jpjust
Specialist

Security on Load Data- Dev and Prod on same cluster

All,

I have my environment like this and am trying to tighten the security. Please let me know how to achieve this.

I have Dev and Prod on cluster.

Prod Link: https://qlik.url.com/hub/my/work -> I can see few apps under my work. I am also able to edit the script and run the script, which hits the Prod node. Ultimately I should not be able to see the "work" folder OR I should not be able to run the script.

Dev Link: https://devqlik.url.com/hub/my/work -> I can see the same set of apps under my work. I am able to edit the script and run the script, which hits the Dev node, which is fine.

I really want to prevent anyone from running the script when they are on the Prod node. How can I achieve this type of security?

Thanks

1 Solution

Accepted Solutions
Bastien_Laugiero

Hello @jpjust

This really depends on what your environment looks like, but here is a scenario with 3 nodes that would allow you to achieve the described outcome. Hope this will help you apply something similar in your environment.

Environment:

QlikServer1: Central node - Acts as a Qlik Sense Proxy

QlikServer2: Rim node - Acts as a Qlik Sense Engine and configured as DEV Purpose in the QMC

QlikServer3: Rim node - Acts as a Qlik Sense Engine and configured as PROD Purpose in the QMC

Configuration:

  • VirtualProxy1 with prefix "dev" is configured to load balance to QlikServer2
  • VirtualProxy2 with prefix "prod" is configured to load balance to QlikServer3
  • LoadBalancing rule ResourcesOnNonCentralNodes is disabled

Now you will need to create two additional LoadBalancing rules:

  • Load Balancing Rule 1 (for dev):
    • Resource filter: App_*
    • Conditions: ((node.nodePurpose="Development"))
  • Load Balancing Rule 2 (for prod)
    • Resource filter: App_*
    • Conditions: ((node.nodePurpose="Production" and !resource.stream.Empty()))

With this scenario, "My work" will not appear when pointing to the prod virtual proxy and no unpublished application will be available on the prod engine. 

Hope this helps!

 

 

Bastien Laugiero
If a post helps to resolve your issue, please mark the appropriate replies as CORRECT.
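
Added example, not part of the original post and not Qlik's own code: a simplified Python model of the two load balancing rules above, useful for reasoning about which engine nodes can serve unpublished ("My work") apps before changing the QMC. The names `Node`, `App`, `Rule`, `apps_on_node` and `unpublished_exposed` are hypothetical, the sample apps are constructed, and the default rule is modelled as "every app on every non-central node" (an assumption); the central node holding every app follows the remark made later in this thread.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Node:
    name: str
    purpose: str              # node purpose as set in the QMC
    is_central: bool = False

@dataclass(frozen=True)
class App:
    name: str
    stream: Optional[str]     # None = unpublished app living in "My work"

@dataclass
class Rule:
    name: str
    condition: Callable[[Node, App], bool]
    enabled: bool = True

# Constructed sample environment mirroring the three-node scenario.
# The central node's purpose is not stated on the page and is unused here.
CENTRAL = Node("QlikServer1", "Production", is_central=True)
DEV = Node("QlikServer2", "Development")
PROD = Node("QlikServer3", "Production")
APPS = [App("Sales", "Finance"), App("Scratch", None)]

RULES = [
    # Default rule, disabled as in the answer (condition is an assumption).
    Rule("ResourcesOnNonCentralNodes", lambda n, a: not n.is_central, enabled=False),
    # node.nodePurpose="Development"
    Rule("LB dev", lambda n, a: n.purpose == "Development"),
    # node.nodePurpose="Production" and !resource.stream.Empty()
    Rule("LB prod", lambda n, a: n.purpose == "Production" and a.stream is not None),
]

def apps_on_node(node, apps, rules):
    """Apps an engine node can open: the central node has all of them,
    a rim node only those granted by an enabled load balancing rule."""
    if node.is_central:
        return {a.name for a in apps}
    return {a.name for a in apps
            if any(r.enabled and r.condition(node, a) for r in rules)}

def unpublished_exposed(proxy_nodes, apps, rules):
    """Unpublished apps reachable through a virtual proxy's engine nodes."""
    unpublished = {a.name for a in apps if a.stream is None}
    reachable = set().union(*(apps_on_node(n, apps, rules) for n in proxy_nodes))
    return sorted(reachable & unpublished)
```

Calling `unpublished_exposed([PROD, CENTRAL], APPS, RULES)` shows why the central node engine should stay out of the prod virtual proxy: the unpublished app becomes reachable again even though the prod rule excludes it.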


6 Replies
jpjust
Specialist
Author

Thanks Bastien. Really appreciate it. I will try it out.

I have attached my environment here. Based upon my environment, do you suggest any changes from what you have outlined above?

I would like to have this same security implemented for root admin as well. 

Thanks

Bastien_Laugiero

It is difficult to say only based on this screenshot. 

The one tip that I can give you is to not use the Central node engine in the Production Virtual Proxy (in the load balancing section).

The central node has the particularity to have access to every app and there is nothing that can be configured to prevent that.

Finally, the scenario I have presented will also apply to root admin, yes.

Bastien Laugiero
jpjust
Specialist
Author

Ok Thanks Bastien. I will give it a go.

Bastien_Laugiero

Let us know how it goes and if you need additional help along the way. 

Bastien Laugiero
jpjust
Specialist
Author

Hi Bastien - I implemented that rule. Then all the apps from the Dev stream (logged in to the dev URL) vanished, including the apps in my work folder.

No change in Prod url, every stream and the apps are visible including my work folder.

If you need any information from my environment, please let me know.