Qlik Community

Qlik Sense Deployment & Management

Discussion board where members learn more about Qlik Sense Installation, Deployment and Management.

erikadvectas
Valued Contributor

Full access only on specific streams for developers

Hi!

I want to be able to have a "Publish Admin" role, where the developers can only publish new versions of apps they are allowed to develop on. There are other apps which they can see, but shouldn't be able to duplicate. Any idea how to do this?

User: .\test1

Streams: Newstream, Secondstream

Read, Publish-rights on both streams.

First a custom property:

Name: CanPublish

Resource types: Users, Streams

Values: [e.g.stream name - doesn't have to be identical to the actual stream name, as long as the value is identical on user and stream], ex. Newss

We add this custom property on:

User: ”test1” with value ”Newss”

Stream: ”NewStream” with value ”Newss”

Two rules is needed:

One for what you can see in the QMC

Name: _LocalAdmin QMC

Resource filter: QmcSection_App

Actions: Read

Conditions: user.roles="LocalAdmin"

Context: Only in QMC

One for what you should be able to do with the apps:

Name: _LocalAdmin apps

Resource filter: Stream_*,App_*,App.Object_*,Tag_*

Actions: all

Conditions: user.roles="LocalAdmin" and  (

(resource.resourcetype="App" or resource.resourcetype="App.Object" or resource.resourcetype="Stream" or resource.resourcetype="Tag") and

(resource.stream.@CanPublish=user.@CanPublish or resource.app.stream.@CanPublish=user.@CanPublish ) or

(resource.IsOwned()  and resource.owner = user)

)

Context: Only in QMC

First question:

The result is that users can duplicate all apps he can see, and he can replace all apps in streams where both he and the stream has the same custom property value on "CanPublish" (see attached yes.png). How can I deny him access on "SecondStream" (see attached no.png) ?

Without the (resource.IsOwned()  and resource.owner = user) the user can't duplicate his own apps, nor duplicate or replace apps that are present in the streams he should be "LocalAdmin" to.

Second question:

With these added conditions (+ QMC sections rules), he can add tasks under the QMC sections, but for some reason the "Create new reload task" under the Apps section of QMC is grayed out. Any idea how to allow this directly under Apps section of QMC?

Resource filter: Stream_*,App_*,App.Object_*,Tag_*, ReloadTask_*,SchemaEvent_*,CompositeEvent_*

Actions: all

Conditions: user.roles="LocalAdmin" and (

(resource.resourcetype="App" or resource.resourcetype="App.Object" or resource.resourcetype="Stream" or resource.resourcetype="ReloadTask" or resource.resourcetype="SchemaEvent" or resource.resourcetype="CompositeEvent" or resource.resourcetype="Tag")  and

(resource.stream.@CanPublish=user.@CanPublish or resource.app.stream.@CanPublish=user.@CanPublish) or

(resource.IsOwned()  and resource.owner = user)

)

Context: Only in QMC