Qlik Community

Qlik Sense App Development

Discussion board where members can learn more about Qlik Sense App Development and Usage.

Announcements
BI & Data Trends 2021. Discover the top 10 trends emerging in today. Join us on Dec. 8th REGISTER
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Partner
Partner

Qlik Sense App Level Security Issue

Hi,

I am trying to make some security on app level based on Active Directory groups.

I have followed this dockument and this works fine. The users can now see the apps they are supposed to based on a value from Active Directory.

What is the problem now that I have some developers who should be able to see everything, as if there is no App Level Security.

Can I combine this in some way?

users ABC have security based on active directory

and XYZ have security based on lets say a tag or custom property I give them that lets them see everything?

Thanks for any suggestions.

Best,

Ali A

7 Replies
Highlighted
MVP & Luminary
MVP & Luminary

Are the developers members of a Developers AD group? Then modify the exception rule:

((user.group = resource.@AppLevelMgmt) OR (user.group = 'Developers' ))


talk is cheap, supply exceeds demand
Highlighted
Partner
Partner

No, they are not and I was considering that, but I am trying to do it based on a custom property I set on the users in Qlik.

Is that possible? I found another default rule in Qlik Sense where I could add their names and that seems to make it work, but still trying to understand this.

Best,

Ali A

Highlighted
MVP & Luminary
MVP & Luminary

Custom properties will work too, but you'll have to add the custom property manually to each user that's a developer. You could for example create a custom property named UserRole with a value Developer. Assign the developer users that value Developer. Then adapt the exception rule to ((user.group = resource.@AppLevelMgmt) OR (user.@UserRole = 'Developer'))


talk is cheap, supply exceeds demand
Highlighted
Partner
Partner

Hi,

So I adapted it from:

((user.group=resource.@AppLevelManagement))

to

((user.group = resource.@AppLevelMgmt) or (user.@UserRole = 'Developer'))

and got this:

Capture.PNG

Tried to change to this:

((user.group = resource.@AppLevelMgmt) or (user.@UserRole = "Developer"))

Which made it valid, but I still can't see License Monitor or Operation Overview App which I should since I have user specified stream access to this:

Capture.PNG

Could it be the Custom Stream Rule that is doing this?

(resource.resourcetype = "App" and resource.stream.HasPrivilege("read") and resource.@AppLevelMgmt.empty()) or ((resource.resourcetype = "App.Object" and resource.published ="true") and resource.app.stream.HasPrivilege("read"))

Thanks for helping out!

Best,

Ali A

Highlighted
MVP & Luminary
MVP & Luminary

That rule in the screenshot has nothing to do with it. Rules can only grant access, not take access away. Did you create the UserRole custom property and assign the value Developer to your developer users?


talk is cheap, supply exceeds demand
Highlighted
Partner
Partner

Ok.

Yes I did, but didn't make any difference 😕

Best,

Ali A

Highlighted
Master II
Master II

Not an expert in this but...few questions and suggestions.

Is user dev_aah a root admin?


A. Create custom property based on app & User (Just the app custom property would not work)

B. Tag that property to app you like to restrict

C. Disable your default Stream rule

D. Create a new rule

(resource.stream.HasPrivilege("read") and (user.@AppLevelMgmt=resource.@AppLevelMgmt))

I think this should work

E. Check if your root admin has access to Monitoring apps w/o creating a new rule? If he doesn't then create a new rule for Monitoring Stream

((user.roles="RootAdmin")) << if the user is root admin he/she can see that stream.

Test out with resource filter as 'App' only instead of 'App_*'

* would mean all the apps.