In my organization, we have a Qlik Sense Enterprise server. We have a website where we create mashups for non-public apps (no anonymous access allowed).
For each mashup:
- Our website authenticates the user and checks if they are authorized to access the mashup.
- If not authorized: we show an error message.
- If the user is authorized:
- Our website requests a ticket from the QPS API.
- We make the user's browser request a static resource from the Qlik Sense server, consuming the ticket, which starts the session and establishes the cookie.
- Once the session is started, using the Capability API, we open the Qlik Sense app, retrieve objects and embed them into our website's HTML.
The thing is we didn't want to manage user rights on Qlik, because we already had all permissions set in our website. We wanted Qlik to be as detached from the actual permissions and security rules as possible.
With this in mind, we designed a very simple system: one dummy user per app and each user has access to that app and only to that app. One single access rule: userId = appId.
This way, with the QRS, we request a ticket for the dummy user, the human's browser consumes the ticket and immediately opens the app with the Capability API.
This approach looked very good because:
- A ticket can never be used to access more than one app.
- Qlik Sense is completely free of complex security rules, which were already implemented in our website's code.
However, we are experiencing some issues:
- If, on tab T1 of the browser, you open mashup M1, linked to app A1, everything works fine.
- If you then, on tab T2 of the browser, open mashup M2, linked to app A2, everything works fine.
- If you go back to tab T1 of the browser, all interaction (selections, retrieving visualizations, etc.) with app A1 works fine, but:
- Images from app A1's content library that were not loaded before app A2 was open will not be loaded.
- You can start data exports for app A1's visualisations, but you will not be able to download the resulting file.
This is because whenever we open a new mashup, linked to a new app (A2), we obtain a new ticket, linked to another Qlik Sense user (also called A2). So, even if the Capability API works fine because it relies on the unaffected WebSocket connection, any kind of HTTP request sent to the server will be linked to user A2. So, all resources of app A1 will be forbidden.
Our question is: What would be the best strategy to follow in our case to solve this issue?
We thought of creating one virtual proxy per app (~300 apps), but we don't know how that would affect performance. Also, even though we could create the per-app virtual proxy on the fly, that would invalidate ALL sessions linked to the central proxy, which we don't want. All users would be immediately logged out.
We really would like to keep the security handled by our website and Qlik believing blindly what the website says.
Permissions are set dynamically through a web interface on our website and they can change often. They are based on usernames, departments, email addresses, users belonging to groups defined on our website and some other details that are not necessarily stored in Qlik Sense.
What we need to achieve is something like each mashup having its own Qlik Sense HTTP session (cookie) so they don't overwrite each other's sessions. When you export data from app A1, you retrieve it with a Cookie linked to user A1. When you export data from app A2, you retrieve it with a Cookie linked to user A2.
If anyone has had a similar problem in the past with non-public mashups that require authentication and authorization handled by external systems, I would love to hear how they managed to implement the security on Qlik Sense.
Thanks a lot for your ideas!
.png "Luminary Alumni"){kind=icon}
