Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Qlik Connect 2024! Seize endless possibilities! LEARN MORE
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Vegar
MVP
MVP
‎2023-01-23 08:20 AM

How to handle access to data model viewer for published apps?

I have a group of users with proffesional access allocation on a Qlik Sense on Windows environment. 

When designing their own sheets and objects in a published application they would benifit from having read access to the data model viewer, but I am having problem granting them this access without granting them access to make edits in the published app. I have been looking at this support page Security Rule Example: How to show data model viewer for published apps by @Andre_Sostizzo , but need to get an deeper understaning on how to pinpoint just the data model viewer.

Do you guys know how to scoping down a security rule to just handle data model "object" of a Qlik Sense application? 

This is how narrow I have managed to go. (I get the impression that the Data Model is considered a sheet):

Read Create and Update 

using filter

(
(resource.resourcetype="App")
or
(resource.resourcetype="App.Object" and resource.objectType like "sheet")
)

Vegar
Qlik Community MVP
Labels (2)
Labels
1 user say ditto
1,573 Views
9 Replies
NadiaB
Support
Support
‎2023-01-24 10:13 AM

Hi @Vegar 

By any chance have you seen this already ?

https://community.qlik.com/t5/Official-Support-Articles/Security-Rule-Example-How-to-show-data-model...

Kind Regards. 

Don't forget to mark as "Solution Accepted" the comment that resolves the question/issue. #ngm
1,507 Views
0 Likes
Vegar
MVP
MVP
‎2023-01-24 03:22 PM
Author

In response to NadiaB

@NadiaB 

I was linking to that post in my orignal post. As you see in the comments section of that article the solutions grants the users edit rights to parts of the published app such as the application name, description and the apps custom properties.  That is a big no-no in my case.

With my posting I was hoping for help on narrowing down the scope of my security rule to the data model section only or at least eliminate the possibility for the users to make edits to the app/app properties. Do you have any security rules experts in your support team that help us with this? I assume this is an interresting problem to get solved for more than me.

Vegar
Qlik Community MVP
1,503 Views
NadiaB
Support
Support
‎2023-01-24 03:29 PM

Hi  @Vegar 

The documentation about resources and conditions available are in our site:

https://help.qlik.com/en-US/sense-admin/November2022/Subsystems/DeployAdministerQSE/Content/Sense_De...

https://help.qlik.com/en-US/sense-admin/November2022/Subsystems/DeployAdministerQSE/Content/Sense_De...

It is suggested to look at objectype "loadmodel" described in the resources condition and and remove privileges as needed, I believe there are other posts around this topic, is just each one might be looking for something specific on a rule so the best way to go probably would be design from scratch. 

Hope it helps. 

 

 

Don't forget to mark as "Solution Accepted" the comment that resolves the question/issue. #ngm
1,500 Views
QFabian
Specialist III
Specialist III
‎2023-01-24 03:42 PM

@Vegar , since that data model does not change often, i just would take a screenshot and put it as an library image, then show it in a text box, with some fields descriptions and relations

QFabian
1,495 Views
Vegar
MVP
MVP
‎2023-01-24 03:58 PM
Author

@QFabian Thanks for the suggestion. I actually found my self giving the same advice to another user in a  couple of years old community post.

If there is no other way to do it then I might do this for the most important self service applications, but shere is more to the datamodel page than just the relationship diagrams. So I would prefere to find a solution. 

---------

@NadiaB 

I am not sure about the objectype "loadmodel", I get the impression that it is referring to the load script and not the data model. As support for this I find this article Security Rule Example: Allow access toData Load Editor on an app that is using "loadmodel". However, if you can confirm that the datamodel is in fact reffered to as objecttype="loadmodel" I will pursue that path and investigate further.  

Vegar
Qlik Community MVP
1,493 Views
QFabian
Specialist III
Specialist III
‎2023-01-24 04:09 PM

In response to Vegar

@Vegar  hope that that security rule works!

QFabian
1,487 Views
0 Likes
ThijsDeBruijnEscuLine
Partner - Contributor II
Partner - Contributor II
‎2023-08-08 09:49 AM

@Vegar did you get this to work in the end?

1,137 Views
0 Likes
Vegar
MVP
MVP
‎2023-08-08 04:22 PM
Author

@ThijsDeBruijnEscuLine unfortunately no. WE Where not able to pinpoint just this feature without opening up for more privileges than was acceptable.

Vegar
Qlik Community MVP
1,122 Views
mbespartochnyy
Creator III
Creator III
‎2023-08-10 04:47 PM

I ran into the same issue. I did bunch of tests and confirmed that the object type "LoadModel" is not a data model.

In fact, the data model is not part of App.Object_* resource at all. It is part of App_* resource. (I believe App_* and App.Object_* resources are different but I'm not 100% sure on that.)

Furthermore, visibility into data model is not controlled by Read action but instead by Update action.

I did a simple test to confirm this.

1. Give a user with Professional license (Mikhail in this example) access to specific app.

mbespartochnyy_1-1691697374171.png

2. Publish app to stream Everyone.
3. Disable any rule that gives access to app objects, namely the Stream rule.
4. Ensure that app owner is not the user (not Mikhail) that has been given access to the app.
5. Have the user (Mikhail) that has been given access to the app open the app and try accessing the data model.

With only Read and Update access to App_dcd544f3-e330-4c71-af52-eeeb1988914b resource, the user (Mikhail) was able to see the data model:

mbespartochnyy_2-1691697874265.png

 

As expected, the user was not able to see any of the sheets, bookmarks, or stories within the app:

mbespartochnyy_3-1691697975729.png

 

Updating the security rule to only give read permission to the app:

mbespartochnyy_5-1691698444517.png

 

Resulted in loss of user's ability see the data model:

mbespartochnyy_6-1691698570926.png

Summary

  1. Data model is part of App_* resource and not App.Object_* resource.
  2. In order for a user to view data model in a published app that user needs to be given Update permissions to an App resource.
  3. If the default Stream security rule was meant to prevent users from seeing the data model in a published app, then that rule is broken as it doesn't actually prevent users from seeing data model in a published app when a user is given update permissions to a published app.
    1. I've confirmed this by enabling Stream security rule and giving user update permission to a published app. The user was still able to see the data model.

This feels like a bug. It makes sense for data model to be part of App.Object_* resource of object type LoadModel, but evidently it is not.

 

Test Environment

This test was done on a brand new install of Qlik Sense Enterprise on Windows environment with no security rules other than the built-in Default and Read-Only security rules and the one custom rule that was created (step 1 above) to give user access to the app.

1,099 Views