Hi People,
I have a couple of questions:
1. How can I limit a user to view in the hub only a specific stream?
2. I created a stream with Update for the user, but he still can't edit an app.
The rule is:
Thanks in advance!
Hello!
This question depends on how much security rules customization you have already made.
Security rules are only permissive and not forbidding. This means that your security rule can be affected by other permissive security rules set in your environment. So my explanation below will be based on a default environment with no custom security rules:
Filter: Stream_ID
Action: Read
Condition: User.name = "Username"
You will also need to disable or modify the default security rule called "StreamEveryone". This rule gives access to the stream "Everyone" to any authenticated user.
Hope this helps!
Hi Bastien,
re the 2nd question:
I realized that the specific user has an Analyzer license which is in a Quarantined status, and allocated a Professional license as well. Could that be the reason that the user cannot duplicate a sheet?
Thank you!
Hi,
So if the user has a Professional license, then it should be prioritized, so I don't think this is the cause.
Here is a quick test you can perform.
Create a security rule with the following parameters:
Filter: App*
Action: Read, Update, Create
Condition: User.name = "Username"
Note: This is just for testing purposes to understand if the issue comes from the security rules or the type of license.
Hi Bastien,
Now it's working!
Can you explain the reason?
Thank You!
Hi Sebastian,
I would appreciate your kind help in defining a permanent solution.
Should the rule you suggested be implemented as is, or should I do something else in order not to impact other users?
Thank you!
Hi!
Thanks for the test and this confirms that the issue is related to custom security rules.
In a default system, the fact that you give "Read" permission to a stream automatically gives you rights to see any application within that stream and create any AppObject (sheet, chart, ...).
This is handled by two security rules named "Stream" and "CreateAppObjectsPublishedApp".
The fact that it does not work in your environment means that at least one of these security rules has been altered, disabled or removed.
Could you check these two rules and see if they have been customized or disabled (Feel free to attach a screenshot)?
By default they look like this:
Name: Stream
Filter: App*
Action: Read
Condition: (resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))
Context: Both in hub and QMC
Name: CreateAppObjectsPublishedApp
Filter: App.Object_*
Action: Create
Condition: !resource.App.stream.Empty() and resource.App.HasPrivilege("read") and (resource.objectType = "userstate" or resource.objectType = "sheet" or resource.objectType = "story" or resource.objectType = "bookmark" or resource.objectType = "snapshot" or resource.objectType = "embeddedsnapshot" or resource.objectType = "hiddenbookmark") and !user.IsAnonymous()
Context: Only in hub
Hi Sebastien,
Thanks for your prompt reply.
Indeed, the Stream rule was modified (marked in red), whereas the CreateAppObjectsPublishedApp rule is the default one.
(resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read")and (resource.objectType != "sheet"))
How does it impact?
Thanks!
Hi,
Yes, one will affect the other. Basically the rule "Stream" excludes the AppObject type "Sheet", and as a result the security rule "CreateAppObjectsPublishedApp" does not apply specifically to the AppObject type "Sheet".
To implement a proper solution, you may want to check internally with the person/team who implemented that change and understand what is the requirement / reason behind that.
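The comparison discussed above (a customized "Stream" rule against its default) can be automated. The following Python check is an added example, not written by any poster in this thread and not part of Qlik's tooling: it lists the predicates added to or removed from a rule condition relative to the default quoted in the thread. The function names are hypothetical, and ignoring the case of property names is an assumption of the example.

```python
import re
from collections import Counter

# Default conditions exactly as quoted earlier in this thread.
DEFAULTS = {
    "Stream": '(resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))',
    "CreateAppObjectsPublishedApp": '!resource.App.stream.Empty() and resource.App.HasPrivilege("read") and (resource.objectType = "userstate" or resource.objectType = "sheet" or resource.objectType = "story" or resource.objectType = "bookmark" or resource.objectType = "snapshot" or resource.objectType = "embeddedsnapshot" or resource.objectType = "hiddenbookmark") and !user.IsAnonymous()',
}
# Condition of the customized "Stream" rule as posted in the thread.
OBSERVED_STREAM = '(resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read")and (resource.objectType != "sheet"))'

# A predicate is either a method call (resource.stream.HasPrivilege("read"))
# or a comparison (resource.objectType != "sheet").
ATOM = re.compile(
    r'(?P<call>!?\w+(?:\.\w+)+)\((?P<arg>[^()]*)\)'
    r'|(?P<lhs>\w+(?:\.\w+)+)\s*(?P<op>!=|=)\s*(?P<rhs>"[^"]*")')


def atoms(condition):
    """Count normalized predicates; property-name case is ignored (assumption)."""
    found = Counter()
    for m in ATOM.finditer(condition):
        if m.group("call"):
            found[f'{m.group("call").lower()}({m.group("arg").strip()})'] += 1
        else:
            found[f'{m.group("lhs").lower()} {m.group("op")} {m.group("rhs")}'] += 1
    return found


def skeleton(condition):
    """The and/or/parenthesis structure with every predicate replaced by '@'."""
    return re.findall(r'[()@!]|\w+', ATOM.sub(' @ ', condition).lower())


def drift(default, current):
    """Report predicates added to or removed from a rule condition."""
    d, c = atoms(default), atoms(current)
    return {
        "added": sorted((c - d).elements()),
        "removed": sorted((d - c).elements()),
        "structure_changed": skeleton(default) != skeleton(current),
    }


if __name__ == "__main__":
    print(drift(DEFAULTS["Stream"], OBSERVED_STREAM))
```

Because security rules are only permissive, a predicate added to a default rule narrows what that rule grants, so each entry under "added" points to access that another rule now has to provide.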
Hi Sebastien,
I have modified the original rule you suggested, filtering a specific app, and it seems to be ok.
Any "side effects" I'm not aware of?
Thanks!