Hi,
I am trying to give admin access to a developer in one stream. Basically, he should be able to access the QMC and be able to perform actions like scheduling tasks and reloading apps (for that particular stream) in the QMC. But I couldn't figure out how to do it. I tried all means, but it seems to work only at hub level; I am not able to give restricted QMC access.
I would appreciate it if anyone can help resolve this.
Regards,
Bhaskar
When working with security rules, be VERY CAREFUL!!!
To customize security rules, you should use Custom Properties (tutorial).
We authenticate our users with Active Directory. We also wanted to limit which applications in a stream a user could see. In the QMC, the developers only have access to the Apps and Tasks menu items. You will see 2 rules, default and exception, for each action. The exception rule was created to handle when a custom property was assigned to an application. I split a lot of the actions into multiple rules because I found it easier to validate the rules.
I created 3 Custom Properties:
ADGroup with resource types Apps and Streams and the values will be the Active Directory group names
Developer with resource types Users and the values will be the Active Directory group names
UserType with resource types Users and the value is Scheduler
After creating the rules below, I disabled the delivered Stream rule.
NEWAppLimiteUserDefault:
Resource Filter: App*
Actions: Read
Conditions:
(resource.resourcetype = "App" and resource.@ADGroup.empty() and resource.stream.@ADGroup = user.group) and (resource.resourcetype = "App" and !resource.stream.empty())
Context: Only in hub
NEWAppLimitedUseException:
Resource Filter: App*
Actions: Read
Conditions:
(resource.resourcetype = "App" and !resource.@ADGroup.empty() and resource.@ADGroup = user.group) and (resource.resourcetype = "App" and !resource.stream.empty())
Context: Only in hub
NEWAppLimitedUseQMCDefault:
Resource Filter: App*
Actions: Read
Conditions:
(resource.resourcetype = "App" and resource.@ADGroup.empty() and resource.stream.@ADGroup=user.@Developer) and (resource.resourcetype = "App" and !resource.stream.empty())
Context: Only in QMC
NEWAppLimitedUseQMCException:
Resource Filter: App*
Actions: Read
Conditions:
(resource.resourcetype = "App" and !resource.@ADGroup.empty() and resource.@ADGroup=user.@Developer) and (resource.resourcetype = "App" and !resource.stream.empty())
Context: Only in QMC
NEWAppObjectAccess:
Resource Filter: App.Object_*
Actions: Read
Conditions:
(resource.resourcetype = "App.Object" or
resource.objectType = "app_appscript" or
resource.objectType = "loadmodel") and
resource.published ="true"
Context: Both in hub and QMC
NEWCreateTask:
Resource Filter: ReloadTask*,SchemaEvent*,CompositeEvent*
Actions: Create
Conditions: ((user.@UserType="Scheduler"))
Context: Only in QMC
NEWDeleteExportDefult:
Resource Filter: App*
Actions: Delete, Export, Export data
Conditions: ((resource.stream.@ADGroup=user.@Developer and resource.resourcetype="App" and resource.@ADGroup.empty()))
Context: Both in hub and QMC
NEWDeleteExportException:
Resource Filter: App*
Actions: Delete, Export, Export Data
Conditions: ((resource.@ADGroup=user.@Developer and resource.stream.@ADGroup=user.@Developer and resource.resourcetype="App" and !resource.@ADGroup.empty()))
Context: Both in hub and QMC
NEWDeveloperQmcAppsMenu:
Resource Filter: QmcSection_App
Conditions: ((user.group=user.@Developer))
Context: Only in QMC
NEWDuplicateAppDefault:
Resource Filter: App*
Actions: Publish, Duplicate
Conditions:
((resource.stream.@ADGroup=user.@Developer and resource.resourcetype="App" and resource.@ADGroup.empty()))
Context: Both in hub and QMC
NEWDuplicateAppException:
Resource Filter: App*
Actions: Publish, Duplicate
Conditions:
((resource.@ADGroup=user.@Developer and resource.stream.@ADGroup=user.@Developer and resource.resourcetype="App" and !resource.@ADGroup.empty()))
Context: Both in hub and QMC
NEWReloadTaskDefault:
Resource Filter: ReloadTask*,SchemaEvent*,CompositeEvent*,ExecutionResult*
Actions: Read, Update, Delete
Conditions:
((user.@UserType="Scheduler")) and
((resource.resourcetype="ReloadTask" and
resource.app.stream.@ADGroup=user.@Developer and
resource.app.@ADGroup.Empty()) or
(resource.resourcetype = "SchemaEvent" or resource.resourcetype = "CompositeEvent"))
Context: Only in QMC
NEWReloadTaskException:
Resource Filter: ReloadTask*,SchemaEvent*,CompositeEvent*,ExecutionResult*
Actions: Read, Update, Delete
Conditions:
((user.@UserType="Scheduler"))
and
((resource.resourcetype="ReloadTask" and
resource.app.stream.@ADGroup=user.@Developer and
!resource.app.@ADGroup.Empty() and resource.app.@ADGroup = user.@Developer) or
(resource.resourcetype = "SchemaEvent" or resource.resourcetype = "CompositeEvent"))
Context: Only in QMC
NEWSchedulerQMCTasksMenu:
Resource Filter: QmcSection_Task,QmcSection_ReloadTask,QmcSection_Event,QmcSection_SchemaEvent,QmcSection_CompositeEvent
Actions: Read
Conditions: !user.IsAnonymous() and ((user.@UserType="Scheduler"))
Context: Only in QMC
NEWStream:
Resource Filter: Stream_*
Actions: Read
Conditions: ((user.group=resource.@ADGroup))
Context: Only in hub
NEWStreamPublish:
Resource Filter: Stream_*
Actions: Publish
Conditions: ((resource.@ADGroup=user.@Developer))
Context: Both in hub and QMC
NEWStreamQMC:
Resource Filter: Stream_*
Actions: Read
Conditions: ((resource.@ADGroup=user.@Developer))
Context: Only in QMC
NEWUpdateAppDefault:
Resource Filter: App*
Actions: Update
Conditions:
((resource.resourcetype = "App" and resource.@ADGroup.empty() and resource.stream.@ADGroup=user.@Developer and !resource.stream.empty()))
Context: Both in hub and QMC
NEWUpdateAppException:
Resource Filter: App*
Actions: Update
Conditions:
((resource.resourcetype = "App" and !resource.@ADGroup.empty() and resource.@ADGroup=user.@Developer and !resource.stream.empty()) )
Context: Both in hub and QMC
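
The default/exception pairing used above for QMC read access, modelled in Python as an added example (not part of the original post and not Qlik's rule engine). It assumes "=" on a multi-valued property means "any value in common"; the AD group names and apps are constructed.

```python
# Model of NEWAppLimitedUseQMCDefault / NEWAppLimitedUseQMCException.
# Assumption: "=" on multi-valued properties is "any value in common".
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Stream:
    ad_group: set = field(default_factory=set)   # stream @ADGroup values

@dataclass
class App:
    stream: Optional[Stream] = None              # None = unpublished app
    ad_group: set = field(default_factory=set)   # app @ADGroup values

@dataclass
class User:
    developer: set = field(default_factory=set)  # user @Developer values

def qmc_default(app, user):
    # resource.@ADGroup.empty() and resource.stream.@ADGroup=user.@Developer
    # and !resource.stream.empty()
    return (app.stream is not None and not app.ad_group
            and bool(app.stream.ad_group & user.developer))

def qmc_exception(app, user):
    # !resource.@ADGroup.empty() and resource.@ADGroup=user.@Developer
    # and !resource.stream.empty()   (stream @ADGroup is NOT checked here)
    return (app.stream is not None and bool(app.ad_group)
            and bool(app.ad_group & user.developer))

def can_read_in_qmc(app, user):
    # Security rules only grant; any matching rule allows the action.
    return qmc_default(app, user) or qmc_exception(app, user)

def access_matrix():
    sales, finance = Stream({"BI-Sales"}), Stream({"BI-Finance"})  # constructed
    apps = {
        "stream_only": App(sales),                        # inherits from stream
        "tagged_other_group": App(sales, {"BI-Finance"}), # tag narrows access
        "tagged_same_group": App(sales, {"BI-Sales"}),
        "tagged_in_other_stream": App(finance, {"BI-Sales"}),
        "unpublished": App(None),
    }
    dev = User({"BI-Sales"})
    return {name: can_read_in_qmc(app, dev) for name, app in apps.items()}

if __name__ == "__main__":
    print(access_matrix())
```

The `tagged_in_other_stream` row is worth checking when validating the rules: the QMC read exception matches on the app's own ADGroup alone, so an app tagged with a developer's group is readable even in a stream that developer does not otherwise match.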