Qlik Community

Qlik Sense Deployment & Management

Discussion board where members learn more about Qlik Sense Installation, Deployment and Management.

Not applicable

Security rule to drive stream access based on app access

Hi all,

So I am trying to figure out a security rule (not even sure if it is possible I'll be honest) and thought I would post up and see any bright spark had an issue.

The rule I am trying to put is in place is, to only make a Stream readable (visible on the hub), once a user has access to any one of the underlying Apps within that Stream.

The reason for wanting this is that each App will have it's own user base and rule for it and as there will be a number of different functional area streams, so to avoid have to double up on rules it would be good to be able to have the stream work from the app read permission (the client basically doesn't want to see other Streams if they aren't part of that function).

Thoughts on a postcard

Thanks

Joe

10 Replies
srm12213
New Contributor III

Re: Security rule to drive stream access based on app access

You can give the read access to all the user and restrict the usage of the dashboard using the section access script in each dashboard.

Not applicable

Re: Security rule to drive stream access based on app access

Hi Santosh,

thanks for the reply, that's not really what I am after I'm afraid, not sure if the question wasn't detailed enough.

I have a stream lets say 'Finance', an app lets call is 'P&L' (which is published into the stream) and a user 'Bob'.

When Bob logs onto the hub he should not by default see the stream 'Finance'.

Bob is now added to the security rule for the app 'P&L' and now he should see the stream 'Finance' because he now had access to 'P&L app which is published to the stream

Hopefully that makes more sense

Thanks

Joe

srm12213
New Contributor III

Re: Security rule to drive stream access based on app access

Any new stream which is created are default hidden.

Example: In your example a new stream is created 'Finance' and user Bob cannot see the stream by default.

After you add him to the security rules in QMC, he can access the stream.

Hope this answered your question

Thank you

guantujiang
New Contributor III

Re: Security rule to drive stream access based on app access

but that will required system admin to add both access for stream and app.

if we can authorization stream base APP, then the mgmt work loading will be more easier

but base my understand in Qliksens SR, it was match rule with resouce one by one,

you can not get the stream object from the app object, and also can not refer to sub-app from stream,

so I think it will not work in this way

thkarner
Contributor III

Re: Security rule to drive stream access based on app access

Hi, I´d like to achive the same thing: Stream is visible in case the user has access to at least one app of the stream (managed by custom properties).

The explanation above tells it wouldn´t be possible.

Can anybody confirm? Or is there a solution?

Regards, Thomas

riccardozenere
Contributor III

Re: Security rule to drive stream access based on app access

Hi Thomas,

no, it is possible with Custom Properties.

You will need a Custom Property that is applied to the Apps, Streams and Users

On the Security Rules side, you'll need to deactivate the default Stream rule and create a new one that forces the match user.@CP = resource.@CP

You can choose to have a single rule o multiple rules to govern Stream access, but basically you'll need to have the condition stream.@CP = user.@CP

Finally, you'll need to apply the @CP to the users

Due to its nature, I believe this CP should have 'app' value (so you should apply the same value only to a single app, not many)

The "pitfall" in this case is that Section Access can't guide the visibility, so you'll still need to manage it to restrict app access/data visibility

Hope this helps,

Riccardo

thkarner
Contributor III

Re: Security rule to drive stream access based on app access

Hi Riccardo,

you wrote to create a security rule like user.@CP = resource.@CP.

In my case I don´t want to have @CP assigned to the stream but to (some) apps of the steam.

Does the security rule (with resource.@CP) really work on the stream ressource although the the steam has no @CP assigned?

Maybe you can confirm. For sure I´ll try to check it on my own.

Thanks, Thomas

riccardozenere
Contributor III

Re: Security rule to drive stream access based on app access

Hi Thomas,

sorry, I didn't explain myself enough.

The @CP on the Stream helps you to have a single rule for all the Streams instead a single rule for each Stream

So yes, you can avoid using the @CP on the Stream but you'll need to manage N-rules

Riccardo

thkarner
Contributor III

Re: Security rule to drive stream access based on app access

Hi Riccardo,

maybe there is a misunderstanding. Let me give you an example.

I´ve a stream "Stream 1" which contains App A1 with @CP_App="Finance" and A2 with @CP_App="Sales" and A3 with @CP_All = "Finance" and "Sales" (both).

In "Stream 2" there is App A4 with @CP_App = "Finance". Users are also assigend to same @CP_App.

I have a security rule which defines app read access with user.@CP_App = app.@CP_app. But this alone doesn´t give access to the stream.

Now I want to have a security rule which gives read-permission in case a users has access to at least one app of the stream.

In the give example finance users should have access to "Stream 1" and "Stream 2", sales users to "Stream 2" only. The point is, I don´t want to maintain a separate @CP for stream access, because it should be inherited from apps.

I don´t think this possible. I couldn´t find a way. Do you think this could be realised?

Regards, Thomas