Qlik Community

New to Qlik Sense

Discussion board where members can get started with Qlik Sense.

tomovangel
Contributor III

Security rules

Hello guys, So basically I have a lot of work into copying my Client's database security rules into qliksense.

So far I have managed to write section access on a Country level, but I also have securities based on certain Measures.


I have made the measures as Objects into the Application.

The name of the app is "Sales Report".

My measure name is Margin.

I thought to make a group in the QMC, which is called MARGIN, and then add all users, which can see this measure.

and After that I have to write a Security rule, which gives access to this measure to the specific users, and the other users must NOT see this measure.

for example something like each user part of the user group MARGIN, can see the measure Margin, which is inside Sales Report.


I have never written security rules, except some basic ones which gives users access to streams.

Any thoughts?  I have 6 different measures,  which has to be restricted to the specific usergroup. Since I can't include this in my section access statement i thought security rules might help me build the full security database into QlikSense.


THANKS !

1 Solution

Accepted Solutions
tomovangel
Contributor III

Re: Security rules

Hello guys, this post is for future people who come here !

IF you are reading this, You must have a basic knowledge on Custom Properties, and how to apply them to map users with apps and streams.

After I made Custom properties for my groups of users, and then I applied this properties to the corresponding Streams and Apps, I had to write security rules .

1. Disable default stream rule

2. Write rule that specifies Streams with the custom property of the groups

3. Write rule for App Access with the corresponding groups ( ex. Group1 can see Group1, Group2 can see Group2 etc.)

4. AND last, but not least you must specify rule for App object .

this is my rule

((user.@AppLevelManagement="Sales") and (resource.objectType!="measure" or resource.name="SalesSum" or resource.name="RegionsCount"))

BASICALLY this rule says, that IF   a user is part of the AppLevelManagement - Sales, he CAN'T see resource.objectType!="measures", and after that we specify which measures, this users can see, in our example the users which are part of the Sales group, can see the measures - "SalesSum" and "RegionsCount".

PS: The measures have to be saved  like Master Measures.
PS2: I am using this rule as part of my section access to restrict which users can see which measures.
PS3: If you have questions comment here and I will try to help you

Thanks to arvind654

8 Replies
sarahplymale
Contributor

Re: Security rules

This document goes step by step through implementing security rules at the app object level:

Sheet or App Object Level Security Qlik Sense

I know that sheets and charts are "app objects".  I don't know if master measures will be considered app objects or not.  Even if the master measure is considered an app object and you can use this method for restricting access, the field would still be in the data model and the user could hypothetically write a measure on that field themselves.  I'm not sure how to restrict access to entire fields (column level security) or if security rules can accomplish this.

Sarah

Khan_Mohammed
Honored Contributor II

Re: Security rules

doesn't disabling the measure disable the chart if it is based on single measure?

Yo may have to save those measure as Master Measures, not sure... but

resource.objectType="measure" or resource.objectType="masterobject"  ???

tomovangel
Contributor III

Re: Security rules

I have got some sensitive data, like Margins, Consolidated currency and etc. I am using them in KPI's only, and not in real charts, I am currently reading all the docs based on security rules and trying to get to know the logic behind them better .

And Yes, I have saved those measures as Master Items(Measures)

alextimofeyev
Contributor II

Re: Security rules

tomovangel‌,

why are you saying that you cannot restrict it via section access? Do all users need access to all fields that are used in calculating your measure? If not, just restrict access to at least one underlying field, and the measure will be calculated as <null> for unauthorized users.

tomovangel
Contributor III

Re: Security rules

Hello guys, this post is for future people who come here !

IF you are reading this, You must have a basic knowledge on Custom Properties, and how to apply them to map users with apps and streams.

After I made Custom properties for my groups of users, and then I applied this properties to the corresponding Streams and Apps, I had to write security rules .

1. Disable default stream rule

2. Write rule that specifies Streams with the custom property of the groups

3. Write rule for App Access with the corresponding groups ( ex. Group1 can see Group1, Group2 can see Group2 etc.)

4. AND last, but not least you must specify rule for App object .

this is my rule

((user.@AppLevelManagement="Sales") and (resource.objectType!="measure" or resource.name="SalesSum" or resource.name="RegionsCount"))

BASICALLY this rule says, that IF   a user is part of the AppLevelManagement - Sales, he CAN'T see resource.objectType!="measures", and after that we specify which measures, this users can see, in our example the users which are part of the Sales group, can see the measures - "SalesSum" and "RegionsCount".

PS: The measures have to be saved  like Master Measures.
PS2: I am using this rule as part of my section access to restrict which users can see which measures.
PS3: If you have questions comment here and I will try to help you

Thanks to arvind654

tomovangel
Contributor III

Re: Security rules

I have to restrict data based on 3 dimensional fields ( Segment, Country, SalesRegion) and furthermore on 5 expression fields.

So I'm strugling to make it work.

Have you written any complex Section Access, where you have 8 fields from which to cut data?

BR, Angel

alextimofeyev
Contributor II

Re: Security rules

Angel,

several fields in the data model - yes. I haven't had a need to restrict access to measures (I guess it's what you mean by "expression fields", right?), but I thought from your previous posts that you have figured that out by using security rules. Did I misunderstand?

Alex

tomovangel
Contributor III

Re: Security rules

Yes, I have but it's not tested on  a real environment yet.
I have thought of the OMIT function, but not sure if it will work.

Community Browser