19iv1987
Contributor III

Disable sharing unpublished sheet

Hi all,

I am working with a Qlik Sense server and I have an issue regarding security permissions.

I have an app shared among 2 different user groups: sales and aftersales.

I'd like that if a sales user publishes a sheet, it will be available only for other sales users but not for aftersales ones.

Furthermore, if a user creates a new sheet but doesn't publish it, it should not be visible to any other user, but currently it is.

How can I achieve these two goals?

Thank you in advance

5 Replies
YoussefBelloum
Champion

Hi,

Interesting post, I'll try to do this and if it works for me I'll describe step by step how to do it.

Maybe experts here can quickly guide you on how to do it (if it is possible)

Hi Guys ltu, mto, do you think it is possible?

Michael_Tarallo
Employee

Hi Guys - need some clarification here - when we say new user and publish - are we talking about a content admin type person creating new sheets in an app in their work space and then publishing the app to a stream?

OR

Are we talking about an already published app in a stream - where someone creates their own sheet BASED off the existing approved app - and then has the option to publish it to the broader community so others can see THEIR work?

I assume you mean the latter - since you said you have an APP shared by 2 different groups - but need to check.

So what we are looking at is sheet level security - but more granular depending on the group it belongs to - I am not a security rule expert - but I believe this should be possible with a custom rule and perhaps custom properties.

Most likely will be defined with App Objects:

See if this thread helps: Sheet or App Object Level Security Qlik Sense

Let me know how you do.

Regards,

Mike T

Qlik

Levi_Turner
Employee

Correct @mto, this distinction is a major issue.

If it's Community sheets on a Published app, then you would need to fiddle with the Stream rule, 19iv1987.

The key portion of the rule is bolded below:

(resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))

Both base and community sheets fulfill this condition, so you'd want to disable the Stream rule and change resource.published to resource.approved (which distinguishes community from base).

For the schema of the rule to handle the community sheets:

Filter: App.Object_*

Action: Read

Conditions: ((resource.published="true" and resource.owner.group=user.group))

Context: Both

This assumes that there is perfect alignment between the group attribute and there isn't sufficient noise inside of the users' persistent attributes which would make this rule non-functional (e.g. all folks are members of geographical groups in AD / UDC). In an AD context where perfect control over the group membership isn't possible, then something like this should point in the right direction:

Filter: App.Object_*

Action: Read

Conditions: ((resource.published="true" and  (resource.owner.group="foo" and user.group="foo")))

Context: Both

Hope that points in the right direction.
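
The difference between the two conditions in the post above, as an added example that is not part of the original post and is not Qlik's own code. It is a simplified Python model of the two rule conditions; the `User` and `Sheet` classes, the user names and the `emea` group are constructed, and it assumes that comparing two multi-valued group attributes is satisfied by any shared value.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset  # multi-valued group attribute, e.g. synced from AD / UDC

@dataclass(frozen=True)
class Sheet:
    title: str
    owner: User
    published: bool

def rule_group_match(user, sheet):
    # Models: resource.published="true" and resource.owner.group=user.group
    # Assumption: any group value shared by owner and reader satisfies "=".
    return sheet.published and bool(sheet.owner.groups & user.groups)

def rule_named_group(user, sheet, group):
    # Models: resource.published="true" and
    #         (resource.owner.group="foo" and user.group="foo")
    return sheet.published and group in sheet.owner.groups and group in user.groups

def sales_only(user, sheet):
    # One explicit rule per business group; "sales" stands in for "foo".
    return rule_named_group(user, sheet, "sales")

def readers(rule, users, sheet):
    """Names of the users to whom the modelled rule grants Read on the sheet."""
    return sorted(u.name for u in users if rule(u, sheet))

# Constructed sample data: everyone also carries a geographical group ("emea"),
# which is the kind of attribute noise the post warns about.
alice = User("alice", frozenset({"sales", "emea"}))
bob = User("bob", frozenset({"sales", "emea"}))
carol = User("carol", frozenset({"aftersales", "emea"}))
USERS = [alice, bob, carol]

published_sheet = Sheet("Q1 pipeline", alice, published=True)
draft_sheet = Sheet("scratch", alice, published=False)

if __name__ == "__main__":
    for sheet in (published_sheet, draft_sheet):
        print(sheet.title,
              "| group match:", readers(rule_group_match, USERS, sheet),
              "| named group:", readers(sales_only, USERS, sheet))
```

In this model the shared `emea` value lets the aftersales user read the sales sheet under the first condition, while the named-group condition keeps it within sales; neither condition grants Read on the unpublished sheet.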

YoussefBelloum
Champion

Hi mto

That's what I thought too, that he was talking about an app already published.

Thank you

YoussefBelloum
Champion

Hi ltu,

It is kind of advanced level here, but interesting. Thank you