Skip to main content
Announcements
Join us at Qlik Connect for 3 magical days of learning, networking,and inspiration! REGISTER TODAY and save!
cancel
Showing results for 
Search instead for 
Did you mean: 
kdaniels-obrien
Partner - Creator
Partner - Creator

Stuck: App level management and stream access

Hi, I am trying to only show some apps from certain users within a stream.  I have followed the videos and read the other community posts on this topic.  Currently, I have two security rules to make this work.  One gives access to the stream if the user is apart of a custom property, SGroup and the stream is also apart of that property, SGroup. The second rule says if a user and app are apart of the custom property, SRole, then show the app.  

I would like to find away to combine this with one security rule for less maintenance.  I have tried a few different solutions but can't seem to get it to work. I have disabled the Stream rule created by Qlik.  The way it behaves now is that if I disable the stream access rule I created, the user can no longer see the stream at all. 

Stream access rule condition: ((user.@SRole=resource.@SGroup))

App Level Mgt rule condition: 

(
resource.resourceType= "App"
or resource.resourceType= "Steam"
and resource.stream.HasPrivilege("read")
and resource.@SRole = user.@SRole

)
or (
resource.resourcetype = "App.object"
and resource.published ="true"
and resource.objectType != "app_appscript"
and resource.objectType != "loadmodel"
and resource.app.stream.HasPrivilege("read")

)

 

So I would like to be able to create this same result using only one custom property and one security rule. 

1 Solution

Accepted Solutions
Øystein_Kolsrud
Employee
Employee

You mean without having that stream rule in place as well? I guess if you want to combine the two then it would look something like this:

(
  resource.resourceType= "Stream"
  and user.@SGroup=resource.@SGroup
) or (
  resource.resourceType= "App"
  and resource.stream.HasPrivilege("read")
  and resource.@SRole = user.@SRole
) or (
  resource.resourcetype = "App.object"
  and resource.published ="true"
  and resource.objectType != "app_appscript"
  and resource.objectType != "loadmodel"
  and resource.app.stream.HasPrivilege("read")
)

View solution in original post

7 Replies
Øystein_Kolsrud
Employee
Employee

The first part of the app level property reads like this:

resource.resourceType= "App"
or resource.resourceType= "Steam"
and resource.stream.HasPrivilege("read")
and resource.@SRole = user.@SRole

Now 'and' takes precedence over 'or' so this would return true for any user for any app which I guess is not what you want. And there is a typo in the second resource type. It reads 'Steam' but I take it you mean 'Stream'. I think you should probably remove that second line all together though as 'resource.stream' doesn't make sense when the resource is a stream anyway.

kdaniels-obrien
Partner - Creator
Partner - Creator
Author

Yes, that was a typo.  I removed that line but now I don't see any streams besides the one's I am an owner of. 

Øystein_Kolsrud
Employee
Employee

You mean without having that stream rule in place as well? I guess if you want to combine the two then it would look something like this:

(
  resource.resourceType= "Stream"
  and user.@SGroup=resource.@SGroup
) or (
  resource.resourceType= "App"
  and resource.stream.HasPrivilege("read")
  and resource.@SRole = user.@SRole
) or (
  resource.resourcetype = "App.object"
  and resource.published ="true"
  and resource.objectType != "app_appscript"
  and resource.objectType != "loadmodel"
  and resource.app.stream.HasPrivilege("read")
)
kdaniels-obrien
Partner - Creator
Partner - Creator
Author

Is there a way to accomplish this using only one custom property?  I would like to remove the SGroup property and assign streams, apps and users an SRole and grant access based on that property.  For example, if the stream, app and user all share the same role, the user should have read access to the stream and see only the apps tagged with the SRole property/value that matches the user. 

Øystein_Kolsrud
Employee
Employee

I don't think it's possible to express that a stream, app and user all share the same role as you can only compare two at a time. You can certainly write a property like this;

resource.resourceType= "App"
and resource.@SRole = user.@SRole
and resource.@SRole = resource.stream.@SRole

But that would simply mean that the app and user share a property value and that the app and stream share a property value, but not that the user and stream shares that same value.

kdaniels-obrien
Partner - Creator
Partner - Creator
Author

So I'm trying that but I received the error: "Security rule validation error. Expected 'user/node' found 'resource'.  Below is the condition I used: 

(
resource.resourceType= "App"
and resource.@SRole = user.@SRole
and resource.@SRole = resource.stream.@SRole

)
or (
resource.resourcetype = "App.object"
and resource.published ="true"
and resource.objectType != "app_appscript"
and resource.objectType != "loadmodel"
and resource.app.stream.HasPrivilege("read")

)

Øystein_Kolsrud
Employee
Employee

Oh, sorry, I forgot about this... Did you get it working? I saw you marked one of the answers as a solution.