Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
Hello QS experts. I have implemented sheet level security by AD groups. All the groups that have access to the sheet called "Utilization" are granted access explicitly and the ones that don't are explicitly denied access by object name.
At first I wanted to do it by object ID, but I thought, what if a developer deleted the sheet and recreates it? What if he copies the whole app? Does it get as new ID? So I decided to go with Name but obviously, we could rename the sheet as well. I even included the App name in the rule, but even the App can change names/IDs.
My question is, what is the right way to implement this without the risk of inadvertently making the sheet visible to those that should not have access to it? How does one maintain the solution going forward?
Thanks!
Hello,
In our practice we tend to stick to Sheet ID as this is the most persistent solution:
This is still much better than relying on names as the name can be changed in a copy and the ID will remain after republish. The key is to keep App ID - Target ID relation.
The solution you can try is reversing the rule (splitting in two rules) - specify all sheets with "public" access and then set another rule for the "restricted" access sheet to AD group you have. This way if a new ID will somehow be generated for the sheet no one will have access (till you verify and add it to the list or replace the now "obsolete" one).
The downside is that you need to keep adding "new" sheets to the public rule and this adds some manual labor, but it will prevent any unwanted access in any circumstances.
Hello,
In our practice we tend to stick to Sheet ID as this is the most persistent solution:
This is still much better than relying on names as the name can be changed in a copy and the ID will remain after republish. The key is to keep App ID - Target ID relation.
The solution you can try is reversing the rule (splitting in two rules) - specify all sheets with "public" access and then set another rule for the "restricted" access sheet to AD group you have. This way if a new ID will somehow be generated for the sheet no one will have access (till you verify and add it to the list or replace the now "obsolete" one).
The downside is that you need to keep adding "new" sheets to the public rule and this adds some manual labor, but it will prevent any unwanted access in any circumstances.
This makes sense, but definitely needs attention from Qlik. In my scenario, I will be publishing the app to two streams. If I understand correctly. Only the primary published stream will keep the same IDs.
The one that I have to copy will always get new IDs everytime I revise the dashboard.
I'm almost better off sticking with these names and splitting the rule as you mentioned.
Thanks fore you're help!
May I ask what the purpose of hiding a sheet in your app is?
If it is for a better user experience, then all is good.
But if it is for security, then remember that the Qlik API let's the user create any chart they want. So "hiding" a sheet will not help much. In the sense of security, that is.
Just by pressing Selections or Insight, the user will get access to the data, that has not been restricted by section access (by row or by column).