Skip to main content
Announcements
Join us at Qlik Connect for 3 magical days of learning, networking,and inspiration! REGISTER TODAY and save!
cancel
Showing results for 
Search instead for 
Did you mean: 
Dcarvalho
Contributor II
Contributor II

How do I deny access via API to some objects, fields or master items?

I have an application where some objects and fields should be accessed only via QlikSense Application and not via a public Mashup. 

So, how do I configure certain object or field to do not be accessible from javascript API?

Labels (3)
9 Replies
ajaykakkar93
Specialist III
Specialist III

Hi,

Ideally, a user ID with a professional licence can use these APIs.

if there is a configuration in QMC to no anonymous users it will not be a problem.

if you want to permanently deney the request I thing this is something Qlik Support might be able to help you with.

Please mark the correct replies as Solution. Regards, ARK
Profile| GitHub|YouTube|Extension|Mashup|Qlik API|Qlik NPrinting

rwunderlich
Partner Ambassador/MVP
Partner Ambassador/MVP

If you could identify some bit of information you could use in a security rule to determine which type of access it is, you could set up separate security rules for each.  A significant question is will you be able to enforce this via convention, for example  hub users will use one proxy and API users will use another?  Or do you require that this be hard security such that a malicious API user couldn't game the system and pretend to be a hub user?  Which level of security do you require?

Will the API users you are tasked with blocking come in on a different network interface than internal Hub users who should have more access?

-Rob

Dcarvalho
Contributor II
Contributor II
Author

Firstly, thanks @rwunderlich  and @ajaykakkar93  for yours answer. 

I think I should be more specific so you can understand the problem. 

I have a QlikSense aplication with some sensitive data in some fields. But I need these fields to work with master items using aggregation functions (ex.: count(distinct sensitive_data), ...)

We decide to do a Mashup to better display the objects in a HTML page, using da API Javascript (https://help.qlik.com/en-US/sense-developer/August2023/Subsystems/APIs/Content/Sense_ClientAPIs/Capa...).

We tried to use the HidePreffix (https://help.qlik.com/pt-BR/qlikview/May2023/Subsystems/Client/Content/QV_QlikView/Scripting/SystemV...), but it only hides the fields. So if you know the name of the field or try to get it right, you will have access to the sensitive data.

This Mashup needs to be public on internet.

So, we need some configuration on the QlikSense application that blocks the access to specific fields via javascript API functions, but it stills permit that access to master items that do calculations with these sensitive data.

rwunderlich
Partner Ambassador/MVP
Partner Ambassador/MVP

"So if you know the name of the field or try to get it right, you will have access to the sensitive data"

Who is the actor you are trying to block from the field?  Is it a mashup developer who is not following the guidelines or a user from the public side using your mashup?

-Rob

Dcarvalho
Contributor II
Contributor II
Author

Is a anonymous user that has skills in javascript, he can do commands on the browser console and get access to hidden fields if he knows the names of them.

The mashup does not use any object with the field. Only will use master items with functions agreggating data from them.

ajaykakkar93
Specialist III
Specialist III

If you use this activity, in my knowledge it is going to be just fine with the above statement if u do use master in your application.

Please mark the correct replies as Solution. Regards, ARK
Profile| GitHub|YouTube|Extension|Mashup|Qlik API|Qlik NPrinting

Dcarvalho
Contributor II
Contributor II
Author

Ok, we know that its possible to use master items and we doing it.

But how do I say to Qlik that a specific field cannot be accessed throw API Table functions that a javascript developer can use browser console to read all fields from the application?

 

 

ajaykakkar93
Specialist III
Specialist III

Hi,
In order to obtain a list of master measures or dimensions, you can use the creategenericobject() function. However, if you wish to exclude certain master dimensions from being listed or prevent data from being published for specific developers or users who have the ability to edit the mashup, you may need to use section access and apply the OMIT option to omit the relevant fields for these individuals. They will still be able to view the list of master measures or dimensions, but will not have access to the data related to those fields due to the application of section access.

Conclusion:

  1. Master Dimension, Mesure Or Variable List cannot be restricted for specific developers or users
  2. Section access OMIT can be used in your use-case

 

Please mark the correct replies as Solution. Regards, ARK
Profile| GitHub|YouTube|Extension|Mashup|Qlik API|Qlik NPrinting

websy1985
Luminary Alumni
Luminary Alumni

Hi @Dcarvalho, there isn't a "true" out-of-box solution to your problem and but there are measures you can take to make it difficult for users to get to the data that you don't want them to have access to. Essentially you want to make it as hard as possible for users to find a point in the code that they can intercept -

- Avoid using console.log() and similar methods that give users an easy way in to your code.
- Don't use global variables, especially for the Qlik API objects
- Minify and obfuscate your code to make it more difficult for users to intercept the code execution at a point where they can poke around with the APIs/Web Socket

These will help prevent the "hacking" but they won't stop it. If you want a better solution then you'll need to build a Web Socket proxy to process the traffic, which will give you the ability to prevent certain API methods or check for particular fields/properties before processing the request.

Obviously this adds more time and effort to the development so you'll need to evaluate if it's necessary or not. It takes a very specific skillset and knowledge of the Qlik APIs (along with a very determined user) to be able to extract the information.

I'm curious about the use case for needing it in an expression but not wanting it exposed. Does that mean you never actually display the value to user? If so, perhaps you could just hash the value or use and internal mapping mechanism to hide the true value but still be able to use it in your expressions?