kdaniels-obrien
Partner - Creator

Stuck: App level management and stream access

Hi, I am trying to only show some apps from certain users within a stream.  I have followed the videos and read the other community posts on this topic.  Currently, I have two security rules to make this work.  One gives access to the stream if the user is a part of a custom property, SGroup and the stream is also a part of that property, SGroup. The second rule says if a user and app are a part of the custom property, SRole, then show the app.  

I would like to find a way to combine this with one security rule for less maintenance.  I have tried a few different solutions but can't seem to get it to work. I have disabled the Stream rule created by Qlik.  The way it behaves now is that if I disable the stream access rule I created, the user can no longer see the stream at all. 

Stream access rule condition: ((user.@SRole=resource.@SGroup))

App Level Mgt rule condition: 

(
resource.resourceType= "App"
or resource.resourceType= "Steam"
and resource.stream.HasPrivilege("read")
and resource.@SRole = user.@SRole

)
or (
resource.resourcetype = "App.object"
and resource.published ="true"
and resource.objectType != "app_appscript"
and resource.objectType != "loadmodel"
and resource.app.stream.HasPrivilege("read")

)

 

So I would like to be able to create this same result using only one custom property and one security rule. 

1 Solution

Accepted Solutions
Øystein_Kolsrud
Employee

You mean without having that stream rule in place as well? I guess if you want to combine the two then it would look something like this:

(
  resource.resourceType= "Stream"
  and user.@SGroup=resource.@SGroup
) or (
  resource.resourceType= "App"
  and resource.stream.HasPrivilege("read")
  and resource.@SRole = user.@SRole
) or (
  resource.resourcetype = "App.object"
  and resource.published ="true"
  and resource.objectType != "app_appscript"
  and resource.objectType != "loadmodel"
  and resource.app.stream.HasPrivilege("read")
)


7 Replies
Øystein_Kolsrud
Employee

The first part of the app level property reads like this:

resource.resourceType= "App"
or resource.resourceType= "Steam"
and resource.stream.HasPrivilege("read")
and resource.@SRole = user.@SRole

Now 'and' takes precedence over 'or', so this would return true for any user for any app, which I guess is not what you want. And there is a typo in the second resource type. It reads 'Steam' but I take it you mean 'Stream'. I think you should probably remove that second line altogether though, as 'resource.stream' doesn't make sense when the resource is a stream anyway.
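
The precedence problem described in the reply above, as an added Python model (not part of the original thread and not Qlik's rule engine). Python's `and` also binds tighter than `or`, so the posted condition and the version with the 'Steam' line removed can be compared over constructed users and apps; all names, property values and the `stream_readers` stand-in for `HasPrivilege("read")` are assumptions.

```python
# Added model of the thread's app-level condition; not Qlik's rule engine.
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class User:
    name: str
    srole: str                      # value of the SRole custom property

@dataclass(frozen=True)
class Resource:
    name: str
    rtype: str                      # resource.resourceType
    srole: str                      # resource.@SRole
    stream_readers: frozenset       # stand-in for resource.stream.HasPrivilege("read")

def original_rule(u, r):
    # As posted: parsed as  A or (B and C and D), so A alone grants access.
    return (r.rtype == "App"
            or r.rtype == "Steam"
            and u.name in r.stream_readers
            and r.srole == u.srole)

def corrected_rule(u, r):
    # With the "Steam" line removed, every remaining test must hold.
    return (r.rtype == "App"
            and u.name in r.stream_readers
            and r.srole == u.srole)

def over_grants(users, resources):
    """(user, resource) pairs allowed by the posted rule but not the corrected one."""
    return [(u.name, r.name) for u, r in product(users, resources)
            if original_rule(u, r) and not corrected_rule(u, r)]

# Constructed sample data (hypothetical users, apps and property values).
USERS = [User("alice", "Finance"), User("bob", "HR")]
APPS = [
    Resource("FinanceApp", "App", "Finance", frozenset({"alice", "bob"})),
    Resource("HRApp", "App", "HR", frozenset({"alice", "bob"})),
    Resource("SalesApp", "App", "Sales", frozenset()),   # stream nobody can read
]

if __name__ == "__main__":
    for pair in over_grants(USERS, APPS):
        print("over-granted:", pair)
```

Running the same comparison against an export of real users and apps gives a quick list of grants that a rule change would add or remove before it is enabled.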

kdaniels-obrien
Partner - Creator
Author

Yes, that was a typo.  I removed that line but now I don't see any streams besides the ones I am an owner of. 

kdaniels-obrien
Partner - Creator
Author

Is there a way to accomplish this using only one custom property?  I would like to remove the SGroup property and assign streams, apps and users an SRole and grant access based on that property.  For example, if the stream, app and user all share the same role, the user should have read access to the stream and see only the apps tagged with the SRole property/value that matches the user. 

Øystein_Kolsrud
Employee

I don't think it's possible to express that a stream, app and user all share the same role as you can only compare two at a time. You can certainly write a property like this:

resource.resourceType= "App"
and resource.@SRole = user.@SRole
and resource.@SRole = resource.stream.@SRole

But that would simply mean that the app and user share a property value and that the app and stream share a property value, but not that the user and stream share that same value.

kdaniels-obrien
Partner - Creator
Author

So I'm trying that but I received the error: "Security rule validation error. Expected 'user/node' found 'resource'." Below is the condition I used: 

(
resource.resourceType= "App"
and resource.@SRole = user.@SRole
and resource.@SRole = resource.stream.@SRole

)
or (
resource.resourcetype = "App.object"
and resource.published ="true"
and resource.objectType != "app_appscript"
and resource.objectType != "loadmodel"
and resource.app.stream.HasPrivilege("read")

)

Øystein_Kolsrud
Employee

Oh, sorry, I forgot about this... Did you get it working? I saw you marked one of the answers as a solution.