Hi All,
I need to set up security rules to do the following:
A user needs access to 2 Streams in the Hub (say Sales and Solutions).
In the one Stream (Sales) he can only view the Apps in the Hub.
For the other Stream (Solutions) he can view and manage the reload tasks via QMC.
Overall in QMC the user should only have access to the App and Tasks for the Solutions Stream.
So far I have managed to set the user up so that he can only see Apps and Tasks in QMC as well as both Streams in the Hub.
However I cannot seem to stop him from seeing the Sales Stream Tasks and Apps in QMC.
Is there a way to do this?
Thanks
John
If needed, I have example security rules:
1. Allow user Atest to read stream "Core" only in HUB
2. Allow user Atest to read stream "test" both in QMC and Hub
3. Create a rule to access the QMC section
4. And allow access to resources which it has permission to read
I certainly recommend that, instead of specifying a particular user in the rules, you make reference to custom properties of users.
Result:
I see hub applications in both streams, and in the management console only applications from stream "test" and the tasks for these applications.
Oh, interesting task.
What rules will allow users to view applications in the console and the problem for them?
I would create 2 rules.
1. Allow user read access to streams in HUB
2. Allow user to read and reload apps in QMC
You need to pay attention to the default rules that can perform actions with applications if the user has permission to the stream.
Try to make an example on its server. If you succeed, I will describe an example.
Hi John,
Have you looked at applying the appropriate context to the stream rule - when creating streams there is an associated access rule editor that displays - if you select Advanced you can choose to select where the rule is valid. Such as apply to the hub, qmc or both:
Give that a try and let us know.
Please mark the appropriate replies as helpful / correct so our team and other members know that your question(s) has been answered to your satisfaction.
Regards,
Mike Tarallo
Qlik
Hi Michael / Alexander,
Now that you point out the Hub / QMC / Hub and QMC option it all falls into place.
I think I got myself too buried in the security rules to consider that.
Thanks
Great - however I am still looking at providing you with a solid example - this is a good use case. I will update you with a solution shortly.
Mike
Hey John - you may find this help topic sample example interesting - this may also be something you want to do:
Security rules example: Creating QMC organizational admin roles
This gets into more detail how you can define custom rules using the resource.resourcetype attribute and the QmcSection_* resource filter - with this combination - you can lock down almost anything and create custom roles that you assign to users.
Mike
Oh, one more thing: note that security rules are additive - that means even though you created a new rule, another rule might override your new rule. So make sure to disable the other rules that may provide access to a resource, when your rule is trying to deny access to a resource etc.
Mike
Hi Michael / Alex,
Thanks for your help. I have it working and now have a better understanding of security roles.
One thing I have found is that you need to properly plan and implement your Security Rules. Then of course you need to have some form of documentation / naming conventions so that others in your team can pick up where you left off. It is a lot more complicated than QV but I can see the benefits.
Cheers
For these purposes, I always mark my rules with a tag. It is so much easier for me and other administrators to understand which were default rules and which were added later.
P.S.
Add more questions. Security rules in the Qlik Sense server are a very interesting area that requires diligent study.