with the conditions where the object type is a sheet to restrict access to only the objectType.

Not tested but it may be something like:

(resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or
((resource.resourcetype = "App.Object" and
(resource.objectType != "sheet" or (resource.objectType = "sheet" and ((user.@TipoUsuario="EXEC" and resource.name like "*ACCESO RESTRINGIDO*") or !(resource.name like "*ACCESO RESTRINGIDO*"))))
resource.published ="true" and
resource.objectType != "app_appscript" and
resource.objectType != "loadmodel") and
resource.app.stream.HasPrivilege("read"))

 

diagonjope
Partner - Creator III
Partner - Creator III
Author

Thanks for the suggestion!  That did it!

So here is the new rule that substitutes the default Stream rule:

(resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or
((resource.resourcetype = "App.Object" and
resource.published ="true" and
(resource.objectType != "sheet" or
(resource.objectType = "sheet" and !(resource.name like "*...___..."))) and
resource.objectType != "app_appscript" and
resource.objectType != "loadmodel") and
resource.app.stream.HasPrivilege("read"))

This rule will let pass every sheet whose name does not matches "*...---..." (or whatever character stream is desired).

I also moved the user type consideration outside the general Stream rule, so that this can be done on a per-sheet basis using a new rule based on the OID of the sheet.  In our case, where the OID of the test sheet ending in "*...---..."  is 005b3c83-5ece-46df-b06e-129a6fcf85b7, the new rule would work for a Resource filter = App.Object_005b3c83-5ece-46df-b06e-129a6fcf85b7 and would have the following Condition (user.@TipoUsuario="EXEC")

Thank you very much for your assistance!

Cheers,

++José