Skip to main content

Deployment & Management

Discussion board where members learn more about Qlik Sense Installation, Deployment and Management.

Announcements
Welcome to Qlik Community! Check out our new navigation! FIND OUT MORE
cancel
Showing results for 
Search instead for 
Did you mean: 
jimmy_rhoat
Partner - Contributor II
Partner - Contributor II

Allowing end users to create bookmarks on sheets

Good afternoon Qlik Community,

I am new to Qlik Sense I am hoping you can help me on an issue we are having.

What we are trying to accomplish - 

  • Allow end users to create bookmarks on sheets with the least privileges
    • This would not allow users to create other objects such as stories, other sheets, or etc. ONLY Bookmarks

Here are a few previous postings that were used as a guide to create the below rule:

Resource Filter

App.Object_Bookmark* 

Actions

Create

Conditions

!resource.App.stream.Empty()

and resource.App.HasPrivilege("read")

and (resource.objectType = "sheet")

and !user.IsAnonymous()

When using the audit portion it does look like this is exactly what we needed and it seems to apply the permissions correctly, however, it does not allow the users to create bookmarks, as I have tested this with a standard user account.

We are also noticing that it is not all sheets are behaving in the same fashion. Some of the sheets belong to a different stream, one stream allows users to publish while the other does not. The one that is working allows users to publish.

So the questions are:

  1. What are the least privileges you need to create bookmarks?
  2. Can this be done without allowing unnecessary privileges?
  3. Is there a document discussing the hierarchy to better understand Least-Privilege administration in Qlik?
1 Solution

Accepted Solutions
jimmy_rhoat
Partner - Contributor II
Partner - Contributor II
Author

Updating my original post as it is now solved. The problem I was having with the other posts not working was a bug in sync persistence shown here.

https://qliksupport.force.com/QS_CaseWizardKnowledgeArticle?Id=ka5D00000004RtIIAU

The straight-forward method is this:

Filter: App.Object_*

Action: Create

Conditions: !resource.App.stream.Empty() and resource.App.HasPrivilege("read") and (resource.objectType = "bookmark") and !user.IsAnonymous()

Context: Hub

Logic: Non-anonymous users can create app objects on apps which belong to streams where the user has read privileges already and the object that they are creating are bookmarks.

Additionally, the publish rights to the stream is not required.

View solution in original post

5 Replies
jimmy_rhoat
Partner - Contributor II
Partner - Contributor II
Author

Updating my original post as it is now solved. The problem I was having with the other posts not working was a bug in sync persistence shown here.

https://qliksupport.force.com/QS_CaseWizardKnowledgeArticle?Id=ka5D00000004RtIIAU

The straight-forward method is this:

Filter: App.Object_*

Action: Create

Conditions: !resource.App.stream.Empty() and resource.App.HasPrivilege("read") and (resource.objectType = "bookmark") and !user.IsAnonymous()

Context: Hub

Logic: Non-anonymous users can create app objects on apps which belong to streams where the user has read privileges already and the object that they are creating are bookmarks.

Additionally, the publish rights to the stream is not required.

TKendrick20
Partner - Specialist
Partner - Specialist

Thank you so much for posting this. I've been driving myself crazy reading all the documentation on how to do this. Don't know if I should be relieved or worried that it turned out just to be a bug...

avkeep01
Partner - Specialist
Partner - Specialist

Hi James,

I'm not able to look into the support ticket, but I solved it by restarting the services. Is that what the bug is? So after changing the security rule restarting the services?

jimmy_rhoat
Partner - Contributor II
Partner - Contributor II
Author

Basically, there is an issue with sync persistence that means you will need to recycle your services on all nodes due to caching from the repository service.

They provide a way of disabling the caching all together, but we opted not to do this because of how many users we get to log into the system. I believe this was the better route as I didn't want to track making custom changes due to a bug and confirm when I would need to revert. I just make note that services may need to be restarted as we wait for shared persistence. I would also like to add that this was the only time it happened for us, so it is a rare occurrence.

avkeep01
Partner - Specialist
Partner - Specialist

Thanks, that explains why restarting the services fixes my issue of applying the business rules.