Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
caio_caminoski
Creator
Creator
‎2019-07-23 05:59 AM

Separate Publishing of Sheets to Community and Publishing Apps to Streams

Hello everyone!

I have been trying to make some security rules work in Qlik Sense, but haven't been successful so far. 

My problem:

I want a few users to be able to publish apps from the hub (custom property user.@UserType="Developer") but I don't want anyone to be able to publish sheets to the community. Apparently, my security rules either let people do both or deny permission to do both. I am trying to split these actions to be controlled by two different security rules (as it is pointed out here). 

My original Security Rule (allows developers to publish in the community and publish app from hub):

Resource: Stream_*

Actions: Publish

Condition: ((user.@UserType="Developer"))

 

Can you help me figure out how to implement a security rule that only gives permission to publish apps from the hub but does not grant permission to publish a sheet to the community?

 

I tried a lot of different things to do that, for example:

Condition: user.@UserType="Developer" and resource.objectType != "sheet"

Condition: user.@UserType="Developer" and resource.resourcetype="App" and resource.published ="false"

etc...

 

Resource:

 https://support.qlik.com/articles/000059601

Labels (4)
1,623 Views
0 Likes
1 Solution

Accepted Solutions
Levi_Turner
Employee
Employee
‎2019-07-23 09:09 AM

In response to caio_caminoski

This was tested in a clean June 2019 environment, but in order to decouple things and isolate app publishing from app.object publishing, it was as simple as disabling the OwnerPublishAppObject rule.

As background, up until September 2018, the right to publish to a stream and publish an App.Object were coupled. Beginning in September 2018, they can be de-coupled.

An inspection of the condition for the OwnerPublishAppObject rule is illustrative of this history:

resource.IsOwned() and resource.owner = user and resource.approved = "false" and resource.app.stream.HasPrivilege("publish")

In plain English, so long as the App.Object is: (1) owned by the current user, (2) is not approved (aka isn't a base sheet), and (3) the user has the right to publish in the stream, then they can publish the App.Object.

Disabling that rule prevents all users from publishing sheets to the Community in Published apps.

If you wanted to provide some users the ability to publish to the Community then I would build out a new rule:

  • Name: Whatever
  • Resource Filter: App.Object_*
  • Actions: Publish:
  • Conditions: resource.IsOwned() and resource.owner = user and resource.approved = "false" and SOME USER FILTER

By removing the resource.app.stream.HasPrivilege("publish") bit, you will no longer require the user to have publish rights on the stream to be able to publish a Sheet to the Community.

Cheers.

View solution in original post

1,583 Views
4 Replies
Levi_Turner
Employee
Employee
‎2019-07-23 06:50 AM

What version of Qlik Sense are you on?

1,615 Views
0 Likes
caio_caminoski
Creator
Creator
‎2019-07-23 08:00 AM
Author

In response to Levi_Turner

Thank you for the reply @Levi_Turner . The version is the June 2019.

 

Cheers

1,596 Views
0 Likes
Levi_Turner
Employee
Employee
‎2019-07-23 09:09 AM

In response to caio_caminoski

This was tested in a clean June 2019 environment, but in order to decouple things and isolate app publishing from app.object publishing, it was as simple as disabling the OwnerPublishAppObject rule.

As background, up until September 2018, the right to publish to a stream and publish an App.Object were coupled. Beginning in September 2018, they can be de-coupled.

An inspection of the condition for the OwnerPublishAppObject rule is illustrative of this history:

resource.IsOwned() and resource.owner = user and resource.approved = "false" and resource.app.stream.HasPrivilege("publish")

In plain English, so long as the App.Object is: (1) owned by the current user, (2) is not approved (aka isn't a base sheet), and (3) the user has the right to publish in the stream, then they can publish the App.Object.

Disabling that rule prevents all users from publishing sheets to the Community in Published apps.

If you wanted to provide some users the ability to publish to the Community then I would build out a new rule:

  • Name: Whatever
  • Resource Filter: App.Object_*
  • Actions: Publish:
  • Conditions: resource.IsOwned() and resource.owner = user and resource.approved = "false" and SOME USER FILTER

By removing the resource.app.stream.HasPrivilege("publish") bit, you will no longer require the user to have publish rights on the stream to be able to publish a Sheet to the Community.

Cheers.

1,584 Views
caio_caminoski
Creator
Creator
‎2019-07-23 10:15 AM
Author

In response to Levi_Turner

Ahh! Great, I hadn't seen this security rule OwnerPublishAppObject. Disabling it did the work!

 

Thank you very much for your help!

 

 

1,575 Views
0 Likes