First of all, maybe on some environments the way that topic suggest is enought, but in my environment I'm managing a QMC with more than 25 apps linked with more than 10 streams and it won't stop to grow, so its unable for maintenance and administration reasons hide everything and from then make rules for every user on every stream on every app on every sheet... just impossible.
Then Im trying to get the solution by custom-properties filters, I'm thinking to assing a custom-property on every user and then make the appropiate security rules letting those users with the right custom-properties associated access to some sheets or not.
My troubles are the following,
- I don't know what is the internal hierarchy which follow QlikSense to apply the distinct security rules, I mean, it's possible make a security rule on QMC-> Security Rules, also in QMC->Streams, and also some security rules are applyed by default just creating a stream or an app.
if two rules clash ¿which one will apply and which one will be disabled due to the other rule?
- I don't know If I must to apply the rules on Stream level or on App level.
¿It's possible make what I need or actually Sense just isn't ready for that nowadays?
wherever you make your Security Rule you can find all of them in QMC --> Security Rules.
You can have Read Only Rules (you cannot modify those rules) Default rules (coming with the installation, you can modify and delete those rules) and the Custom Rules, but do not exist any execution Hierarchy, all rules will be executed, the union of two sets will benefits. That mean if you have a rule A which allow only Engineering users except the anonymous to create an App, and the rule B which allow only the Power users to create an App, both of them will be executed, as result Engineering and Power user will allow to create an App.
Security rules are very flexible, you can realy implement the same behavior in several different way, so is up to you where and how to write the rule.
If you have 25 apps in more then 10 streams probably sheet level access is not what you want to implement.