Qlik Community

Deployment & Management

Discussion board where members learn more about Qlik Sense Installation, Deployment and Management.

cancel
Showing results for 
Search instead for 
Did you mean: 
Not applicable

How to prevent access to the hub? (3.1.2)

With the Service Release 2 for Qlik Sense 3.1 the release notes mention the new ability

     Support for disabling user access to the hub Resource filters can be used to restrict user access to the hub.

How can this be achieved? I figured a new security rule 'HubSections', but no matter whether I left it to true or changed it to false, it wouldn't make the hub behave differently at all. Has anybody more information on this topic?

Thanks alot

Thomas

19 Replies
Fredrik_Lautrup
Employee
Employee

Current implementation is limiting in that it will not limit access to the hub but it will remove the link from the app back to the hub.

So if you change the rule "HubSections" condition to something like

user.group="NoHubAccess"

This would mean that for the users in the group NoHubAcces the link from the app back to the hub will disappear.

In most use cases I think this would be enough, but if there are needs to limit access to the hub it would be good to understand these cases if we need to make improvements in the future.

markginqo
Partner
Partner

Thanks Fredrik, I can confirm that the flag does remove the link back to the hub from an App.

We are looking into this feature because one of our installations is used to host branded Mashups exclusively and by entering only the domain name an unsuspecting user can launch the Hub.

Ideally I would like to see a few more features typical to web servers available for cases where the client does not also want to run an IIS instance:

  • Override default directory - so root directory can be used to serve static HTML content
  • Custom names/locations for subdirectories - having to use "/extensions/" in the mashup path name makes for unwieldy URLs
  • "index.html"-style default document - so the user does not have to specify the full file name in a Mashup URL
  • Hostname-based routing - so we could use dev.domain.com for a virtual proxy instead of domain.com/dev/
  • Redirect port 80 (HTTP) requests to port 443 (HTTPS)
  • Allow editing of HTML for Forms authentication pattern page
  • Mod_Rewrite style URL mapping

Cheers,

Mark

Not applicable
Author

Thanks for the explanation on this.

Also this new short video will help, I think: Disabling the hub ‒ Qlik Sense

Maria_Halley
Support
Support

I have tested this (in 3.1.4) and it seems like changing the rule like this would turn ON access to the hub for the group "NoHubAccess".

The default rule is granting access to all users. So shouldn't the rule be user.group!="NoHubAccess"?

Or am I misunderstanding?

Fredrik_Lautrup
Employee
Employee

You should not add to but replace the behaviour of the default rule. Changing the condition on the default rule would mean that only those matching the condition would get access.

EmmaC
Partner
Partner

Dear Mark,

You couldnt have summarized it better!  I would like to see all those features! None of them are ready? June 2017? September 2017?

Any updates?

markginqo
Partner
Partner

Hi Emma,

I don't think that these type of features have made it into the product yet.  I believe some folks are using nginx or IIS to achieve them if it is critical (and your budget doesn't allow for a more robust solution like F5 or a web application firewall)...

Cheers,

Mark

EmmaC
Partner
Partner

Qlik support answered my ticket, and yes, these features are out of the scope (i wanted to open a feature request! No chance!)

regards,

Emma

markginqo
Partner
Partner

Thanks for sharing that information, it's good to have confirmation so we can proceed with alternate solutions.  I think it makes sense, to an extent, to leverage products that have been specifically designed to tackle these issues.

Cheers,

Mark

berndjaegle
Creator II
Creator II

We could achieve it with the on-bord instruments: Block user.

All our users have CustomProperty @UserTyp (Consumer, Analyst, Contributor) which we implemented to assign security rules. However with this CustomProperty I can select all users I want to block.

Press Edit(multiple) an tick the BLOCKED check box.

Done.

Be careful to 'Clear filters and search' before editing onwoards...

Best regards,

Bernd  

custprop.pngselect_all.pngblock.png