Hi all,
I am working with Qlik Sense server and I have some issues regarding security permissions.
I have an app shared among 2 different user groups: sales and aftersales.
I'd like that if a sales user publishes a sheet, it will be available only for other sales users but not for aftersales ones.
Furthermore, if a user creates a new sheet but doesn't publish it, it would not be visible to any other user, but now it is so.
How can I achieve these two goals?
Thank you in advance
Hi Guys - need some clarification here - when we say new user and publish - are we talking about a content admin type person creating new sheets in an app in their work space and then publishing the app to a stream?
OR
Are we talking about an already published app in a stream - where someone creates their own sheet BASED off the existing approved app - and then has the option to publish it to the broader community so others can see THEIR work?
I assume you mean the latter - since you said you have an APP shared by 2 different groups - but need to check.
So what we are looking at is sheet level security - but more granular depending on the group it belongs to - I am not a security rule expert - but I believe this should be possible with a custom rule and perhaps custom properties.
Most likely will be defined with App Objects:
See if this thread helps: Sheet or App Object Level Security Qlik Sense
Let me know how you do.
Regards,
Mike T
Qlik
Correct @mto, this distinction is a major issue.
If it's Community sheets on a Published app, then you would need to fiddle with the Stream rule 19iv1987
The key portion of the rule is bolded below:
(resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))
Both base and community sheets fulfill this condition, so you'd want to disable the Stream rule and change resource.published to resource.approved (which distinguishes community from base).
For the schema of the rule to handle the community sheets
Filter: App.Object_*
Action: Read
Conditions: ((resource.published="true" and resource.owner.group=user.group))
Context: Both
This assumes that there is perfect alignment between the group attribute and there isn't sufficient noise inside of the users' persistent attributes which would make this rule non-functional (e.g. all folks are members of geographical groups in AD / UDC). In an AD context where perfect control over the group membership isn't possible then something like this should point in the right direction:
Filter: App.Object_*
Action: Read
Conditions: ((resource.published="true" and (resource.owner.group="foo" and user.group="foo")))
Context: Both
Hope that points in the right direction.
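Added example, not part of the original reply and not Qlik's rule engine: a small Python model of the two conditions above, used to audit which readers each rule would admit. The names `User`, `Sheet`, `audit`, the sample users and the `EMEA` group are constructed, and the "any shared value matches" semantics for the multi-valued group attribute is an assumption taken from the caveat in the reply.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset  # multi-valued "group" attribute from AD / UDC

@dataclass(frozen=True)
class Sheet:
    owner: User
    published: bool

def rule_shared_group(user, sheet):
    # Models: resource.published="true" and resource.owner.group=user.group
    # Assumption: the comparison is true when any group value is shared.
    return sheet.published and bool(sheet.owner.groups & user.groups)

def rule_pinned_group(user, sheet, group):
    # Models: resource.published="true" and
    #         (resource.owner.group="foo" and user.group="foo")
    return sheet.published and group in sheet.owner.groups and group in user.groups

def audit(users, sheets, rule, business_groups):
    """Return (reader, owner) pairs where read is granted although reader and
    owner share no business group, i.e. access came from a 'noise' group."""
    leaks = []
    for sheet in sheets:
        for user in users:
            if user == sheet.owner:
                continue  # owner access is handled by other rules
            shared = user.groups & sheet.owner.groups & business_groups
            if rule(user, sheet) and not shared:
                leaks.append((user.name, sheet.owner.name))
    return leaks

# Constructed sample directory: everyone also sits in a geographical group.
BUSINESS = frozenset({"sales", "aftersales"})
alice = User("alice", frozenset({"sales", "EMEA"}))
bob = User("bob", frozenset({"sales", "EMEA"}))
carol = User("carol", frozenset({"aftersales", "EMEA"}))
USERS = [alice, bob, carol]
SHEETS = [Sheet(alice, True), Sheet(alice, False)]  # published, unpublished

def pinned(user, sheet):
    # One pinned rule per business group, as in the "foo" variant.
    return any(rule_pinned_group(user, sheet, g) for g in BUSINESS)

if __name__ == "__main__":
    print("shared-group leaks:", audit(USERS, SHEETS, rule_shared_group, BUSINESS))
    print("pinned-group leaks:", audit(USERS, SHEETS, pinned, BUSINESS))
```

In this model the shared-group condition lets the aftersales user read the sales user's published sheet through the common `EMEA` group, while the pinned variant does not; the unpublished sheet is refused by both.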
Hi ltu,
It is kind of advanced level here, but interesting.. Thank you