Skip to main content

Deployment & Management

Discussion board where members learn more about Qlik Sense Installation, Deployment and Management.

cancel
Showing results for 
Search instead for 
Did you mean: 
caio_caminoski
Creator
Creator

Separate Publishing of Sheets to Community and Publishing Apps to Streams

Hello everyone!

I have been trying to make some security rules work in Qlik Sense, but haven't been successful so far. 

My problem:

I want a few users to be able to publish apps from the hub (custom property user.@UserType="Developer") but I don't want anyone to be able to publish sheets to the community. Apparently, my security rules either let people do both or deny permission to do both. I am trying to split these actions to be controlled by two different security rules (as it is pointed out here). 

My original Security Rule (allows developers to publish in the community and publish app from hub):

Resource: Stream_*

Actions: Publish

Condition: ((user.@UserType="Developer"))

 

Can you help me figure out how to implement a security rule that only gives permission to publish apps from the hub but does not grant permission to publish a sheet to the community?

 

I tried a lot of different things to do that, for example:

Condition: user.@UserType="Developer" and resource.objectType != "sheet"

Condition: user.@UserType="Developer" and resource.resourcetype="App" and resource.published ="false"

etc...

 

Resource:

 https://support.qlik.com/articles/000059601

Labels (4)
1 Solution

Accepted Solutions
Levi_Turner
Employee
Employee

This was tested in a clean June 2019 environment, but in order to decouple things and isolate app publishing from app.object publishing, it was as simple as disabling the OwnerPublishAppObject rule.

As background, up until September 2018, the right to publish to a stream and publish an App.Object were coupled. Beginning in September 2018, they can be de-coupled.

An inspection of the condition for the OwnerPublishAppObject rule is illustrative of this history:

resource.IsOwned() and resource.owner = user and resource.approved = "false" and resource.app.stream.HasPrivilege("publish")

In plain English, so long as the App.Object is: (1) owned by the current user, (2) is not approved (aka isn't a base sheet), and (3) the user has the right to publish in the stream, then they can publish the App.Object.

Disabling that rule prevents all users from publishing sheets to the Community in Published apps.

If you wanted to provide some users the ability to publish to the Community then I would build out a new rule:

  • Name: Whatever
  • Resource Filter: App.Object_*
  • Actions: Publish:
  • Conditions: resource.IsOwned() and resource.owner = user and resource.approved = "false" and SOME USER FILTER

By removing the resource.app.stream.HasPrivilege("publish") bit, you will no longer require the user to have publish rights on the stream to be able to publish a Sheet to the Community.

Cheers.

View solution in original post

4 Replies
Levi_Turner
Employee
Employee

What version of Qlik Sense are you on?

caio_caminoski
Creator
Creator
Author

Thank you for the reply @Levi_Turner . The version is the June 2019.

 

Cheers

Levi_Turner
Employee
Employee

This was tested in a clean June 2019 environment, but in order to decouple things and isolate app publishing from app.object publishing, it was as simple as disabling the OwnerPublishAppObject rule.

As background, up until September 2018, the right to publish to a stream and publish an App.Object were coupled. Beginning in September 2018, they can be de-coupled.

An inspection of the condition for the OwnerPublishAppObject rule is illustrative of this history:

resource.IsOwned() and resource.owner = user and resource.approved = "false" and resource.app.stream.HasPrivilege("publish")

In plain English, so long as the App.Object is: (1) owned by the current user, (2) is not approved (aka isn't a base sheet), and (3) the user has the right to publish in the stream, then they can publish the App.Object.

Disabling that rule prevents all users from publishing sheets to the Community in Published apps.

If you wanted to provide some users the ability to publish to the Community then I would build out a new rule:

  • Name: Whatever
  • Resource Filter: App.Object_*
  • Actions: Publish:
  • Conditions: resource.IsOwned() and resource.owner = user and resource.approved = "false" and SOME USER FILTER

By removing the resource.app.stream.HasPrivilege("publish") bit, you will no longer require the user to have publish rights on the stream to be able to publish a Sheet to the Community.

Cheers.

caio_caminoski
Creator
Creator
Author

Ahh! Great, I hadn't seen this security rule OwnerPublishAppObject. Disabling it did the work!

 

Thank you very much for your help!