Qlik Community

Deployment & Management

Discussion board where members learn more about Qlik Sense Installation, Deployment and Management.

Announcements
WE ARE LISTENING! New Navigation for Qlik Community, Sept. 26: TELL ME MORE
cancel
Showing results for 
Search instead for 
Did you mean: 
jpjust
Specialist
Specialist

Security on Load Data- Dev and Prod on same cluster

All,

I have my environment like this and trying n to tighten the security. Please let me know how to achieve this?

I have Dev and Prod on cluster.

Prod Link : https://qlik.url.com/hub/my/work     ->I can see few apps under my work. I am also able to edit the script and run the script which hits the Prod node- Ultimately I should not be able to see the "work" folder OR I should not be able to run the script.

Dev Link : https://devqlik.url.com/hub/my/work   -> I can see the same set of apps under my work. I am  able to edit the script and run the script which hits the Dev node which is fine.

I really want to restrict anyone not to run script when they are in Prod node. How can I achieve this type of security?

Thanks

1 Solution

Accepted Solutions
Bastien_Laugiero

Hello @jpjust

This really depend on how your environment looks like but here is a scenario with 3 nodes that would allow you to achieve the described outcome. Hope this will help you applying something similar in your environment. 

Environment:

QlikServer1: Central node - Act as a Qlik Sense Proxy

QlikServer2: Rim node - Act as a Qlik Sense Engine and configured as DEV Purpose in the QMC

QlikServer3: Rim node - Act as a Qlik Sense Engine and configured as PROD Purpose in the QMC

Configuration:

  • VirtualProxy1 with prefix "dev" is configured to load balance to QlikServer2
  • VirtualProxy2 with prefix "prod" is configured to load balance to QlikServer3
  • LoadBalancing rule ResourcesOnNonCentralNodes is disabled

Now you will need to created two addition LoadBalancing rule

  • Load Balancing Rule 1 (for dev):
    • Resource filter: App_*
    • Conditions: ((node.nodePurpose="Development"))
  • Load Balancing Rule 2 (for prod)
    • Resource filter: App_*
    • Conditions: ((node.nodePurpose="Production" and !resource.stream.Empty()))

With this scenario, "My work" will not appear when pointing to the prod virtual proxy and no unpublished application will be available on the prod engine. 

Hope this helps!

 

 

Bastien Laugiero
If a post helps to resolve your issue, please mark the appropriate replies as CORRECT.

View solution in original post

6 Replies
Bastien_Laugiero

Hello @jpjust

This really depend on how your environment looks like but here is a scenario with 3 nodes that would allow you to achieve the described outcome. Hope this will help you applying something similar in your environment. 

Environment:

QlikServer1: Central node - Act as a Qlik Sense Proxy

QlikServer2: Rim node - Act as a Qlik Sense Engine and configured as DEV Purpose in the QMC

QlikServer3: Rim node - Act as a Qlik Sense Engine and configured as PROD Purpose in the QMC

Configuration:

  • VirtualProxy1 with prefix "dev" is configured to load balance to QlikServer2
  • VirtualProxy2 with prefix "prod" is configured to load balance to QlikServer3
  • LoadBalancing rule ResourcesOnNonCentralNodes is disabled

Now you will need to created two addition LoadBalancing rule

  • Load Balancing Rule 1 (for dev):
    • Resource filter: App_*
    • Conditions: ((node.nodePurpose="Development"))
  • Load Balancing Rule 2 (for prod)
    • Resource filter: App_*
    • Conditions: ((node.nodePurpose="Production" and !resource.stream.Empty()))

With this scenario, "My work" will not appear when pointing to the prod virtual proxy and no unpublished application will be available on the prod engine. 

Hope this helps!

 

 

Bastien Laugiero
If a post helps to resolve your issue, please mark the appropriate replies as CORRECT.
jpjust
Specialist
Specialist
Author

Thanks Bastien. Really appreciate it. I will try it out.

I have attached my environment here. Based upon my environment, do you suggest any changes from what you have outlined above?

I would like to have this same security implemented for root admin as well. 

Thanks

Bastien_Laugiero

It is difficult to say only based on this screenshot. 

The one tip that I can give you is to not use the Central node engine in the Production Virtual Proxy (In the load balancing section)

The central node has the particularity to have access to every app and there is nothing that can be configured to prevent that. 

Finally the scenario I have presented will also apply to root admin yes. 

Bastien Laugiero
If a post helps to resolve your issue, please mark the appropriate replies as CORRECT.
jpjust
Specialist
Specialist
Author

Ok Thanks Bastien. I will give it a go.

Bastien_Laugiero

Let us know how it goes and if you need additional help along the way. 

Bastien Laugiero
If a post helps to resolve your issue, please mark the appropriate replies as CORRECT.
jpjust
Specialist
Specialist
Author

Hi Bastien - I implemented that rule. Then all the apps from Dev stream (Logged to dev url ) vanished including tre apps on my work folder.

No change in Prod url, every stream and the apps are visible including my work folder.

If you need any information from my environment, please let me know.