Hi,
Is it possible to get access to a stream by having one or more apps that the user has access to?
I tried to implement the following rule, but it didn't work.
Resource filter: Stream_*
Action: read
Condition:
resource.App.HasPrivilege("read")
I can't see the difference between my example and the one in the video below for Reload Tasks.
https://youtu.be/h5nBdt969XI?t=1577 (already at 26:17)
Thanks in advance
Shay
How have you given read access to the application?
In the tutorial, access to the stream is granted by testing if (user.group = resource.name) or (user.role = resource.name). Security is hierarchical, so I believe resource.App.HasPrivilege("read") is based on access to the stream.
If you wanted to grant access to the stream based on an app, you would need something like:
(resource.resourcetype="App" and !resource.@name.empty() and resource.@name = user.group)
Basically, see if the app custom property matches the user group. You would also need an exception for when the apps do not have a resource.name assigned.
I know the hierarchical principle, and that's why I wondered how it was possible.
In the tutorial, access is granted by user role but also by an app read privilege, as in the image below.
Correct me if I'm wrong: the resource in the condition refers to the ReloadTask.
Shay
If you have a stream security rule based on a custom property and the user matches that property, they will have access to the stream. This would grant them access to the applications in the stream unless you also add a custom property to the application and create a security rule to define access to the app. Once those 2 security rules are evaluated, then the reload task security rule can determine if the app has read privilege.
Below is what I have been testing:
SchedulerQMCTasksMenu (only users with the scheduler custom property can see the Tasks menu in QMC):
Resource filter: QmcSection_Task,QmcSection_ReloadTask,QmcSection_Event,QmcSection_SchemaEvent,QmcSection_CompositeEvent
Actions: Read
Conditions: !user.IsAnonymous() and ((user.@UserType="Scheduler"))
Context: Only in QMC
Stream:
Resource filter: Stream_*
Actions: Read
Conditions: ((resource.@ADGroup=user.@Developer))
Context: Only in QMC
ReloadTaskDefault (app does not have custom property assigned):
Resource filter: ReloadTask*,SchemaEvent*,CompositeEvent*,ExecutionResult*
Actions: Read,Update,Delete
Conditions: ((user.@UserType="Scheduler"))
and
((resource.resourcetype="ReloadTask" and
resource.app.stream.@ADGroup=user.@Developer and
resource.app.@ADGroup.Empty())
or
(resource.resourcetype = "SchemaEvent"
or resource.resourcetype = "CompositeEvent"
))
Context: Only in QMC
ReloadTaskException (app has a custom property assigned):
Resource filter: ReloadTask*,SchemaEvent*,CompositeEvent*,ExecutionResult*
Actions: Read,Update,Delete
Conditions: ((user.@UserType="Scheduler"))
and
((resource.resourcetype="ReloadTask" and
resource.app.stream.@ADGroup=user.@Developer and
!resource.app.@ADGroup.Empty()
and resource.app.@ADGroup = user.@Developer)
or
(resource.resourcetype = "SchemaEvent"
or resource.resourcetype = "CompositeEvent"
))
Context: Only in QMC
I've only disabled the delivered Stream security rule.
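The three rule conditions in the post above (Stream, ReloadTaskDefault, ReloadTaskException), modelled as Python functions so the grant/deny outcome for each combination of stream and app custom properties can be checked offline. This is an added illustration, not Qlik's rule engine and not code from the thread: the custom property names @UserType, @Developer and @ADGroup come from the rules above, while the users, streams, apps and the choice to treat an unset property as matching nothing are constructed assumptions.

```python
"""Model of the hierarchical security rules shown in the post above.

Added illustration only: reproduces the Stream, ReloadTaskDefault and
ReloadTaskException conditions as plain Python and evaluates them against
constructed user, stream and app records. It is not Qlik's rule engine.
"""


def empty(value):
    # Stand-in for the rule language's .Empty(): true for a missing or blank property.
    return value is None or value == ""


def matches(resource_value, user_value):
    # Modelling choice (assumption): an unset custom property matches nothing,
    # so two missing values never compare equal.
    return not empty(resource_value) and resource_value == user_value


def stream_rule(user, stream):
    # Stream rule: ((resource.@ADGroup=user.@Developer))
    return matches(stream.get("@ADGroup"), user.get("@Developer"))


def reload_task_default(user, task):
    # ReloadTaskDefault: the app has no @ADGroup, so access follows the stream's @ADGroup.
    app = task["app"]
    return (user.get("@UserType") == "Scheduler"
            and matches(app["stream"].get("@ADGroup"), user.get("@Developer"))
            and empty(app.get("@ADGroup")))


def reload_task_exception(user, task):
    # ReloadTaskException: the app carries its own @ADGroup, which must also match.
    app = task["app"]
    return (user.get("@UserType") == "Scheduler"
            and matches(app["stream"].get("@ADGroup"), user.get("@Developer"))
            and not empty(app.get("@ADGroup"))
            and matches(app.get("@ADGroup"), user.get("@Developer")))


def can_read_task(user, task):
    # Rules are evaluated independently; any matching rule grants the action.
    return reload_task_default(user, task) or reload_task_exception(user, task)


# Constructed sample data (not from the thread).
DEV_STREAM = {"name": "Finance", "@ADGroup": "FinanceDevs"}
OTHER_STREAM = {"name": "HR", "@ADGroup": "HRDevs"}

TASKS = {
    "inherits_from_stream": {"app": {"name": "Ledger", "stream": DEV_STREAM}},
    "app_override_matches": {"app": {"name": "Budget", "stream": DEV_STREAM,
                                     "@ADGroup": "FinanceDevs"}},
    "app_override_differs": {"app": {"name": "Payroll", "stream": DEV_STREAM,
                                     "@ADGroup": "PayrollDevs"}},
    "wrong_stream": {"app": {"name": "Headcount", "stream": OTHER_STREAM}},
}

SCHEDULER = {"name": "shay", "@UserType": "Scheduler", "@Developer": "FinanceDevs"}
NON_SCHEDULER = {"name": "ann", "@UserType": "Analyst", "@Developer": "FinanceDevs"}


def evaluate(user):
    """Return {task_name: allowed} for every constructed reload task."""
    return {name: can_read_task(user, task) for name, task in TASKS.items()}


if __name__ == "__main__":
    for who in (SCHEDULER, NON_SCHEDULER):
        print(who["name"], evaluate(who))
```

The point the four constructed tasks make is the one the post relies on: an app without its own @ADGroup is reachable through the stream's @ADGroup (default rule), an app that sets @ADGroup is only reachable when that value also matches (exception rule), and a mismatch on either the stream or the app denies the task regardless of the user's Scheduler property.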
Checking on this. I suspect not. I suspect it's a one-way hierarchy. I am also suspicious that the hierarchies are outlined in this API call (GET /qrs/about/api/relations). Example response from April 2019:
[
"App.owner > User",
"App.stream > Stream",
"App.tags > Tag",
"AppAvailability.app > App",
"AppAvailability.appDataSegment > App.DataSegment",
"AppAvailability.serverNodeConfiguration > ServerNodeConfiguration",
"App.Content.app > App",
"App.Content.references > StaticContentReference",
"App.Content.whiteList > FileExtensionWhiteList",
"App.DataSegment.app > App",
"App.DataSegment.file > FileReference",
"App.DataSegment.owner > User",
"App.Internal.app > App",
"App.Internal.file > FileReference",
"App.Object.app > App",
"App.Object.file > FileReference",
"App.Object.owner > User",
"App.Object.tags > Tag",
"AppSeedInfo.app > App",
"AppStatus.app > App",
"CompositeEvent.externalProgramTask > ExternalProgramTask",
"CompositeEvent.operational > CompositeEventOperational",
"CompositeEvent.reloadTask > ReloadTask",
"CompositeEvent.userSyncTask > UserSyncTask",
"CompositeEvent.Rule.externalProgramTask > ExternalProgramTask",
"CompositeEvent.Rule.operational > CompositeEventRuleOperational",
"CompositeEvent.Rule.reloadTask > ReloadTask",
"CompositeEvent.Rule.userSyncTask > UserSyncTask",
"ContentLibrary.owner > User",
"ContentLibrary.references > StaticContentReference",
"ContentLibrary.tags > Tag",
"ContentLibrary.whiteList > FileExtensionWhiteList",
"CustomPropertyValue.definition > CustomPropertyDefinition",
"DataConnection.owner > User",
"DataConnection.tags > Tag",
"EngineService.serverNodeConfiguration > ServerNodeConfiguration",
"EngineService.tags > Tag",
"ExecutionResult.details > ExecutionResult.Detail",
"ExecutionSession.app > App",
"ExecutionSession.executingNode > SchedulerService",
"ExecutionSession.executionResult > ExecutionResult",
"ExecutionSession.externalProgramTask > ExternalProgramTask",
"ExecutionSession.reloadTask > ReloadTask",
"ExecutionSession.userSyncTask > UserSyncTask",
"Extension.owner > User",
"Extension.references > StaticContentReference",
"Extension.tags > Tag",
"Extension.whiteList > FileExtensionWhiteList",
"ExternalProgramTask.operational > ExternalProgramTaskOperational",
"ExternalProgramTask.qlikUser > User",
"ExternalProgramTask.tags > Tag",
"ExternalProgramTaskOperational.lastExecutionResult > ExecutionResult",
"FileExtension.mimeType > MimeType",
"FileExtensionWhiteList.fileExtensions > FileExtension",
"License.AnalyzerAccessType.user > User",
"License.AnalyzerAccessUsage.analyzerAccessType > License.AnalyzerAccessType",
"License.AnalyzerTimeAccessUsage.analyzerTimeAccessType > License.AnalyzerTimeAccessType",
"License.AnalyzerTimeAccessUsage.user > User",
"License.LoginAccessUsage.loginAccessType > License.LoginAccessType",
"License.LoginAccessUsage.user > User",
"License.ProfessionalAccessType.user > User",
"License.ProfessionalAccessUsage.professionalAccessType > License.ProfessionalAccessType",
"License.UserAccessType.user > User",
"License.UserAccessUsage.userAccessType > License.UserAccessType",
"OdagEngineGroup.owner > User",
"OdagLink.modelGroups > OdagModelGroup",
"OdagLink.owner > User",
"OdagLink.templateApp > App",
"OdagLinkUsage.link > OdagLink",
"OdagLinkUsage.selectionApp > App",
"OdagModelGroup.owner > User",
"OdagRequest.engineGroup > OdagEngineGroup",
"OdagRequest.generatedApp > App",
"OdagRequest.link > OdagLink",
"OdagRequest.owner > User",
"OdagService.Settings.anonymousProxyUser > User",
"PrintingService.serverNodeConfiguration > ServerNodeConfiguration",
"PrintingService.tags > Tag",
"ProxyService.serverNodeConfiguration > ServerNodeConfiguration",
"ProxyService.tags > Tag",
"ProxyServiceCertificate.proxyService > ProxyService",
"ProxyService.Settings.virtualProxies > VirtualProxyConfig",
"ReloadTask.app > App",
"ReloadTask.operational > ReloadTaskOperational",
"ReloadTask.tags > Tag",
"ReloadTaskOperational.lastExecutionResult > ExecutionResult",
"RepositoryService.serverNodeConfiguration > ServerNodeConfiguration",
"RepositoryService.tags > Tag",
"SchedulerService.serverNodeConfiguration > ServerNodeConfiguration",
"SchedulerService.tags > Tag",
"SchemaEvent.externalProgramTask > ExternalProgramTask",
"SchemaEvent.operational > SchemaEventOperational",
"SchemaEvent.reloadTask > ReloadTask",
"SchemaEvent.userSyncTask > UserSyncTask",
"ServerNodeConfiguration.roles > ServerNodeRole",
"ServerNodeConfiguration.serviceCluster > ServiceCluster",
"ServerNodeConfiguration.tags > Tag",
"ServerNodeHeartbeat.serverNodeConfiguration > ServerNodeConfiguration",
"ServiceStatus.serverNodeConfiguration > ServerNodeConfiguration",
"SharedContent.owner > User",
"SharedContent.references > StaticContentReference",
"SharedContent.tags > Tag",
"SharedContent.whiteList > FileExtensionWhiteList",
"StaticContentReference.files > FileReference",
"Stream.owner > User",
"Stream.tags > Tag",
"SyncSession.serverNodeConfiguration > ServerNodeConfiguration",
"SystemRule.tags > Tag",
"TempContent.owner > User",
"TermsAcceptance.user > User",
"User.tags > Tag",
"UserDirectory.tags > Tag",
"UserSyncTask.operational > UserSyncTaskOperational",
"UserSyncTask.tags > Tag",
"UserSyncTask.userDirectory > UserDirectory",
"UserSyncTaskOperational.lastExecutionResult > ExecutionResult",
"VirtualProxyConfig.loadBalancingServerNodes > ServerNodeConfiguration",
"VirtualProxyConfig.tags > Tag",
"WebExtensionLibrary.owner > User",
"WebExtensionLibrary.tags > Tag",
"Widget.extensionType > WebExtensionType",
"Widget.library > WebExtensionLibrary",
"Widget.owner > User",
"Widget.tags > Tag"
]
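A way to read the relation list above as the one-way hierarchy the reply suspects: each entry has the form "Owner.property > Target", so it can be parsed into a directed graph and searched for the dotted path a security rule could use from one resource type to another. This is an added example, not code from the thread or from Qlik; the RELATIONS list is an excerpt copied from the response quoted above, and the "resource." prefix on the returned paths mirrors how rule conditions such as resource.app.stream.@ADGroup are written.

```python
"""Walk the relations returned by GET /qrs/about/api/relations.

Added illustration only. Parses "Owner.property > Target" lines into a
directed graph and reports which resource types a rule can reach from its
starting resource, and by which property chain.
"""
from collections import deque

# Excerpt copied from the API response quoted above (not the full list).
RELATIONS = [
    "App.owner > User",
    "App.stream > Stream",
    "App.tags > Tag",
    "ReloadTask.app > App",
    "ReloadTask.operational > ReloadTaskOperational",
    "ReloadTask.tags > Tag",
    "SchemaEvent.reloadTask > ReloadTask",
    "CompositeEvent.Rule.reloadTask > ReloadTask",
    "ExecutionSession.app > App",
    "ExecutionSession.reloadTask > ReloadTask",
    "Stream.owner > User",
    "Stream.tags > Tag",
]


def parse_relations(lines):
    """Return {source_type: {property_name: target_type}}.

    The owner side may itself be dotted (e.g. "CompositeEvent.Rule"), so the
    property name is split off from the right.
    """
    graph = {}
    for line in lines:
        left, target = (part.strip() for part in line.split(">", 1))
        source, prop = left.rsplit(".", 1)
        graph.setdefault(source, {})[prop] = target
    return graph


def reachable_paths(graph, start):
    """Breadth-first search over property hops.

    Returns {reachable_type: dotted path}, where the path is written the way a
    rule condition would reference it, starting from "resource".
    """
    paths = {start: "resource"}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for prop, target in graph.get(node, {}).items():
            if target not in paths:
                paths[target] = f"{paths[node]}.{prop}"
                queue.append(target)
    return paths


def rule_path(graph, start, target):
    """Shortest property chain a rule on `start` could use to reach `target`, or None."""
    return reachable_paths(graph, start).get(target)


if __name__ == "__main__":
    graph = parse_relations(RELATIONS)
    print("ReloadTask -> Stream:", rule_path(graph, "ReloadTask", "Stream"))
    print("Stream -> App:", rule_path(graph, "Stream", "App"))
```

With the excerpt above, a ReloadTask rule can reach its stream as resource.app.stream, which is exactly the reference used in the ReloadTaskDefault rule earlier in the thread, whereas a Stream rule has no outgoing relation to App at all, which is why a Stream condition cannot be written in terms of the apps it contains. To run this against a live server, replace RELATIONS with the parsed JSON body of that endpoint.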