Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Necator
Contributor III
Contributor III
‎2023-02-06 03:57 AM

Engine API GetScript Empty

Hello,

I recently tried to get some App Scripts via the Engine API. But I noticed,  I sometimes get empty scripts as result. After testing a little bit with the engine explorer I found Apps which I own, I can get the script of. Apps I don't own not, besides me being root admin. So my question is, is there any security rule I need to modify to also getScripts of Apps I do not own?

 

Best

Labels (1)
Labels

  • API

591 Views
0 Likes
6 Replies
stefanstoichev123
Creator
Creator
‎2023-02-06 07:04 AM

As far as i know there is only one default security rule that is related to the app scripts. The rule name is "Stream".

 

 

(
   resource.resourcetype = "App" 
   and resource.stream.HasPrivilege("read")
) 
or 
(
  (    
         resource.resourcetype = "App.Object" 
     and resource.published ="true" 
     and resource.objectType != "app_appscript" 
     and resource.objectType != "loadmodel"
   ) 
   and 
     resource.app.stream.HasPrivilege("read")
)

In the second part of the rule there is and resource.objectType != "loadmodel" part. This part governs the script availability.

 

WARNING: this is a base rule. Modifying it have consequences that affect all users of the system!

 

Stefan

562 Views
0 Likes
Necator
Contributor III
Contributor III
‎2023-02-06 07:18 AM
Author

Thanks for the info Stefan,

is there any other way to grant rootAdmin access to all scripts? It kinda feels weird, that  a role called rootAdmin, doesn't have all privilges per default?

559 Views
0 Likes
stefanstoichev123
Creator
Creator
‎2023-02-06 07:29 AM

You can try and add additional rule explicitly "targeting" specific user(s) and the script. Its a bit of a trial and error (imo) with security rules. But in general security rules are "permissive". Which means that if there are 2 security rules applied in the current case and one of them returns "true" and the other one "false" then the result will be "true"

 

If you check the context of the "RootAdmin" security rule you'll see that it is "QMC". Which means that RootAdmin have meaning only in QMC and such users have full control but only in QMC. In the Hub RootAdmin privileges have no meaning and you'll have to have a rule with Hub context that specifies the script (being a Hub "entity") permissions. (Such as the "Stream" security rule or another).

 

Stefan

556 Views
0 Likes
rwunderlich
Partner Ambassador/MVP
Partner Ambassador/MVP
‎2023-02-06 07:13 PM

In response to stefanstoichev123

It may also be possible to utilize the QMC context rule by including the header

X-Qlik-Security:  Context=ManagementAccess;

https://help.qlik.com/en-US/sense-developer/November2022/Subsystems/ProxyServiceAPI/Content/Sense_Pr...

-Rob

530 Views
0 Likes
Necator
Contributor III
Contributor III
‎2023-02-07 03:23 AM
Author

Hi Rob,

 

is there a specific QMC Context Security rule or are you talking about something different ?

 

Best

518 Views
0 Likes
rwunderlich
Partner Ambassador/MVP
Partner Ambassador/MVP
‎2023-02-07 12:35 PM

In response to Necator

What Context=ManagementAccess does is apply the Security Context of "Only in QMC". Same as using the dropdown in QMC Audit.

rwunderlich_0-1675791192605.png

Or in a Security Rule Def:

rwunderlich_1-1675791286146.png

 

-Rob

504 Views
0 Likes