We have security set on stream level (custom properties) and not on app level. As a result users who have access to a stream can see all apps within that stream. This also means that these users can see, in case of ODAG -- with or without section access -- also the generated apps of all users.
We would like to create a security rule to allow users with access to the stream to see all apps BUT for the ODAG generated ones only the ones created by user itself.
To give an example:
Stream A with following apps:
demo1
demo2
demo_odag
demo_odag_template
demo_odag_template_<domain>-userID1
demo_odag_template_<domain>-userID2
So all users with access to the stream should be able to see:
demo1
demo2
demo_odag
demo_odag_template
UserID1 should additionally also see "demo_odag_template_<domain>-userID1" but not the one from UserID2
UserID2 should additionally also see "demo_odag_template_<domain>-userID2" but not the one from UserID1
UserID3 should not see either "demo_odag_template_<domain>-userID1" nor "demo_odag_template_<domain>-userID2"
Does anyone have a security rule suggestion on this since the ODAG apps are generated at runtime?
We solved the issue by duplicating the default Stream security rule and created a customized one to replace it.
BEFORE:
(resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))
AFTER:
( (resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read") ))
No suggestion for security rules, but ODAG by default places the generated apps in the user's Work space rather than in a stream. It sounds like that might be what you want to do?
We have a multi node (D/A/P) configuration where the WORK is only available in in the D(evelopment) node, whereas the A(cceptance) & P(ublished) are basically only read-only nodes. For ODAG the generated apps are therefor placed in the stream itself and not in the WORK.
The question for the security also applies on another purpose where we want to hide (technical / data model) apps from end users as well in the P(ublished) node.
I'm not entirely sure if this would work, but perhaps you could have the generated apps saved to a separate stream that's specifically intended for this purpose, and for that stream all apps are not shown by default, and a security rule allows access only in cases where the app name is like *username? Security rules with exclusions tend to be tricky, but this approach works around that.
Otherwise, perhaps someone else who is more knowledgeable than I am about security rules can help with getting it done without an extra stream.
We solved the issue by duplicating the default Stream security rule and created a customized one to replace it.
BEFORE:
(resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))
AFTER:
( (resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read") ))
