Hi, All,
I created the following two security roles.
CustomizedContentadmin
Resources:Stream_*,App*,ReloadTask_*,UserSyncTask_*,SchemaEvent_*,User*,CustomProperty*,Tag_*,DataConnection_*,CompositeEvent_*,Extension_*,ContentLibrary_*,FileExtension_*,FileExtensionWhiteList_*,SystemNotification_*,FileReference*
CustomizedDeveloper
Resources:App*,ReloadTask_*,SchemaEvent_*,Tag_*,DataConnection_*,CompositeEvent_*,Extension_*,ContentLibrary_*,FileExtension_*,FileExtensionWhiteList_*,SystemNotification_*,FileReference*,Scheduler*
Compared with CustomizedContentadmin, the CustomizedDeveloper role has Scheduler* added, and has Stream_*, UserSyncTask_*, User*, CustomProperty* removed. So basically the CustomizedContentadmin role has access to more resources than CustomizedDeveloper, except Scheduler. That means for data connections, when users with these two roles log into the hub site, they should be able to see the same data connections listed there. However, when the roles are applied, users with the CustomizedDeveloper role are able to see all data connections in the hub, including those connections created by other users. But users with the CustomizedContentadmin role can only see a few data connections. I cannot find what the cause is, and need a second pair of eyes on it. Could you help?
Thanks
Bo
Can you please post a screenshot of each of your security roles with all of the configured properties? Just the resource filter is not enough to diagnose this issue.
Customized_developer role screen shot
Customized_contentadmin role screen shot
Thanks for your reply. Screenshots have been uploaded.
One more thing. CustomizedContentAdmin users also have DeploymentAdmin role.
Nothing looks obviously amiss there. On off-hours can you cycle services to see if it's some weird caching issue? That shouldn't be needed but I've seen it come up from time to time.
Agreed @Levi_Turner. It's odd.
@Jeffrey_Li when you are in the problematic security rule go into the audit pane on the right and filter on a single user that *should* have these read rights and select "Data Connection" as the resource. Click "Preview" on the security rule to see what comes up. Does the user show up with a blue block for "R" meaning the rule grants them read rights? What about if you click audit? Look for a data connection that they *should* have - what color is the box? Double click the "R" box - which security rules are displayed and can you provide a screenshot?
One thing that I've seen with security rules is that when trying to do certain security functions for hub activities you need to configure it "Only in Hub" even though you aren't trying to restrict it to hub, per se. Try that and see if your test user can now see the data connections.
Thanks @Levi_Turner @andoryuu for your reply. I will find a time to restart the services and let users try again. Will let you know.
@Jeffrey_Li You can also try my “only in hub” suggestion before having to cycle the services.