Solved: Concrete answer on creating security rule at strea... - Qlik Community

Report Inappropriate Content · ‎2016-09-06

Hello Guru's,

I would like to get concrete answer on this.

Problem: i have 10 active streams with already established security rules for them. I created new stream and would like to restrict access to certain sheets. For example :

Stream	App	sheets	test_user1	test_user2
test stream	test app	1	0	1
test stream	test app	2	1	0

So as you see i want both users to have access to the same stream and same app, but restrict access at sheet level.

I read this:

https://community.qlik.com/thread/155799

which didn't provide an answer. I read many other posts, in which states, that security at sheet level is not possible in Sense (as of yet).

I understand i can create multiple apps and restrict access at app level, but before doing that i would like to see maybe there is a way to be able to do restrictions for 1 app.

Hope it makes sense

Waiting for your responses and thank you in advance

Oredas

Levi_Turner · ‎2016-09-06

Yes, sheet level restrictions are possible.

In order to accomplish this, you will have to disable the Stream security rule which allows inheritance from the Stream to the App and to the App Objects and either rebuild it (1) or manually handle app level access.

(Both examples involve disabling the Stream rule and rebuilding it to fit the use case.

(1) e.g. (resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.app.@SheetLevelSecurity!="Yes") and resource.app.stream.HasPrivilege("read"))

-- Which ties into a custom property SheetLevelSecurity which is applied to Apps and has the values Yes or No.

or

(resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and (resource.objectType= "sheet") and (resource.name!="Finance Dashboard" and resource.name!="HR Dashboard") ) and resource.app.stream.HasPrivilege("read"))

-- This refers to specific sheet names

This is not an elegant route which does have non-trivial maintenance costs.

View solution in original post

Levi_Turner · ‎2016-09-06

Yes, sheet level restrictions are possible.

In order to accomplish this, you will have to disable the Stream security rule which allows inheritance from the Stream to the App and to the App Objects and either rebuild it (1) or manually handle app level access.

(Both examples involve disabling the Stream rule and rebuilding it to fit the use case.

(1) e.g. (resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.app.@SheetLevelSecurity!="Yes") and resource.app.stream.HasPrivilege("read"))

-- Which ties into a custom property SheetLevelSecurity which is applied to Apps and has the values Yes or No.

or

(resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and (resource.objectType= "sheet") and (resource.name!="Finance Dashboard" and resource.name!="HR Dashboard") ) and resource.app.stream.HasPrivilege("read"))

-- This refers to specific sheet names

This is not an elegant route which does have non-trivial maintenance costs.

Report Inappropriate Content · ‎2016-09-07

Thank you Levi for the answer, i will mark it as correct, even though i will need time to test it. (need to find down time in case i mess up something for other streams, which I'm trying to avoid )

If anyone else would like to shed some light on this subject, please feel free.

oredas

Levi_Turner · ‎2016-09-07

I can promise that it works in principle since I've done it as a demo in the past But the precise implementation may be tricky to get precisely right.

Concrete answer on creating security rule at stream sheet level