I'm looking to control the Data Connections developers can access when writing / amending apps.
First, I see that there is a default Security Rule called DataConnection, which appears to grant Create rights to all users. Does this basically enable the Create New Connection button in the script window and allow users to create new connections?
Obviously, general user do not have CRUD access to Apps, so they won't see the script window anyway. But for Developers, I may need to disable this default rule and create a new more specific one. I don't want developers creating new connections to sources without approval.
I then have a folder connection to grant access to a directory called QlikFiles, which includes sub-folders by system or department, containing QVDs and external files (Excel etc). As a test, I modified the rule called Security rule for access to "QlikFiles", granting Read access to the Role "Developer". Is this necessary to allow developers to reload their apps (i.e. repopulate the QVDs)? Could a developer potentially load in QVDs emanating from other databases than the one they are authorised to work on using this connection?
Finally, I have Data Connections to each database, e.g. Db1MSSQL and Security Rules granting Read access to each. In testing, I specified one Developer by username in one of these Security Rules. They confirmed they could see and insert this connection into their apps, and could not see any other database connections. This is good, as it allows me to control which developers can use which existing database connections, without them having to know the login and password.
So... in short, I'm looking for the best way to lock down the Data Connections, so that developers can only include connections to databases and files in their apps that fall within their remit, and can only create / store data into / load from QVDs for those departments they're authorised to.
I have an App Level Management custom property configured, restricting the Developers to particular Apps, so perhaps this (or something like it) can be used to restrict access for Data Connections, too?