Discussion board where members learn more about Qlik Sense Installation, Deployment and Management.
I'm trying to allow specific users (based on a group, role, or whatever else) read only script access. They should be able to open the data load editor and view the script, but they should not be able to change anything, save, use data connections, etc. This rule should also be specific to the data load editor - I don't want to give them any other app editing permissions. As far as I'm concerned a global rule here is good enough - I can adapt it later to allow e.g. viewing script only in apps you are already allowed to see / based on stream / whatever else.
I've done my best with Qlik's resources and Google, but have not come up with a solution myself. Every suggested solution that allows a user to see the data load editor appears to require granting edit access to the entire app for that user, and even then the data load editor access isn't read-only.
Following up on this thread so I can close it - no solution was found in the Qlik infrastructure, sadly.
As a workaround, I've created an app that reads all of the reload logs from the server folder, purges all of the non-script elements (timestamps, mostly), and then displays the resulting text in a text object. This way I can allow people to at least copy this text and view it in Notepad or whatever else.
Here is a great write up on this subject. For your needs you should be able to uncheck the "Update" rights. Unfortunately, Qlik Sense security may require "Update" to expose the dataloadeditor option. At a basic level the security rule that lets them see the data load editor script is the following two as they are App.Objects that are not included in the default "Stream" rule with a standard install.
resource.objectType = "app_appscript" or resource.objectType = "loadmodel"
Thanks for the reply, @andoryuu . I visited that link before posting and tried the suggested solution - it allows full access to the script including saving changes and reloading, which is of course not something we want for published apps. Unchecking "Update" removes access to the script entirely. I fussed around with the conditions in that post, but wasn't able to achieve anything that met the read-only requirement. It is possible no such solution exists, but I figured I'd post here first and see if anyone else has managed one.
Sorry @Or perhaps one of the elite QS Masters will opine or have some esoteric knowledge of the security, but I think you may be toast here. If you want to allow users to see the data load editor scripts another option would be to use serializer to get the app contents spooled out into JSON and then load them into source control (i.e. a git repo).
I'm not saying this is a solution, but have a look at Add Sense which is a Chrome extension which allows you to view the load script of any app. Maybe you can make it work for you. Alternatively there might be a way in which you can store your load script as a variable and then just expand that variable in a Text Object for users to read (with some workarounds for special characters😉).
To be honest I haven't really used it as I have full access on all of our servers. We (are supposed to) store all of our load scripts in qvs files which means that our end users cannot use it to see the actual load script - only the Must_Include reference to the qvs. Sometimes it is nice if I want to check that the developers actually stored the load script in a qvs. I know you can create a security rule to allow certain roles to see the script at all times, but I try to stick to the standard Qlik rules as far as possible.
@Mauritz_SA but if they can see the data editor they can turn on debug and see your must_include reference anyway. If they can't see the data load editor your script is safe. We use must_include files for reusability for common code, but it won't provide any security above what's provided by cutting them out of the editor (unless I'm misunderstanding your security model...?).
@Mauritz_SAThanks for the tip - unfortunately, the same problem seems to remain even with this extension: how do we allow script access (without allowing script edit)? According to the extension it can show the script "if accessible" but I haven't found any way to make the script accessible without also making it editable.