Security Rule to Access an App without having access to the Stream
Dear Community,
I'm trying to give a user permission to specific apps without giving them access to the stream where the apps are published. Why do I try such a "strange" thing? In this special case I've created a mashup for those apps, therefore I only want to grant the user access to the mashup, and they should not be able to see the corresponding app in the hub (that's why I'm trying to hide the stream where the app is published).
Therefore my question: is it possible to give a user direct access to an app without having access to the stream? Or is there any other way I can hide the stream from the user?
My setup is the QS Server November Release.
We had set up an access concept on stream and on app layer by custom properties, similar to this video (Qlik Sense Stream Management Security Rules and Exception Management - YouTube).
We have created two different streams: Apps (where the normal apps are stored) and Mashup (the stream where all apps which are used only for mashups are stored, and the stream which should be hidden).
Thanks for any help,
Best regards Oli
Accepted Solutions
At the outset, Security rules are applied equally on the Hub as they are on Mashups. If you want to prevent visibility on the Hub but allow access via the mashup, then this is not going to be possible in any realistic scenario assuming all things are equal.
What you can do, is as follows:
- Disable the Stream security rule which inherits rights from the Stream > App > App.Object
- Recreate a new rule which breaks this inheritance for a single stream
What this will do is mean that the user will not see the Stream which makes it difficult to access the app, but they could, in theory, access the App via https://sense.company.com/sense/app/AppGUID. Basically they can see the app but can't see the stream.
Example:
Name: _StreamMashupUseCase
Description: This will allow inheritance for all streams except the stream named mashup
Filter: App*
Actions: Read / Publish
Conditions: (resource.resourcetype = "App" and resource.stream.HasPrivilege("read") and resource.stream.name !="mashup") or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))
Context: Hub and QMC
Name: _StreamMashup-AppLevel
Description: This will grant read rights to a specified App GUID + the App Objects based on a user criterion
Filter: App*
Actions: Read / Publish
Conditions: (resource.resourcetype = "App" and resource.id="dea8864b-734c-42c3-b8c1-2d789409a817") or (resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel")
and user.userId="mashupexclusion"
Context: Hub and QMC
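Added example, not part of the original answer and not Qlik code: a small Python model of the two rules above, useful for checking who ends up with Read on which resource before enabling them. It assumes the user criterion applies to both clauses of the second rule, as that rule's description says; the stream grants, the user alice and the sales app are constructed sample data.

```python
# Added model of the two rules above (not Qlik code). Qlik security rules are
# inclusive: an action is granted when any enabled rule evaluates to true.
APP_GUID = "dea8864b-734c-42c3-b8c1-2d789409a817"  # GUID from the post
SCRIPT_TYPES = {"app_appscript", "loadmodel"}

def stream_read(user, stream):
    # Stands in for resource.stream.HasPrivilege("read"); grants are constructed.
    return user in stream["readers"]

def published_object(res):
    return res["published"] and res["objectType"] not in SCRIPT_TYPES

def rule_stream_use_case(user, res):
    """_StreamMashupUseCase: inherit from the stream, except stream 'mashup'."""
    if res["type"] == "App":
        s = res["stream"]
        return stream_read(user, s) and s["name"] != "mashup"
    return published_object(res) and stream_read(user, res["app"]["stream"])

def rule_app_level(user, res):
    """_StreamMashup-AppLevel, read as (App clause or App.Object clause) and user."""
    if user != "mashupexclusion":
        return False
    if res["type"] == "App":
        return res["id"] == APP_GUID
    return published_object(res)

def can_read(user, res):
    return rule_stream_use_case(user, res) or rule_app_level(user, res)

# Constructed sample data: two streams, one app in each, one sheet, one script.
apps_stream = {"name": "Apps", "readers": {"alice", "mashupexclusion"}}
mashup_stream = {"name": "mashup", "readers": set()}
sales_app = {"type": "App", "id": "constructed-sales-app", "stream": apps_stream}
mashup_app = {"type": "App", "id": APP_GUID, "stream": mashup_stream}
sheet = {"type": "App.Object", "app": mashup_app,
         "objectType": "sheet", "published": True}
script = {"type": "App.Object", "app": mashup_app,
          "objectType": "app_appscript", "published": True}

def access_matrix():
    resources = {"sales_app": sales_app, "mashup_app": mashup_app,
                 "sheet": sheet, "script": script}
    return {u: {n: can_read(u, r) for n, r in resources.items()}
            for u in ("alice", "mashupexclusion")}

if __name__ == "__main__":
    for user, row in access_matrix().items():
        print(user, row)
```

In this model mashupexclusion has no Read on the mashup stream yet can read the app and its published sheet, which matches the answer's point that the app stays reachable by its GUID URL.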
Hi,
One thing you can try instead of complex security rules is to create a separate stream for mashup applications and give access to only mashup users and restrict for all users.
This will make your life easy, as it won't need much maintenance.
Regards,
Kaushik Solanki
Hi,
If you already have a Stream dedicated to Mashups, why do you want to hide that Stream?
Hi Kaushik,
Thank you for your reply.
That's what I've already tried. But it doesn't match my requirements. Because if I handle this like your proposal, the mashup user can still go to the hub and see the stream and thus the app. And my requirements are: the mashup user should only have access to the mashup and should not be able to see the mashup stream, so that he doesn't have the opportunity to go to the app via the Qlik hub. Or do I misunderstand your proposal?
Regards.
Hi,
Because the only way the user should access the information is via the mashup. He should not be able to access the app via the hub.
Best regards
Hi,
Check this link.
https://community.qlik.com/thread/240954
Hope it helps to understand and solve your problem.
Regards,
Kaushik Solanki
Hi,
Thanks for the link.
I'd already come across this community entry during my research, but as I understand it, it only restricts access to the personal section in the hub and not to certain streams.
Regarding to this video: https://help.qlik.com/en-US/sense/3.1/Content/Videos/Videos-disable-hub.htm?_ga=2.205245776.11451523...
Hi Levi
Thank you a lot for your comprehensive answer.
It's exactly what I was looking for. I'm aware of the fact that access to the app via the APP-ID will still be possible, but I don't see this as a big problem. For me it's important that the app is not easily accessible via the hub.
I wasn't aware of the concept of inheritance, thank you for opening my eyes.
I disabled the default Stream rule and implemented your two proposed rules. Now I can access the app and the mashup. But unfortunately, something is still blocking the access to the app objects. By accessing the app directly via ID, I can see an app without any sheets. I guess I still need to disable one rule or I have to give more rights somewhere. Do you have an idea where this issue could be caused?
However, thank you a lot for your help, it's a big step forward.
Oliver
Hi Levi
New knowledge..
It works as you proposed. I tried to generalize the user access by "((user.@group)=resource.@group))", which doesn't work in this way. I guess the problem lies in the approach we've chosen to give permission to a stream and app: we do that by the group attribute and give permission to the app also by the group attribute. In this special case I allocated this attribute only to the app, as I don't want the user to be able to see the stream. I think the problem is that the expression "((user.@group)=resource.@group))" doesn't work, because I think resource means both the stream and the app.
Regards