Hi,
We have two streams where we want everybody with access to stream A to have access also to stream B. Is it possible to create such a rule?
Erik Wetterberg
Hey Erik,
I am not seeing a way to do that style of inheritance in any direct sense. You can always create a security rule which simultaneously grants access to two streams. Example rule:
user.name = "ExampleUserName" can always be adjusted to use user.group or some other attribute information so that you do not need to statically assign users to these two streams.
Hope that helps.
Thanks,
I'll try that approach.
Erik Wetterberg
We created custom properties that apply to users and streams, then a rule to say if the user property matches the stream property, they have access.
rule applied to Stream_*
((user.@StreamSecurity=resource.@StreamSecurity))
adding this to grant access to apps in a stream
App*
(resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript") and resource.app.stream.HasPrivilege("read"))
Yep, custom properties can work here, although from a management perspective custom properties should be used judiciously and ideally reserved for instances where existing meta-data is not well scoped for use in security rules.
In the example that you are using, it would require setting a property (which is an explicit QMC activity or requires custom work to assign via APIs) on each new user to on-board. On-boarding a new stream means re-using an existing custom property or assigning a new one to the stream + all the users.
Custom Properties are great but can be a bit of a chore to use depending on volume of users / frequency of changes. Doing things 10 times is fine. But doing it 200 times creates a fair amount of administrative overhead.
So if there is existing user meta-data from a User Directory Connector (AD / LDAP / a Database), it's ideal to leverage this information but, unfortunately, it isn't always available or tailored for use.