Hi,
I know there are lots of posts on this sort of topic already, but rather than try and stitch together separate bits of advice, I'm hoping someone can just steer me right, so I can ensure the correct Streams and Apps are visible to the relevant users, with the correct access level.
My current situation is as follows:
- About 30 data extract apps and 30 front end apps.
- The apps have been published to Streams based on department. I currently have 14 streams (7 for data extracts and 7 for front ends).
- 2 types of user initially:
* Developers - to be given access to specific Streams only (extract and front end) and every app within those streams. Create, Read, Update, Export Data, Duplicate rights.
* Testers - a handful of general users, to be given access to specific Streams (front end only) and only specific apps within those streams. Read and Export Data rights only.
- No users will have access to every app in a stream, even after testing is complete, so it is essential to handle user access at App level.
- Initially, I want to grant Developer and Tester access specifically by username. I have an AD group set up for each front end app, so once the testing is complete, the specified Testers will be replaced by the relevant AD groups. The Developers can continue to be specified by username.
I began trying to configure this in Qlik Sense, but ran into difficulty with the Testers access. Here's what I did:
1. Security Rules: Created a new rule for certain Developers to access 1 stream. Resource Filter = Stream_<streamID>, Actions as noted above, users specified by name. Works fine, developers can see all apps in stream.
2. Security Rules: Created a new rule for certain Testers to access the same stream, but with fewer permissions (Actions).
3. Need to limit the particular apps the Testers can see, so went to Custom Properties: Created AppLevelMgmt Set Resource Types = Apps and Users.
4. In the AppLevelMgmt custom property, set Values for several (front end) Apps.
5. Security Rules: Disabled the default Stream rule.
6. Security Rules: Duplicated the default Stream rule, renamed it to App Access. Added a Condition: @AppLevelMgmt.empty(). Ensured it was enabled. As I understand it, this means the user can now see the Stream, but no apps within it at this stage.
7. Apps: Edited each App. Under Custom Properties > AppLevelMgmt, applied the relevant Value created in step 4.
8. Users: Edited each Tester. Under Custom Properties > AppLevelMgmt, applied the relevant Values created in step 4.
The stream is visible (to a sample user) and he can see thumbnails for every app in the stream (not just those I created custom properties for). When he tries to open any app, it appears to be blank (no sheets). When he right-clicks a thumbnail, it does nothing, so can't Duplicate.
I also tried some additional steps:
9. Custom Properties: Created new property called StreamLevelMgmt, Resource Types set to Streams and Users.
10. Applied a value for the front end Stream.
11. Streams: Applied this Value to the Stream.
12. Users: Applied this Value to the User.
However, this made no difference, the user can still see all thumbnails, but can't open any.
So... can you tell me where I've gone wrong, and how to fix?
Thanks,
G
What does your @Group do? That looks like it's already attached to the app - is that not the AD group? If it's not, then I believe what you need is this:
((resource.stream.HasPrivilege("read") and (user.group = resource.@ADGroupReadRights ) and (user.@AppLevelMgmt=resource.@AppLevelMgmt or user.group=resource.@Group )))
Keep banging away at it....
Right, I made a handful of changes, and I think I might be there now.
* Edited the AppAccessSpec rule - the @Group was erroneous - something I'd copied from another solution. So got rid of that, and added or user.group = @ADGroupRead to the Conditions. 'or' rather than 'and', so I can grant access either by specific users OR by AD group.
* Edited the AppAccess rule - included resource.@ADGroupRead.empty(). I'm not sure if this is strictly necessary, but is in keeping with the existing resource.@AppLevelMgmt.empty().
* Edited the ADGroupRead property - values now consist of all the relevant AD group names.
* Edited each front end App > Custom Properties to include the relevant AD group in the ADGroupRead property.
* Deleted the StreamAccessSpec rule and StreamLevelMgmt property, as unneeded.
* I've also made some AD group name changes and stuff to standardise things. I noted that after updating the list in the ADGroupRead property, the corresponding property on the App disappears and needs re-adding with its new name. Just something for me to be aware of, in case of future changes.
I've done some testing and I *think* it's all working as desired now. I'm going to do a full round of testing to ensure all bases are covered. Once confirmed, I'll add a reply to this thread, that lists the whole config as concisely as possible, just in case others might want to do something similar.
Thanks for your help, Andoryuu.
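Added illustration, not the poster's QMC configuration and not Qlik's own rule engine: a small Python model of the two app-level rules this thread settles on, the "App Access" rule (apps with no AppLevelMgmt and no ADGroupRead value are readable by anyone with stream read) and the "AppAccessSpec" rule (user.@AppLevelMgmt = resource.@AppLevelMgmt or user.group = resource.@ADGroupRead), both gated on resource.stream.HasPrivilege("read") as in Andoryuu's suggestion. All names (users tina/gary/olly, the HR Front End stream, the GRP_HR_* groups, the app names) are constructed; treating Qlik's multi-value custom-property comparison as set intersection is an assumption. The untagged app in the sample shows the check worth running before opening a stream: an app that carries neither property is visible to every stream reader, which is the "all thumbnails visible" symptom from the original post.

```python
"""Constructed model of the Qlik Sense rules discussed in this thread.
Not Qlik's engine; multi-value property matching is assumed to be 'any match'."""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)   # AD groups (user.group in Qlik)
    props: dict = field(default_factory=dict)  # custom property -> set of values


@dataclass
class App:
    name: str
    stream: str
    props: dict = field(default_factory=dict)  # custom property -> set of values


# Constructed stream-level access: who holds "read" on each stream. In the thread
# this comes from the per-stream Developer/Tester rules and the AD groups.
STREAM_READERS = {
    "HR Front End": {
        "users": {"tina"},
        "groups": {"GRP_HR_Holidays", "GRP_HR_Personnel"},
    },
}

APPS = [
    App("HR Holidays", "HR Front End",
        {"AppLevelMgmt": {"HR Holidays"}, "ADGroupRead": {"GRP_HR_Holidays"}}),
    App("HR Personnel", "HR Front End",
        {"AppLevelMgmt": {"HR Personnel"}, "ADGroupRead": {"GRP_HR_Personnel"}}),
    # Deliberately left untagged to show what the .empty() rule does with it.
    App("HR Untagged", "HR Front End"),
]

TESTER = User("tina", {"Domain Users"}, {"AppLevelMgmt": {"HR Holidays"}})
GENERAL_USER = User("gary", {"Domain Users", "GRP_HR_Personnel"})
OUTSIDER = User("olly", {"Domain Users"})  # no stream read at all


def has_stream_read(user, app, readers):
    """Stands in for resource.stream.HasPrivilege("read")."""
    entry = readers.get(app.stream, {"users": set(), "groups": set()})
    return user.name in entry["users"] or bool(user.groups & entry["groups"])


def rule_app_access(user, app):
    """'App Access' (duplicated default Stream rule):
    resource.@AppLevelMgmt.empty() and resource.@ADGroupRead.empty()."""
    return not app.props.get("AppLevelMgmt") and not app.props.get("ADGroupRead")


def rule_app_access_spec(user, app):
    """'AppAccessSpec':
    user.@AppLevelMgmt = resource.@AppLevelMgmt or user.group = resource.@ADGroupRead."""
    by_user = bool(user.props.get("AppLevelMgmt", set())
                   & app.props.get("AppLevelMgmt", set()))
    by_group = bool(user.groups & app.props.get("ADGroupRead", set()))
    return by_user or by_group


def can_read(user, app, readers):
    """Qlik grants access if any enabled rule evaluates true; both app rules
    are gated on stream read, so that is checked first."""
    if not has_stream_read(user, app, readers):
        return False
    return rule_app_access(user, app) or rule_app_access_spec(user, app)


def visible_apps(user, apps, readers):
    """Sorted names of the apps whose thumbnails this user can open."""
    return sorted(a.name for a in apps if can_read(user, a, readers))


def untagged_apps(apps):
    """Pre-flight check: apps that every stream reader will be able to open
    because neither custom property has been applied to them."""
    return sorted(a.name for a in apps if rule_app_access(None, a))


if __name__ == "__main__":
    for u in (TESTER, GENERAL_USER, OUTSIDER):
        print(u.name, "->", visible_apps(u, APPS, STREAM_READERS))
    print("untagged:", untagged_apps(APPS))
```

The tester sees only the app whose AppLevelMgmt value matches hers plus the untagged one; the AD-group member sees only the app whose ADGroupRead names his group plus the untagged one; a user without stream read sees nothing regardless of properties. Running `untagged_apps` against a stream before granting access is the cheap way to catch an app that slipped through without a property.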
That's great to hear! Doing custom security that doesn't require a lot of maintenance is a bear at first, but it's so, so, so worth it. We are a 4 person admin, arch AND development team (with another three-person analytics team in our BI dept with us, but not admins) and a 3 environment, 14 server, 4800 user install. Without automation, active directory, and self-service we'd have jumped off a bridge by now.
Solution
In a nutshell, my requirements were to configure user access for 3 sets of users: Testers, Developers and AD Groups for general users.
To get the above working in Qlik Sense took a fair bit of research, advice, testing and tweaking. There are numerous threads and guides on how to configure Qlik Sense access, but none quite fit my scenario. So now that I have everything working, I thought I'd post my full config as a reply and accept it as the solution, as it may potentially help others in a similar position.
SECURITY RULES
Once user testing is complete, I will remove the Testers from these rules, and replace with the relevant AD groups.
CUSTOM PROPERTIES
Should I need to, I could replace the Stream-wide CP Value HR EXT with CP Values for each individual Extract App (HR Holidays EXT, HR Personnel EXT). This would allow me to specify exactly which Extract Apps Developers can see. However, this isn’t necessary for me at the moment.
APPS
USERS
USER DIRECTORY CONNECTORS
LICENSE MANAGEMENT
ADDITIONAL NOTES