hartmoli
Partner - Contributor III

Security Rule to Access an App without having access to the Stream

Dear Community,

I'm trying to give users permission to specific apps without giving them access to the stream where the apps are published. Why do I try such a "strange" thing? In this special case I've created a mashup for those apps, therefore I only want to grant the user access to the mashup, and they should not be able to see the corresponding app in the hub (that's why I'm trying to hide the stream where the app is published).

Therefore my question: is it possible to give a user direct access to an app without having access to the stream? Or is there any other way I can hide the stream from the user?

My setup is the QS Server November Release.

We had set up an access concept on the stream and app layers using custom properties, similar to this video (Qlik Sense Stream Management Security Rules and Exception Management - YouTube).

We have created two different streams: Apps (where the normal apps are stored) and Mashup (the stream where all apps that are used only for the mashup are stored, and the stream which should be hidden).

Thanks for any help,

Best regards Oli

1 Solution

Accepted Solutions
Levi_Turner
Employee

At the outset, Security rules are applied equally on the Hub as they are on Mashups. If you want to prevent visibility on the Hub but allow access via the mashup, then this is not going to be possible in any realistic scenario assuming all things are equal.

What you can do, is as follows:

  1. Disable the Stream security rule which inherits rights from the Stream > App > App.Object
  2. Recreate a new rule which breaks this inheritance for a single stream

What this means is that the user will not see the Stream, which makes it difficult to access the app, but they could, in theory, access the App via https://sense.company.com/sense/app/AppGUID. Basically they can see the app but can't see the stream.

Example:

Name: _StreamMashupUseCase

Description: This will allow inheritance for all streams except the stream named mashup

Filter: App*

Actions: Read / Publish

Conditions: (resource.resourcetype = "App" and resource.stream.HasPrivilege("read") and resource.stream.name !="mashup") or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))

Context: Hub and QMC

Name: _StreamMashup-AppLevel

Description: This will grant read rights to a specified App GUID + the App Objects based on a user criterion

Filter: App*

Actions: Read / Publish

Conditions: (resource.resourcetype = "App" and resource.id="dea8864b-734c-42c3-b8c1-2d789409a817") or (resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and user.userId="mashupexclusion"

Context: Hub and QMC
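
An added example, not part of the answer above and not Qlik code: a small Python model of the two rule conditions, used to tabulate who can read which resource. It assumes rules are additive and that the `user.userId` test applies to the whole second condition; the users, the second app GUID and the `readable_streams` set (standing in for `resource.stream.HasPrivilege("read")`) are constructed for illustration.

```python
# Simplified model of the two custom rules above; NOT Qlik's rule engine.
# Assumed: any matching rule grants read; user test covers all of rule 2.
from dataclasses import dataclass

MASHUP_APP_ID = "dea8864b-734c-42c3-b8c1-2d789409a817"  # GUID from the post
HIDDEN_OBJECT_TYPES = {"app_appscript", "loadmodel"}

@dataclass(frozen=True)
class App:
    id: str
    stream: str

@dataclass(frozen=True)
class AppObject:
    app: App
    published: bool = True
    object_type: str = "sheet"

@dataclass(frozen=True)
class User:
    user_id: str
    readable_streams: frozenset  # streams a Stream rule lets the user read

def visible_object(obj):
    return obj.published and obj.object_type not in HIDDEN_OBJECT_TYPES

def rule_stream_inheritance(user, res):  # _StreamMashupUseCase
    if isinstance(res, App):
        return res.stream in user.readable_streams and res.stream != "mashup"
    return visible_object(res) and res.app.stream in user.readable_streams

def rule_app_level(user, res):  # _StreamMashup-AppLevel
    match = res.id == MASHUP_APP_ID if isinstance(res, App) else visible_object(res)
    return match and user.user_id == "mashupexclusion"

def can_read(user, res):
    return rule_stream_inheritance(user, res) or rule_app_level(user, res)

def audit(users, resources):
    return {(u.user_id, label): can_read(u, r)
            for u in users for label, r in resources.items()}

# Constructed sample data (not from the original thread).
mashup_app = App(MASHUP_APP_ID, "mashup")
other_app = App("00000000-0000-0000-0000-000000000001", "Apps")
resources = {"mashup_app": mashup_app, "mashup_sheet": AppObject(mashup_app),
             "other_app": other_app, "other_sheet": AppObject(other_app)}
users = [User("mashupexclusion", frozenset()),
         User("analyst", frozenset({"Apps", "mashup"}))]
```

In this model `mashupexclusion` reads the mashup app with no stream access at all, which is the direct-URL case the answer mentions. The App.Object clause of the second rule carries no app ID test, so it also matches published objects of other apps for that user.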


11 Replies
kaushiknsolanki
Partner Ambassador/MVP

Hi,

One thing you can try, instead of complex security rules, is to create a separate stream for mashup applications and give access to only mashup users and restrict it for all users.

This will make your life easy, as it won't need much maintenance.

Regards,

Kaushik Solanki

Please remember to hit the 'Like' button and for helpful answers and resolutions, click on the 'Accept As Solution' button. Cheers!
YoussefBelloum
Champion

Hi,

If you already have a stream dedicated to mashups, why do you want to hide that stream?

hartmoli
Partner - Contributor III
Author

Hi Kaushik,


Thank you for your reply.

That's what I've already tried. But it doesn't match my requirements. Because if I handle this as you propose, the mashup user can still go to the hub and see the stream and thus the app. And my requirements are: the mashup user should only have access to the mashup and should not be able to see the mashup stream, so that he doesn't have the opportunity to go to the app via the Qlik hub. Or do I misunderstand your proposal?

Regards.

hartmoli
Partner - Contributor III
Author

Hi,

Because the only way the user should access the information is via the mashup. He should not be able to access the app via the hub.

Best regards

kaushiknsolanki
Partner Ambassador/MVP

Hi,

Check this link.

https://community.qlik.com/thread/240954

Hope it helps to understand and solve your problem.

Regards,

Kaushik Solanki

hartmoli
Partner - Contributor III
Author

Hi,

Thanks for the link.

I had already come across this community entry during my research, but as I understand it, it only restricts access to the personal section in the hub and not to certain streams.

Regarding this video: https://help.qlik.com/en-US/sense/3.1/Content/Videos/Videos-disable-hub.htm?_ga=2.205245776.11451523...

hartmoli
Partner - Contributor III
Author

Hi Levi

Thank you a lot for your comprehensive answer.

It's exactly what I was looking for. I'm aware of the fact that access to the app via the app ID will still be possible, but I don't see this as a big problem. For me it's important that the app is not easily accessible via the hub.

I wasn't aware of the concept of inheritance, thank you for opening my eyes.

I disabled the default Stream rule and implemented your two proposed rules. Now I can access the app and the mashup. But unfortunately, something is still blocking access to the app objects. When accessing the app directly via its ID, I can see an app without any sheets. I guess I still need to disable one more rule or grant more rights somewhere; do you have an idea where this issue could be caused?

However, thank you a lot for your help, it's a big step forward.

Oliver

hartmoli
Partner - Contributor III
Author

Hi Levi

New knowledge..

It works as you proposed. I tried to generalize the user access with "((user.@group)=resource.@group))", which doesn't work in this way. I guess the problem lies in the approach we have chosen for giving permission to a stream and app: we do that by the group attribute, and give permission to the app also by the group attribute. In this special case I allocated this attribute only to the app, since I don't want the user to be able to see the stream. I think the problem is that the expression "((user.@group)=resource.@group))" doesn't work, because I think "resource" refers to both the stream and the app.

Regards