Skip to main content
Announcements
Join us at Qlik Connect for 3 magical days of learning, networking,and inspiration! REGISTER TODAY and save!
cancel
Showing results for 
Search instead for 
Did you mean: 
stvegerton
Creator III
Creator III

Publish and REPLACE is not working for us

We're running a multi-node site v 2.2.3+Build:37release/ms15

We've got developers who own the apps, streams and app objects. They have the authority to publish and delete what they own via security rules...

Yet, when they try to publish and replace, it throws an error to the developer like this: "The operation failed due to insufficient privileges"

In the log it shows this:

Republish app403 Forbidden (HTTP code: 403)

Yet the rules audit show that they can publish and delete...

Anyone seen this before?

1 Solution

Accepted Solutions
stvegerton
Creator III
Creator III
Author

Got it working. The resource must be App* and the user must be allowed to  "Update".

We disabled our ContentAdmin rules and are using Custom Properties and custom rules. To troubleshoot, I added all resources from the default rule into my custom rule and slowly removed them until I landed on only App* remaining. Doing the same with resources until I had publish and replace working...

View solution in original post

31 Replies
stvegerton
Creator III
Creator III
Author

Got it working. The resource must be App* and the user must be allowed to  "Update".

We disabled our ContentAdmin rules and are using Custom Properties and custom rules. To troubleshoot, I added all resources from the default rule into my custom rule and slowly removed them until I landed on only App* remaining. Doing the same with resources until I had publish and replace working...

Anonymous
Not applicable

Hi Steve,

As I understood you already have a kind of stream admin role in place. I'm also trying to create a proper roles but can't get rid of the error about insufficient privileges. I have App* in resource filter and Update option checked and still nothing. Users also aren't able to duplicate apps from the stream (even once they are owning)

I used this example https://help.qlik.com/en-US/sense/3.0/Subsystems/ManagementConsole/Content/create-QMC-content-admin-...

May be you can share you knowledge how you did the whole setup for creating a stream admin role?

With best regards,
AT

stvegerton
Creator III
Creator III
Author

Hello Artjoms,

It's timely that you should ask because we're starting to see this issue pop up again. We're running version 3.2.3 now with shared persistence. I'm looking into two possibilities. 1. The apps that are being edited and are to replace the published apps we're around before the conversion to shared persistence. The other is related to app ownership. The published apps we have contain several app objects owned by other users. I'm going to be working on this today and will let you know.

Anonymous
Not applicable

great, thanks!

we are running 3.2.4. and have only one server with synchronized persistence. so this is the simplest environment. and my test app has only 1 object created by the same user who is trying to republish or duplicate published app

hope, you will find a solution

stvegerton
Creator III
Creator III
Author

I wonder why you're not running as shared persistence since Qlik seems to be moving away from synchronized.

When you run an audit on that user and app, what does it show? Run audits for both the app that is already published and the one you're editing that will be used to replace the published app.

Also do audits on that user and app objects that belong to both apps.

You can click on the results in the audits and it will bring you to the respective rules.

Forgive me if you know all of this already.

Anonymous
Not applicable

We will move to shared persistence. Just were waiting for a new release, because persistence change is possible only during new release install.

Your hint about app audit was very useful! Thanks! I did only stream audit before and didn't noticed any differences, but now there are some.

I want to share them with you.

Setup #1. The role has only one condition for a role nameQlikSense_SecurityRules_01.png

Audit results

QlikSense_SecurityRules_02.png

Associated rules

QlikSense_SecurityRules_03.png

Setup #2. I added a stream name to limit an admin access to only one specific stream

QlikSense_SecurityRules_04.png

Audit results

QlikSense_SecurityRules_05.png

Associated rules

QlikSense_SecurityRules_06.png

As you can see, after I added stream name in rule condition the rule wasn't associated with the app anymore. But in QMC and HUB the user still can see "test Stream" stream and app within it.

Please guide me, where is my mistake?

Thanks in advance

stvegerton
Creator III
Creator III
Author

Not sure. Might be the resource. Try this.

((user.roles="testStreamAdmin") and (resource.resourcetype="App" and resource.stream.name="test Stream") or (resource.resourcetype="App.Object" and resource.objectType="sheet" and resource.owner.name=user.name and resource.app.stream.name="test Stream") or (resource.resourcetype="App.Object" and resource.objectType="story" and resource.owner.name=user.name and resource.app.stream.name="test Stream"))

Anonymous
Not applicable

Thanks for your support, Steve! I appreciate it.

Unfortunately the result is the same - only Read and Publish options are active

stvegerton
Creator III
Creator III
Author

Do you get the same result when you run the audit for QMC only and Hub only?