tschullo
Creator III

Sheet Level Security holes

Hello QS experts.  I have implemented sheet level security by AD groups. All the groups that have access to the sheet called "Utilization" are granted access explicitly and the ones that don't are explicitly denied access by object name.

At first I wanted to do it by object ID, but I thought, what if a developer deletes the sheet and recreates it? What if he copies the whole app? Does it get a new ID? So I decided to go with Name, but obviously we could rename the sheet as well. I even included the App name in the rule, but even the App can change names/IDs.

My question is, what is the right way to implement this without the risk of inadvertently making the sheet visible to those that should not have access to it?  How does one maintain the solution going forward?

Thanks!


Accepted Solutions
gaidamichal
Partner - Contributor III

Hello,

In our practice we tend to stick to Sheet ID as this is the most persistent solution:

  • Duplicating the app for development purposes changes the sheet IDs, but the app retains the target ID, so when republished on top of the original the sheet IDs are not changed.
  • Removing the app and republishing a new copy will of course change the IDs.
  • Removing the sheet and recreating it can also break the sheet ID persistence.

This is still much better than relying on names as the name can be changed in a copy and the ID will remain after republish. The key is to keep App ID - Target ID relation.

The solution you can try is reversing the rule (splitting in two rules) - specify all sheets with "public" access and then set another rule for the "restricted" access sheet to AD group you have. This way if a new ID will somehow be generated for the sheet no one will have access (till you verify and add it to the list or replace the now "obsolete" one).

The downside is that you need to keep adding "new" sheets to the public rule and this adds some manual labor,  but it will prevent any unwanted access in any circumstances.

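The difference between the name-matched rule from the question and the two ID-based rules from the accepted answer, as an added example that is not part of the original posts and is not Qlik's rule engine. It is a simplified Python model; the sheet IDs, the group names and all function names are constructed assumptions.

```python
"""Simplified model of the two rule designs in this thread (not Qlik's rule engine)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Sheet:
    id: str      # constructed placeholder IDs, not real Qlik object IDs
    name: str

# Hypothetical rule data; the AD group names are assumptions.
PUBLIC_IDS = {"id-overview", "id-trends"}        # "public" rule: explicit ID list
RESTRICTED = {"id-util-1": {"AD-Utilization"}}   # "restricted" rule: ID -> groups
NAME_RULE = {"Utilization": {"AD-Utilization"}}  # design from the question: by name

def name_rule_can_view(sheet, groups):
    """Name-matched restriction: any sheet the rule does not match stays visible."""
    allowed = NAME_RULE.get(sheet.name)
    return True if allowed is None else bool(allowed & set(groups))

def allowlist_can_view(sheet, groups):
    """Two ID-based rules: a sheet in neither list is visible to nobody."""
    if sheet.id in PUBLIC_IDS:
        return True
    return bool(RESTRICTED.get(sheet.id, set()) & set(groups))

def uncovered(sheets):
    """Sheets whose ID is in neither rule: the review queue after a republish."""
    return [s for s in sheets
            if s.id not in PUBLIC_IDS and s.id not in RESTRICTED]

# Constructed inventories: the restricted sheet comes back renamed with a new ID.
BEFORE = [Sheet("id-overview", "Overview"), Sheet("id-util-1", "Utilization")]
AFTER = [Sheet("id-overview", "Overview"), Sheet("id-util-2", "Utilization v2")]

if __name__ == "__main__":
    outsider = ["AD-Sales"]  # a group that must not see the restricted sheet
    for label, sheets in (("before", BEFORE), ("after", AFTER)):
        for s in sheets:
            print(label, s.name,
                  "| name rule:", name_rule_can_view(s, outsider),
                  "| ID allow-list:", allowlist_can_view(s, outsider))
        print(label, "needs review:", [s.id for s in uncovered(sheets)])
```

Running `uncovered()` against the current sheet inventory after every republish gives the list of IDs that still have to be verified and added to one of the two rules.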

3 Replies
tschullo
Creator III
Author

This makes sense, but definitely needs attention from Qlik. In my scenario, I will be publishing the app to two streams. If I understand correctly, only the primary published stream will keep the same IDs.

The one that I have to copy will always get new IDs every time I revise the dashboard.

I'm almost better off sticking with these names and splitting the rule as you mentioned.

Thanks for your help!

vegard_bakke
Partner - Creator III

May I ask what the purpose of hiding a sheet in your app is?

If it is for a better user experience, then all is good.

But if it is for security, then remember that the Qlik API lets the user create any chart they want. So "hiding" a sheet will not help much. In the sense of security, that is.

Just by pressing Selections or Insight, the user will get access to the data that has not been restricted by section access (by row or by column).