Qlik Community

Ask a Question

Deployment & Management

Discussion board where members learn more about Qlik Sense Installation, Deployment and Management.

Announcements
Qlik Insider - Maximize your investment, Join this webinar, May 26th. Register Today
cancel
Showing results for 
Search instead for 
Did you mean: 
dana
Creator
Creator

Streams Security rules

Hi People,

I have a couple of questions:

1. How can I limit a user to view in the hub only a specific stream?

2. I created a stream with Update for the user, but he still can't edit an app.

The rule is:

StreamRule.png

Thanks in advance!

 

Labels (2)
1 Solution

Accepted Solutions
Bastien_Laugiero

Hi, 

So if the user has Professional license then it should be prioritized so I don't think this is the cause. 

Here is a quick test you can perform. 

Create a security rule with the following parameters:

Filter: App*
Action: Read, Update, Create
Condition: User.name = "Username"

Note: This is just for testing purposes to understand if the issue comes from the security rules or the type of license. 

Bastien Laugiero
If a post helps to resolve your issue, please mark the appropriate replies as CORRECT.

View solution in original post

11 Replies
Bastien_Laugiero

Hello!

This question depends on how much security rules customization you have already made. 

Security rules are only permissive and not forbidding. This means that your security rule can be affected by other permissive security rules set in your environment. So my below explanation will be based on a default environment with no custom security rules:

  • To limit a user to see only a particular stream you can create a rule like below
Filter: Stream_ID
Action: Read
Condition: User.name = "Username"

 You will also need to disable or modify the default security rule called "StreamEveryone". This rule gives access to the stream "Everyone" to any authenticated user. 

  • Regarding your second question, it depends what you are trying to edit. You are not supposed to edit the script or base sheet of a published application. However you should be able to create/modify personal sheets. By default, if you have read permission in a stream (like above) you have those permissions. 

Hope this helps!

Bastien Laugiero
If a post helps to resolve your issue, please mark the appropriate replies as CORRECT.
dana
Creator
Creator
Author

Hi Bastien,

re the 2nd question:

I realized that the specific user has an Analyzer license which is in a Quarantined status, and allocated a Professional license as well. Could that be the reason that the user cannot duplicate a sheet?

Thank you!

Bastien_Laugiero

Hi, 

So if the user has Professional license then it should be prioritized so I don't think this is the cause. 

Here is a quick test you can perform. 

Create a security rule with the following parameters:

Filter: App*
Action: Read, Update, Create
Condition: User.name = "Username"

Note: This is just for testing purposes to understand if the issue comes from the security rules or the type of license. 

Bastien Laugiero
If a post helps to resolve your issue, please mark the appropriate replies as CORRECT.

View solution in original post

dana
Creator
Creator
Author

Hi Bastien,

Now it's working!

Can you explain the reason?

Thank You!

 

dana
Creator
Creator
Author

Hi Sebastian,

I would appreciate you kind help in defining a permanent solution.

Is the rule you suggested should be implemented as is or should I do something else  in order not to impact other users?

Thank you!

 

 

Bastien_Laugiero

Hi!

Thanks for the test and this confirms that the issue is related to custom security rules.

In a default system, the fact that you would give "Read" permission to a stream will automatically gives you rights to see any application within that stream and create any AppObject (sheet, chart,...)

This is handled by two security rules named: "Stream" and "CreateAppObjectsPublishedApp"

The fact that it does not work in your environment means that at least one of these security rule has been altered or disabled or removed. 

Could you check these two rules and see if they have been customized or disabled (Feel free to attach a screenshot)?

By default they look like this: 

Name: Stream
Filter: App*
Action: Read
Condition: (resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))
Context: Both in hub and QMC

Name: CreateAppObjectsPublishedApp
Filter: App.Object_*
Action: Create
Condition: !resource.App.stream.Empty() and resource.App.HasPrivilege("read") and (resource.objectType = "userstate" or resource.objectType = "sheet" or resource.objectType = "story" or resource.objectType = "bookmark" or resource.objectType = "snapshot" or resource.objectType = "embeddedsnapshot" or resource.objectType = "hiddenbookmark") and !user.IsAnonymous()
Context: Only in hub
Bastien Laugiero
If a post helps to resolve your issue, please mark the appropriate replies as CORRECT.
dana
Creator
Creator
Author

Hi Sebastien,

Thanks for you prompt reply.

Indeed, the Stream rule was modified (marked in red), whereas the  CreateAppObjectsPublishedApp rule is the default one.

(resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read")and (resource.objectType != "sheet"))

How does it impact?

Thanks!

Bastien_Laugiero

Hi, 

Yes one will affect the other. Basically the rule "Stream" exclude the AppObject type "Sheet" and then as a result the security rule "CreateAppObjectsPublishedApp" does not apply specifically on AppObject type "Sheet".

To implement a proper solution, you may want to check internally with the person/team who implemented that change and understand what is the requirement / reason behind that. 

Bastien Laugiero
If a post helps to resolve your issue, please mark the appropriate replies as CORRECT.
dana
Creator
Creator
Author

Hi Sebastien,

I have modified the original rule you suggested, filtering a specific app, and it seems to be ok.

Any "side effects" I'm not aware of?

Thanks!

 

APP RULE.png