ilyas393
Creator

Stream Access for AD group when default stream rule is disabled

Hello Experts,

We have setup security and access using AD groups and Security Rules. This was done so that we can automate the access process and the admins don't need to be involved for access.

The security we have is setup at App level. So, people who have access to a stream can only see the apps which they have access to. To make this happen, we had to disable the default rule called "Stream".

Now, we want to create a stream and give an AD group access to the stream and everything within the stream. This way whoever is added to the AD group has access to all the apps published within the stream. This is possible when I enable the default Stream rule, but it would break the app level security. Is there a way to write a rule specific to the stream with all apps without having to enable the default Stream rule?

I appreciate your help.

Thanks,

Ilyas

11 Replies
JustinDallas
Specialist III

Just spitballing here off the top of my head and disclaimer, I don't know what I'm doing.  But I would first begin flailing around by creating two rules.  The first would provide stream access based on AD group.

[Screenshot: 2019-04-04 11_59_53-Edit security rule - QMC.png]

With that rule, the users in the AD group can see the specific stream and only that stream based on the Stream's GUID.  Then, I would make the apps available to users based on group.

[Screenshot: 2019-04-04 12_03_22-Edit security rule - QMC2.png]

This way, you preserve the permissions structure for your other streams and apps, but only provide an exception for this specific stream.  I would be excited to know how non-amateur hour folks would solve this.

ilyas393
Creator
Author

Hi Justin,

I am doing that already. But in this case, a rule needs to be created for every app since the default STREAM is disabled.

What I am trying to do is create a stream rule and tie it to a stream and an AD group, so that the members of the AD group get access to what is published within that stream. Any idea how to do this?

Levi_Turner
Employee

Just recreate the Stream rule but scope it to a single stream. For example:

  • Filter: App*
  • Actions: Read+Publish
  • Conditions: (resource.resourcetype = "App" and resource.stream.HasPrivilege("read") and resource.stream.name="ThisIsTheStreamName") or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))
JustinDallas
Specialist III

I like this better than my response. This is what I was trying to do, but I didn't know how to do it with the Conditions.
ilyas393
Creator
Author

I tried adding in the AD group and it doesn't seem to grant access to its members... I created a rule with the condition

(resource.resourcetype = "App" and resource.stream.HasPrivilege("read") and resource.stream.name="ThisIsTheStreamName" and user.group="ADGroupName") or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))

I also tried the condition

(resource.resourcetype = "App" and resource.stream.HasPrivilege("read") and resource.stream.name="ThisIsTheStreamName") or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read")) and (user.group="ADGroupName")

I used the actual stream name and the AD group name in the condition.

Any thoughts?

Thank you for your help.

Levi_Turner
Employee

The rule inherits from read rights on the stream. Is there a rule providing that AD group read rights on the stream in question?

ilyas393
Creator
Author

No, there is no separate rule to grant the AD group read access to the stream. I was trying to build one rule that grants the read access to the stream and all the contents in it. Is it not possible?

Levi_Turner
Employee

Of course it's possible. Something like:

  • Filter: *
  • Actions: Read
  • Conditions: (resource.resourcetype = "Stream" and resource.name="ThisIsTheStreamName") or
    ((resource.resourcetype = "App" and resource.stream.HasPrivilege("read") and resource.stream.name="ThisIsTheStreamName") or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read")))
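As an added illustration (not Qlik's rule engine and not any rule posted in this thread), the following Python models the point made in the replies above: the scoped App rule only grants anything once some rule already gives the user read on the Stream resource, because HasPrivilege("read") re-evaluates the rule set against the stream; and a single rule can cover both only if its Stream clause and its App clause are joined with "or", since a resource is never a Stream and an App at the same time. The stream name "Finance", the AD group "FinanceReaders", the users and the apps are constructed placeholders; the resource filter, action and condition mechanics are a deliberately small model of the QMC's.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


# Constructed model of the objects a QMC security-rule condition can see.
@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset            # stands in for user.group (AD groups from the UDC)


@dataclass(frozen=True)
class Resource:
    resourcetype: str            # "Stream", "App" or "App.Object"
    name: str
    stream: str = ""             # App: stream it is published to; App.Object: its app's stream
    published: bool = True
    objectType: str = "sheet"


@dataclass(frozen=True)
class Rule:
    resource_filter: str         # e.g. "App*" or "*", as typed in the QMC rule editor
    actions: frozenset
    condition: Callable[["Context", User, Resource], bool]


def filter_matches(resource_filter: str, resourcetype: str) -> bool:
    if resource_filter == "*":
        return True
    if resource_filter.endswith("*"):
        return resourcetype.startswith(resource_filter[:-1])
    return resource_filter == resourcetype


class Context:
    """Rule evaluator. stream_has_privilege() models resource.stream.HasPrivilege():
    it re-runs the whole rule set against the Stream resource, so an App rule built on
    it grants nothing unless some rule already grants the user read on that stream."""

    def __init__(self, rules: List[Rule], streams: Dict[str, Resource]):
        self.rules = rules
        self.streams = streams

    def allowed(self, user: User, res: Resource, action: str) -> bool:
        return any(filter_matches(r.resource_filter, res.resourcetype)
                   and action in r.actions and r.condition(self, user, res)
                   for r in self.rules)

    def stream_has_privilege(self, user: User, stream_name: str, action: str) -> bool:
        stream = self.streams.get(stream_name)
        return stream is not None and self.allowed(user, stream, action)


STREAM = "Finance"              # assumed stream name (placeholder)
AD_GROUP = "FinanceReaders"     # assumed AD group (placeholder)


def apps_in_stream(ctx: Context, user: User, r: Resource) -> bool:
    """Default 'Stream' rule scoped to one stream: App plus published App.Object,
    both hanging off read rights on the stream (no script or load model)."""
    if r.resourcetype == "App":
        return r.stream == STREAM and ctx.stream_has_privilege(user, r.stream, "read")
    if r.resourcetype == "App.Object":
        return (r.published and r.objectType not in ("app_appscript", "loadmodel")
                and ctx.stream_has_privilege(user, r.stream, "read"))
    return False


def group_reads_stream(ctx: Context, user: User, r: Resource) -> bool:
    """Read on the Stream resource itself, keyed on AD group membership."""
    return r.resourcetype == "Stream" and r.name == STREAM and AD_GROUP in user.groups


def stream_or_apps(ctx: Context, user: User, r: Resource) -> bool:
    """Both clauses in one rule joined with OR: stream and its content in a single rule."""
    return group_reads_stream(ctx, user, r) or apps_in_stream(ctx, user, r)


def stream_and_apps(ctx: Context, user: User, r: Resource) -> bool:
    """Same clauses joined with AND: unsatisfiable, a resource has exactly one type."""
    return group_reads_stream(ctx, user, r) and apps_in_stream(ctx, user, r)


def access_matrix(rules: List[Rule]) -> Dict[str, bool]:
    """Evaluate a rule set against constructed users and resources."""
    streams = {STREAM: Resource("Stream", STREAM), "HR": Resource("Stream", "HR")}
    finance_app = Resource("App", "FinanceApp", stream=STREAM)
    hr_app = Resource("App", "HRApp", stream="HR")
    finance_sheet = Resource("App.Object", "Sheet1", stream=STREAM)
    finance_script = Resource("App.Object", "Script", stream=STREAM, objectType="app_appscript")
    member = User("alice", frozenset({AD_GROUP}))
    outsider = User("bob", frozenset({"Marketing"}))
    ctx = Context(rules, streams)
    return {
        "member_reads_stream": ctx.allowed(member, streams[STREAM], "read"),
        "member_reads_app": ctx.allowed(member, finance_app, "read"),
        "member_reads_sheet": ctx.allowed(member, finance_sheet, "read"),
        "member_reads_script": ctx.allowed(member, finance_script, "read"),
        "member_reads_other_stream_app": ctx.allowed(member, hr_app, "read"),
        "outsider_reads_app": ctx.allowed(outsider, finance_app, "read"),
    }


APP_RULE_ONLY = [Rule("App*", frozenset({"read"}), apps_in_stream)]
TWO_RULES = APP_RULE_ONLY + [Rule("Stream*", frozenset({"read"}), group_reads_stream)]
ONE_RULE_OR = [Rule("*", frozenset({"read"}), stream_or_apps)]
ONE_RULE_AND = [Rule("*", frozenset({"read"}), stream_and_apps)]

if __name__ == "__main__":
    for label, rules in [("app rule only", APP_RULE_ONLY), ("app + stream rule", TWO_RULES),
                         ("one rule, OR", ONE_RULE_OR), ("one rule, AND", ONE_RULE_AND)]:
        print(label, access_matrix(rules))
```

Running it shows the app-only rule set granting nothing to the group member (the stream read it inherits from is never granted), the two-rule and the single OR-joined rule both granting the stream, the app and the published sheet to the member but not the script, not an app in another stream, and nothing to a non-member, and the AND-joined rule granting nothing at all.
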
ilyas393
Creator
Author

Thanks Levi. With the condition you provided, I would need another rule that grants read access to the stream to the AD group. Correct?