Qlik Community

Ask a Question

Knowledge Base

Search or browse our knowledge base to find answers to your questions ranging from account questions to troubleshooting error messages. The content is curated and updated by our global Support team

Announcements
Live chat with experts, bring your API Integration questions. June 15th, 10 AM ET. REGISTER TODAY

Hierarchical relationships in Security Rules for Qlik Sense

Andre_Sostizzo
Digital Support
Digital Support

Hierarchical relationships in Security Rules for Qlik Sense

Inside of Qlik Sense, user access is proscribed by the security rules which are configured in the deployment. When designing a security rule framework, it is important to understand the hierarchical relationships between different resource filters in order to ensure that the rule performs as intended.

 

Streams > Apps > App.Objects

User-added image

As illustrated above. Apps are in Streams. This means that you can use inheritance to cascade the intended action from the action assigned at the Stream level. This is used in this portion of the default Stream security rule:

(resource.resourcetype = "App" and resource.stream.HasPrivilege("read"))

The meaning of this condition is that the action will be applied to Apps where the user has read rights to the stream.

The same hierarchy exists in Apps <> App.Objects. App.Objects belong to apps and thus you can inherit rights from the App or Stream level. This is used in this portion of the default Stream security rule:

((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" 
and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))

The meaning of this condition is that the action will be applied to an App's Objects where the object is (a) published and (b) not an app_appscript or loadmodel type of App.Object when the user has read rights on the stream.

Apps > Tasks

User-added image

As illustrated above, Tasks are applied to Apps. This means that you can use inheritance to cascade the intended action from the action assigned at the App level. For example:

Filter: ReloadTask*
Action: Read, Update, Delete
Condition: ((user.name="TaskAdmin"))and (resource.App.HasPrivilege("read"))

In this rule, the user with the name TaskAdmin is able to read / update / delete all tasks which are associated with Apps which they already have Read rights to.

  • Note: As of Qlik Sense April 2018, there is no logical relationship between tasks and triggers. So an administrator cannot use inheritance for this resource type.
Labels (1)
Version history
Revision #:
5 of 5
Last update:
‎2020-09-29 04:15 AM
Updated by: