Qlik Community

Qlik Sense App Development

Discussion board where members can learn more about Qlik Sense App Development and Usage.

Announcements
Coming your way, the Qlik Data Revolution Virtual Summit. October 27-29. REGISTER
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Contributor III
Contributor III

App Level Security with Active Directory

We have our environment tied to Active Directory, and I'm attempting to configure Application level security. I believe I'm close, but its not quite working. Note that I do not want sheet level security at this point. If a user has access to an app, I'm ok with them seeing all sheets within that app. 

I created two Custom Properties, one each for streams (StreamGroup) and apps (AppGroup). The values in both of custom properties match the names of the AD groups that I want to to use to secure the apps. 

I then added all the stream property values to each stream that are associated with the apps that are published to each stream. If a stream has 3 published apps, then it is given the 3 stream property values that match those apps.  I then gave each app its associated app custom property value. 

Next, I disabled the default Stream Security Rule. Then I created two new security rules, on each for streams and apps. The stream rule has "Stream*" for a filter and the following condition: ((user.group=resource.@StreamGroup)) It seems to be working as intended. 

The app rule has "App*" as a filter and the following condition: (resource.resourcetype = "App" and resource.stream.HasPrivilege("read") and resource.@AppGroup = user.group). On its own this isn't working. If I add an additional rule for each app with an "App*" filter and condition: ((user.group="AD Group Name Here")), then everything appears to be working until an app is opened. None of the sheets are visible to users at this point. 

Any advice would be greatly appreciated. Thank you. 

 

4 Replies
Highlighted
Partner
Partner

Hi,

It looks like with your second "App level" rule, you specified resource filter "App*" and overwrote it inside the rule resource.resourcetype="App", which means Application only, but not App.Objects...

Try below:

(resource.resourcetype = "App*" and resource.stream.HasPrivilege("read") and resource.@AppGroup = user.group)

Hard to test on my side, but hope this helps.

//Andrei

Highlighted
Contributor III
Contributor III

Hi there,

Thanks for the response. I gave that a try though and unfortunately it didn't do the trick. I'm new to writing these conditions, but do you think it would be possible to call additional app.object criteria in the code? I'm just not sure what's available to specify...

Nate

Highlighted
Partner
Partner

Hi Nate,

Check this and this help article for details. It's pretty hard to advise from outside, as soon as there are other security rules which could affect the result.

I'd recommend to use "Audit" qmc section and verify which rules are contributing to the result.

Hope this helps.

//Andrei

Highlighted
Contributor III
Contributor III

Sounds good. I'll take a look at those links. Thanks again