Hello Experts,
We have set up security and access using AD groups and security rules. This was done so that we can automate the access process and the admins don't need to be involved for access.
The security we have is set up at app level. So, people who have access to a stream can only see the apps which they have access to. To make this happen, we had to disable the default rule called "Stream".
Now, we want to create a stream and give an AD group access to the stream and everything within the stream. This way whoever is added to the AD group has access to all the apps published within the stream. This is possible when I enable the default Stream rule, but it would break the app-level security. Is there a way to write a rule specific to the stream with all apps without having to enable the default Stream rule?
I appreciate your help.
Thanks,
Ilyas
Just spitballing here off the top of my head and disclaimer, I don't know what I'm doing. But I would first begin flailing around by creating two rules. The first would provide stream access based on AD group.
With that rule, the users in the AD group can see the specific stream and only that stream based on the Stream's GUID. Then, I would make the apps available to users based on group.
This way, you preserve the permissions structure for your other streams and apps, but only provide an exception for this specific stream. I would be excited to know how non-amateur hour folks would solve this.
Hi Justin,
I am doing that already. But in this case, a rule needs to be created for every app since the default STREAM is disabled.
What I am trying to do is create a stream rule and tie it to a stream and an AD group, so that the members of the AD group get access to what is published within that stream. Any idea how to do this?
Just recreate the Stream rule but scope it to a single stream. For example:
I tried adding in the AD group and it doesn't seem to grant access to its members... I created a rule with the condition
(resource.resourcetype = "App" and resource.stream.HasPrivilege("read") and resource.stream.name="ThisIsTheStreamName" and user.group="ADGroupName") or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))
I also tried the condition
(resource.resourcetype = "App" and resource.stream.HasPrivilege("read") and resource.stream.name="ThisIsTheStreamName") or ((resource.resourcetype = "App.Object" and resource.published = "true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read")) and (user.group="ADGroupName")
I used the actual stream name and the AD group name in the condition.
Any thoughts?
Thank you for your help.
The rule inherits from read rights on the stream. Is there a rule providing that AD group read rights on the stream in question?
No, there is no separate rule to grant the AD group read access to the stream. I was trying to build one rule that grants the read access to the stream and all the contents in it. Is it not possible?
Of course it's possible. Something like:
Thanks Levi. With the condition you provided, I would need another rule that grants read access to the stream to the AD group. Correct?
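As an added illustration of the two-rule layout the replies above converge on (this is a constructed example, not Levi's screenshot or any rule shipped with Qlik Sense; the stream name "ThisIsTheStreamName" and group "ADGroupName" are placeholders carried over from the thread), the split is: one rule that grants the AD group read on the stream object itself, and one scoped copy of the default Stream rule whose `HasPrivilege("read")` check is satisfied by the first rule. Keeping the group membership test only in the stream rule means the app rule inherits exactly the audience the stream rule defines, rather than re-stating it.

```text
Rule 1: grant the AD group read on the one stream  (constructed example)
  Resource filter:  Stream_*
  Actions:          Read
  Context:          Both in hub and QMC
  Conditions:       resource.name = "ThisIsTheStreamName" and user.group = "ADGroupName"

Rule 2: scoped copy of the default "Stream" rule, limited to that stream  (constructed example)
  Resource filter:  App_*, App.Object_*
  Actions:          Read
  Context:          Both in hub and QMC
  Conditions:
    (resource.resourcetype = "App"
        and resource.stream.name = "ThisIsTheStreamName"
        and resource.stream.HasPrivilege("read"))
    or
    (resource.resourcetype = "App.Object"
        and resource.published = "true"
        and resource.objectType != "app_appscript"
        and resource.objectType != "loadmodel"
        and resource.app.stream.name = "ThisIsTheStreamName"
        and resource.app.stream.HasPrivilege("read"))
```

Without Rule 1 nothing grants the group read on the stream, so `resource.stream.HasPrivilege("read")` in Rule 2 is false for every member and the condition from the thread never matches, which is the behaviour reported above. Because Rule 2 is pinned to `resource.stream.name`, apps in every other stream stay governed by the existing per-app rules. The Audit function under Security rules in the QMC can be used to confirm that a member of the group is granted Read on the stream and its apps and on nothing else.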