nate_ak
Contributor III

App Level Security with Active Directory

We have our environment tied to Active Directory, and I'm attempting to configure application-level security. I believe I'm close, but it's not quite working. Note that I do not want sheet-level security at this point. If a user has access to an app, I'm OK with them seeing all sheets within that app.

I created two Custom Properties, one each for streams (StreamGroup) and apps (AppGroup). The values in both custom properties match the names of the AD groups that I want to use to secure the apps.

I then added to each stream all the stream property values that are associated with the apps published to that stream. If a stream has 3 published apps, then it is given the 3 stream property values that match those apps. I then gave each app its associated app custom property value.

Next, I disabled the default Stream Security Rule. Then I created two new security rules, one each for streams and apps. The stream rule has "Stream*" as a filter and the following condition: ((user.group=resource.@StreamGroup)). It seems to be working as intended.

The app rule has "App*" as a filter and the following condition: (resource.resourcetype = "App" and resource.stream.HasPrivilege("read") and resource.@AppGroup = user.group). On its own this isn't working. If I add an additional rule for each app with an "App*" filter and the condition ((user.group="AD Group Name Here")), then everything appears to be working until an app is opened. None of the sheets are visible to users at this point.

Any advice would be greatly appreciated. Thank you. 


4 Replies
crusader_
Partner - Specialist

Hi,

It looks like in your second "App level" rule you specified the resource filter "App*" and then overrode it inside the rule with resource.resourcetype="App", which means Application only, but not App.Objects...

Try the following:

(resource.resourcetype = "App*" and resource.stream.HasPrivilege("read") and resource.@AppGroup = user.group)

Hard to test on my side, but hope this helps.

//Andrei

nate_ak
Contributor III
Author

Hi there,

Thanks for the response. I gave that a try, though, and unfortunately it didn't do the trick. I'm new to writing these conditions, but do you think it would be possible to call additional App.Object criteria in the code? I'm just not sure what's available to specify...

Nate

crusader_
Partner - Specialist

Hi Nate,

Check this and this help article for details. It's pretty hard to advise from the outside, since there may be other security rules that affect the result.

I'd recommend using the "Audit" QMC section to verify which rules are contributing to the result.

Hope this helps.

//Andrei

nate_ak
Contributor III
Author

Sounds good. I'll take a look at those links. Thanks again.