Nov 11, 2021 10:17:06 AM
Feb 12, 2018 8:36:13 AM
Inside Qlik Sense, user access is prescribed by the security rules configured in the deployment. When designing a security rule framework, it is important to understand the hierarchical relationships between the different resource filters so that each rule performs as intended.
Streams > Apps > App.Objects
As illustrated above, Apps are in Streams. This means that you can use inheritance to cascade the intended action from the action assigned at the Stream level. This is used in this portion of the default Stream security rule:
(resource.resourcetype = "App" and resource.stream.HasPrivilege("read"))
The meaning of this condition is that the action will be applied to Apps where the user has read rights to the stream.
The same hierarchy exists in Apps > App.Objects. App.Objects belong to Apps, and thus you can inherit rights from the App or Stream level. This is used in this portion of the default Stream security rule:
((resource.resourcetype = "App.Object" and resource.published = "true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))
The meaning of this condition is that the action will be applied to an App's Objects where the object is (a) published and (b) not an app_appscript or loadmodel type of App.Object when the user has read rights on the stream.
Apps > Tasks
As illustrated above, Tasks are applied to Apps. This means that you can use inheritance to cascade the intended action from the action assigned at the App level. For example:
Filter: ReloadTask*
Action: Read, Update, Delete
Condition: ((user.name="TaskAdmin")) and (resource.App.HasPrivilege("read"))
In this rule, the user named TaskAdmin is able to read, update, and delete all tasks associated with Apps to which they already have Read rights.
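The Stream > App > App.Object and App > Task inheritance described above can be checked against a small model. This is an added example, not Qlik code and not the Qlik rule engine: the class names, users, streams and apps are constructed, and it assumes Stream-level Read is the only grant in play (owner rules and other default rules are ignored).

```python
# Simplified model of the quoted conditions; not Qlik's rule engine.
# Assumption: Stream-level Read is the only grant; owner and other rules are ignored.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Stream:
    name: str
    readers: frozenset  # users granted Read at the Stream level

    def has_privilege(self, user: str, action: str) -> bool:
        return action == "read" and user in self.readers

@dataclass
class App:
    name: str
    stream: Optional[Stream]  # None models an unpublished app

    def has_privilege(self, user: str, action: str) -> bool:
        # resource.resourcetype = "App" and resource.stream.HasPrivilege("read")
        return self.stream is not None and self.stream.has_privilege(user, action)

@dataclass
class AppObject:
    app: App
    object_type: str
    published: bool

    def has_privilege(self, user: str, action: str) -> bool:
        # published, not app_appscript/loadmodel, and resource.app.stream.HasPrivilege("read")
        return (self.published
                and self.object_type not in ("app_appscript", "loadmodel")
                and self.app.has_privilege(user, action))

@dataclass
class ReloadTask:
    app: App

    def allowed_actions(self, user: str) -> set:
        # user.name="TaskAdmin" and resource.App.HasPrivilege("read")
        if user == "TaskAdmin" and self.app.has_privilege(user, "read"):
            return {"read", "update", "delete"}
        return set()

# Constructed sample deployment (names are hypothetical).
finance = Stream("Finance", frozenset({"TaskAdmin", "alice"}))
hr = Stream("HR", frozenset({"bob"}))
sales, payroll, draft = App("Sales", finance), App("Payroll", hr), App("Draft", None)
```

In this model TaskAdmin can manage the reload task for Sales but not for Payroll, because the task rule only reaches Apps the user can already read through the Stream.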