If you could identify some bit of information you could use in a security rule to determine which type of access it is, you could set up separate security rules for each.  A significant question is will you be able to enforce this via convention, for example  hub users will use one proxy and API users will use another?  Or do you require that this be hard security such that a malicious API user couldn't game the system and pretend to be a hub user?  Which level of security do you require?

Will the API users you are tasked with blocking come in on a different network interface than internal Hub users who should have more access?

-Rob

Firstly, thanks @rwunderlich  and @ajaykakkar93  for yours answer. 

I think I should be more specific so you can understand the problem. 

I have a QlikSense aplication with some sensitive data in some fields. But I need these fields to work with master items using aggregation functions (ex.: count(distinct sensitive_data), ...)

We decide to do a Mashup to better display the objects in a HTML page, using da API Javascript (https://help.qlik.com/en-US/sense-developer/August2023/Subsystems/APIs/Content/Sense_ClientAPIs/Capa...).

We tried to use the HidePreffix (https://help.qlik.com/pt-BR/qlikview/May2023/Subsystems/Client/Content/QV_QlikView/Scripting/SystemV...), but it only hides the fields. So if you know the name of the field or try to get it right, you will have access to the sensitive data.

This Mashup needs to be public on internet.

So, we need some configuration on the QlikSense application that blocks the access to specific fields via javascript API functions, but it stills permit that access to master items that do calculations with these sensitive data.

Hi,
In order to obtain a list of master measures or dimensions, you can use the creategenericobject() function. However, if you wish to exclude certain master dimensions from being listed or prevent data from being published for specific developers or users who have the ability to edit the mashup, you may need to use section access and apply the OMIT option to omit the relevant fields for these individuals. They will still be able to view the list of master measures or dimensions, but will not have access to the data related to those fields due to the application of section access.

Conclusion:

1. Master Dimension, Mesure Or Variable List cannot be restricted for specific developers or users
2. Section access OMIT can be used in your use-case

Hi @Dcarvalho, there isn't a "true" out-of-box solution to your problem and but there are measures you can take to make it difficult for users to get to the data that you don't want them to have access to. Essentially you want to make it as hard as possible for users to find a point in the code that they can intercept -

- Avoid using console.log() and similar methods that give users an easy way in to your code.
- Don't use global variables, especially for the Qlik API objects
- Minify and obfuscate your code to make it more difficult for users to intercept the code execution at a point where they can poke around with the APIs/Web Socket

These will help prevent the "hacking" but they won't stop it. If you want a better solution then you'll need to build a Web Socket proxy to process the traffic, which will give you the ability to prevent certain API methods or check for particular fields/properties before processing the request.

Obviously this adds more time and effort to the development so you'll need to evaluate if it's necessary or not. It takes a very specific skillset and knowledge of the Qlik APIs (along with a very determined user) to be able to extract the information.

I'm curious about the use case for needing it in an expression but not wanting it exposed. Does that mean you never actually display the value to user? If so, perhaps you could just hash the value or use and internal mapping mechanism to hide the true value but still be able to use it in your expressions?