DireStraits
Contributor

QS Security by application/user automated

Hi, 

Currently we are managing QS security at Stream level. We are loading an Excel file containing User/Stream relationship via User directory connectors. If we create a new Stream we only have to associate the user with the Excel loaded users and the value with the loaded Stream values.

This works perfectly since it allows us to manage Stream/User security in an easy way. Now I'm trying to add security at application level while maintaining the same level of automation. The idea is to create a new file containing User/Application relationship and load this in an automated way. I want to avoid managing users in the QMC.

Does anyone know if this is possible?

Thanks.


Accepted Solutions
Eduardo_Monteiro
Partner - Contributor III

Hello @DireStraits 

Yes, it is possible. I did it using Custom Properties and AD groups. 

Create a custom property like "AppLevelSecurity" and add the AD group names as values in the custom property.

Replace default "Stream" security rule with the following condition:

(resource.resourcetype = "App" and resource.stream.HasPrivilege("read") and (resource.@AppLevelSecurity.empty() or resource.@AppLevelSecurity = user.group)) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))

And then create a rule binding it to the AD group; see the conditions below:

((user.group=resource.@AppLevelSecurity ))

Please let me know if this is helpful.

BR,

Eduardo Monteiro
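
The App branch of the rule in the answer above, modelled in Python as an added example (not part of the original post and not Qlik code), to show who ends up seeing which app when the tags are loaded from a file. The app names, users, AD groups, CSV layout and the reading of `=` as "any shared value" are assumptions made for the illustration.

```python
import csv
import io

# Constructed sample data (not from the original post): the User/Application
# file the question describes, reduced to app -> AD group tags.
APP_TAGS_CSV = """app,stream,AppLevelSecurity
Sales Dashboard,Sales,GRP_SALES_MGMT
Sales Pipeline,Sales,GRP_SALES_MGMT;GRP_SALES_OPS
Sales Overview,Sales,
HR Headcount,HR,GRP_HR
"""

# Constructed users: their AD groups plus the streams they can already read.
USERS = {
    "alice": {"groups": {"GRP_SALES_MGMT"}, "streams": {"Sales"}},
    "bob": {"groups": {"GRP_SALES_OPS"}, "streams": {"Sales"}},
    "carol": {"groups": {"GRP_HR"}, "streams": {"Sales", "HR"}},
}


def load_apps(text):
    """Parse the app file; AppLevelSecurity holds ';'-separated AD groups."""
    apps = []
    for row in csv.DictReader(io.StringIO(text)):
        tags = {t.strip() for t in row["AppLevelSecurity"].split(";") if t.strip()}
        apps.append({"name": row["app"], "stream": row["stream"], "tags": tags})
    return apps


def can_read_app(user, app):
    """Model of the App branch of the replaced Stream rule."""
    # Assumption: '=' matches when the property and user.group share any value;
    # stream.HasPrivilege("read") is modelled as plain set membership.
    has_stream = app["stream"] in user["streams"]
    return has_stream and (not app["tags"] or bool(app["tags"] & user["groups"]))


def visible_apps(username, apps):
    return sorted(a["name"] for a in apps if can_read_app(USERS[username], a))


def untagged_apps(apps):
    """Apps with an empty AppLevelSecurity: open to every reader of the stream."""
    return sorted(a["name"] for a in apps if not a["tags"])


if __name__ == "__main__":
    apps = load_apps(APP_TAGS_CSV)
    print({u: visible_apps(u, apps) for u in USERS}, untagged_apps(apps))
```

Because of the `resource.@AppLevelSecurity.empty()` clause, an app loaded without a tag stays readable by everyone who can read its stream, so an automated load should report the output of `untagged_apps` for review.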
