Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
Hello,
I recently tried to get some App Scripts via the Engine API. But I noticed, I sometimes get empty scripts as result. After testing a little bit with the engine explorer I found Apps which I own, I can get the script of. Apps I don't own not, besides me being root admin. So my question is, is there any security rule I need to modify to also getScripts of Apps I do not own?
Best
As far as i know there is only one default security rule that is related to the app scripts. The rule name is "Stream".
(
resource.resourcetype = "App"
and resource.stream.HasPrivilege("read")
)
or
(
(
resource.resourcetype = "App.Object"
and resource.published ="true"
and resource.objectType != "app_appscript"
and resource.objectType != "loadmodel"
)
and
resource.app.stream.HasPrivilege("read")
)
In the second part of the rule there is and resource.objectType != "loadmodel" part. This part governs the script availability.
WARNING: this is a base rule. Modifying it have consequences that affect all users of the system!
Stefan
Thanks for the info Stefan,
is there any other way to grant rootAdmin access to all scripts? It kinda feels weird, that a role called rootAdmin, doesn't have all privilges per default?
You can try and add additional rule explicitly "targeting" specific user(s) and the script. Its a bit of a trial and error (imo) with security rules. But in general security rules are "permissive". Which means that if there are 2 security rules applied in the current case and one of them returns "true" and the other one "false" then the result will be "true"
If you check the context of the "RootAdmin" security rule you'll see that it is "QMC". Which means that RootAdmin have meaning only in QMC and such users have full control but only in QMC. In the Hub RootAdmin privileges have no meaning and you'll have to have a rule with Hub context that specifies the script (being a Hub "entity") permissions. (Such as the "Stream" security rule or another).
Stefan
It may also be possible to utilize the QMC context rule by including the header
X-Qlik-Security: Context=ManagementAccess;
-Rob
Hi Rob,
is there a specific QMC Context Security rule or are you talking about something different ?
Best
What Context=ManagementAccess does is apply the Security Context of "Only in QMC". Same as using the dropdown in QMC Audit.
Or in a Security Rule Def:
-Rob