Hi, I am trying to only show some apps from certain users within a stream. I have followed the videos and read the other community posts on this topic. Currently, I have two security rules to make this work. One gives access to the stream if the user is a part of a custom property, SGroup, and the stream is also a part of that property, SGroup. The second rule says if a user and app are a part of the custom property, SRole, then show the app.
I would like to find a way to combine this with one security rule for less maintenance. I have tried a few different solutions but can't seem to get it to work. I have disabled the Stream rule created by Qlik. The way it behaves now is that if I disable the stream access rule I created, the user can no longer see the stream at all.
Stream access rule condition: ((user.@SRole=resource.@SGroup))
App Level Mgt rule condition:
(
resource.resourceType= "App"
or resource.resourceType= "Steam"
and resource.stream.HasPrivilege("read")
and resource.@SRole = user.@SRole
)
or (
resource.resourcetype = "App.object"
and resource.published ="true"
and resource.objectType != "app_appscript"
and resource.objectType != "loadmodel"
and resource.app.stream.HasPrivilege("read")
)
So I would like to be able to create this same result using only one custom property and one security rule.
The first part of the app level property reads like this:
resource.resourceType= "App"
or resource.resourceType= "Steam"
and resource.stream.HasPrivilege("read")
and resource.@SRole = user.@SRole
Now 'and' takes precedence over 'or', so this would return true for any user for any app, which I guess is not what you want. And there is a typo in the second resource type. It reads 'Steam' but I take it you mean 'Stream'. I think you should probably remove that second line altogether though, as 'resource.stream' doesn't make sense when the resource is a stream anyway.
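The precedence point in the reply above, as an added example that is not part of the original thread: the posted condition is transcribed into Python, whose `and`/`or` precedence matches what the reply describes, and audited against a small access matrix. The user and app names, the `stream_readers` field standing in for `resource.stream.HasPrivilege("read")`, and all sample data are constructed assumptions.

```python
# Added illustration: a Python model of the rule condition, not Qlik syntax.
# 'and' binds tighter than 'or', so the posted condition parses as
#   App or (Steam and HasPrivilege and SRole match).

def can_read_stream(user, res):
    # Stand-in (assumption) for resource.stream.HasPrivilege("read").
    return user["name"] in res["stream_readers"]

def original_rule(user, res):
    # Transcribed line by line from the post, typo "Steam" kept.
    return (
        res["resourceType"] == "App"
        or res["resourceType"] == "Steam"
        and can_read_stream(user, res)
        and res["SRole"] == user["SRole"]
    )

def corrected_rule(user, res):
    # Second line removed as the reply suggests; every test is now required.
    return (
        res["resourceType"] == "App"
        and can_read_stream(user, res)
        and res["SRole"] == user["SRole"]
    )

def audit(rule, users, resources):
    """Return the sorted (user, resource) pairs the rule grants."""
    return sorted((u["name"], r["name"])
                  for u in users for r in resources if rule(u, r))

def over_granted(users, resources):
    """Pairs the original rule grants that the corrected rule denies."""
    return sorted(set(audit(original_rule, users, resources))
                  - set(audit(corrected_rule, users, resources)))

# Constructed sample data.
USERS = [{"name": "alice", "SRole": "Finance"}, {"name": "bob", "SRole": "HR"}]
RESOURCES = [
    {"name": "FinanceApp", "resourceType": "App", "SRole": "Finance",
     "stream_readers": {"alice", "bob"}},
    {"name": "HRApp", "resourceType": "App", "SRole": "HR",
     "stream_readers": {"alice", "bob"}},
    {"name": "HiddenApp", "resourceType": "App", "SRole": "Finance",
     "stream_readers": {"bob"}},
]

if __name__ == "__main__":
    print("original :", audit(original_rule, USERS, RESOURCES))
    print("corrected:", audit(corrected_rule, USERS, RESOURCES))
    print("excess   :", over_granted(USERS, RESOURCES))
```

Building a matrix like this before enabling a rule makes an over-broad grant visible as a concrete list of user and app pairs.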
Yes, that was a typo. I removed that line but now I don't see any streams besides the ones I am an owner of.
You mean without having that stream rule in place as well? I guess if you want to combine the two then it would look something like this:
(
resource.resourceType= "Stream"
and user.@SGroup=resource.@SGroup
) or (
resource.resourceType= "App"
and resource.stream.HasPrivilege("read")
and resource.@SRole = user.@SRole
) or (
resource.resourcetype = "App.object"
and resource.published ="true"
and resource.objectType != "app_appscript"
and resource.objectType != "loadmodel"
and resource.app.stream.HasPrivilege("read")
)
Is there a way to accomplish this using only one custom property? I would like to remove the SGroup property and assign streams, apps and users an SRole and grant access based on that property. For example, if the stream, app and user all share the same role, the user should have read access to the stream and see only the apps tagged with the SRole property/value that matches the user.
I don't think it's possible to express that a stream, app and user all share the same role, as you can only compare two at a time. You can certainly write a property like this:
resource.resourceType= "App"
and resource.@SRole = user.@SRole
and resource.@SRole = resource.stream.@SRole
But that would simply mean that the app and user share a property value and that the app and stream share a property value, but not that the user and stream share that same value.
So I'm trying that but I received the error: "Security rule validation error. Expected 'user/node' found 'resource'." Below is the condition I used:
(
resource.resourceType= "App"
and resource.@SRole = user.@SRole
and resource.@SRole = resource.stream.@SRole
)
or (
resource.resourcetype = "App.object"
and resource.published ="true"
and resource.objectType != "app_appscript"
and resource.objectType != "loadmodel"
and resource.app.stream.HasPrivilege("read")
)
Oh, sorry, I forgot about this... Did you get it working? I saw you marked one of the answers as a solution.