Using Rules to segregate Consumption from Development


Goal:

The goal of this guide is to use the rules capability in Qlik Sense Enterprise on Windows to segregate consumption of published Qlik apps (production activities) from ad-hoc development in the Hub. The first example uses Load Balancing Rules. The second example adds Security Rules in order to "hide" the Streams when a user accesses the Hub through the Development Virtual Proxy.


Example 1: Basic Segregation

For this example, we will review basic segregation of Qlik apps across multiple virtual proxies. For basic segregation to succeed, the Engine(s) that will host the Qlik apps must not include the Central Node, because some non-modifiable default rules in Qlik Sense Enterprise on Windows would otherwise interfere [1].

To achieve basic segregation, the administrator will need to:

  • Create a Custom Property named NodeType, which is applied to Nodes and has the possible values of Production and Development.

seg-1.png

  • Apply the Production value to the production-only node(s) and ensure that the Node purpose for those node(s) is set to "Production" [2].

seg-2.png

  • Apply the Development value to the ad-hoc development-only node(s) and ensure that the Node purpose for those node(s) is set to "Both" or "Development".

seg-3.png

  • Disable the default Load Balancing Rule ResourcesOnNonCentralNodes

seg-4.png

  • Create a new Load Balancing Rule.
    • Name: Separate Production from Development
    • Resource Filter: App_*
    • Actions: Load balancing
    • Conditions: ((node.@NodeType="Production" and !resource.stream.Empty()) or (node.@NodeType = "Development" and resource.stream.Empty()))
    • Context: Both in Hub and QMC

seg-5.png

  • Create a virtual proxy for the consumption of production apps. In this example it will have a prefix of prod, but this is not required. Use of the default virtual proxy is possible for this. Select the Server Node which is a production node.
    • Not shown: Configure any needed host white list values (Virtual Proxy > Edit > Advanced > Host white list)

seg-6.png

  • Attach to the desired Proxy (if needed)

seg-7.png

  • Create a virtual proxy for ad-hoc development. In this example it will have a prefix of dev, but this is not required. Use of the default virtual proxy is possible for this. Select the Server Node which is a development node.
    • Not shown: Configure any needed host white list values (Virtual Proxy > Edit > Advanced > Host white list)

seg-8.png

  • Attach to the desired Proxy (if needed)

seg-7.png

  • Open up the Hub on each virtual proxy to validate
  • Dev:

seg-9.png

  • Production:

seg-10.png
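To make the load balancing decision concrete, here is an added Python model of the rule from the step list above; it is illustrative code written for this page, not Qlik's rule engine or any code from the original guide. It evaluates the custom condition ((node.@NodeType="Production" and !resource.stream.Empty()) or (node.@NodeType="Development" and resource.stream.Empty())) against a constructed set of nodes and apps, and also models the non-editable ResourcesOnCentralNode rule from note [1] to show why a Central node Engine must stay out of the load balancing set. Node names, app names and stream names are constructed sample values.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# --- Objects the rule engine evaluates (constructed sample data, not Qlik types) ---

@dataclass(frozen=True)
class Node:
    name: str
    node_type: str            # value of the custom property @NodeType
    is_central: bool = False  # True for the Central node's Engine

@dataclass(frozen=True)
class App:
    name: str
    stream: Optional[str] = None  # None models an unpublished app: resource.stream.Empty()

Rule = Callable[[Node, App], bool]

def separate_production_from_development(node: Node, app: App) -> bool:
    """Condition of the custom Load Balancing Rule created in Example 1:
    ((node.@NodeType="Production" and !resource.stream.Empty())
     or (node.@NodeType="Development" and resource.stream.Empty()))"""
    published = app.stream is not None
    return ((node.node_type == "Production" and published)
            or (node.node_type == "Development" and not published))

def resources_on_central_node(node: Node, app: App) -> bool:
    """The non-editable default rule from note [1]: every app is load balanced
    to the Central node's Engine regardless of stream or custom properties."""
    return node.is_central

def apps_on_node(node: Node, apps: List[App], rules: List[Rule]) -> List[str]:
    """An Engine serves an app when any enabled load balancing rule matches."""
    return sorted(app.name for app in apps if any(rule(node, app) for rule in rules))

# Constructed site: one rim node per NodeType value, plus the Central node.
PROD = Node("prod-node", "Production")
DEV = Node("dev-node", "Development")
CENTRAL = Node("central-node", "Production", is_central=True)

APPS = [
    App("Sales Dashboard", stream="Finance"),
    App("Operations Monitor", stream="Monitoring apps"),
    App("Sales Draft"),      # unpublished: ad-hoc development work
    App("Scratch Model"),    # unpublished
]

# ResourcesOnNonCentralNodes is disabled per the guide; ResourcesOnCentralNode cannot be.
ENABLED_RULES: List[Rule] = [separate_production_from_development, resources_on_central_node]

def load_balancing_plan(nodes=(PROD, DEV, CENTRAL), apps=APPS,
                        rules=ENABLED_RULES) -> Dict[str, List[str]]:
    """Which apps each Engine would serve under the enabled rules."""
    return {node.name: apps_on_node(node, apps, rules) for node in nodes}

if __name__ == "__main__":
    for node_name, names in load_balancing_plan().items():
        print(f"{node_name:13s} -> {names}")
```

The plan shows the intended split (published apps only on prod-node, unpublished apps only on dev-node) and, for central-node, every app regardless of the custom rule, which is exactly the leak note [1] warns about when the Central node's Engine is selected on a virtual proxy.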


Limitations of Example 1

This approach isolates which apps are available on each Qlik Engine node. However, there is no inherent relationship between the virtual proxy a user came in through and the evaluation of the streams that user has access to, so this approach results in empty streams when accessing Qlik Sense Enterprise through the dev virtual proxy:

seg-11.png

For most organizations this is an acceptable solution. Those who want to customize the experience further, and who use a supported authentication mechanism (e.g. SAML), can implement Example 2 (see below).


Example 2: Advanced Segregation

Building on the configuration from Example 1 (above), we can further customize the experience by "hiding" the streams when the user accesses Qlik Sense Enterprise through the dev virtual proxy. This approach uses SAML for authentication because a SAML virtual proxy can pass static attributes on a per-virtual-proxy basis. Although not covered here, the approach can be adapted to any authentication type that allows passing session attributes, including JWT and Web Ticketing; both can use customized authentication modules that pass a session attribute whose value is then used in the site's security rules.

To implement this approach:

  • Edit the Dev virtual proxy and specify a static attribute to be passed like so:

seg-12.png

  • Customize all security rules which provide stream access to include the clause: and user.environment.access.Empty() [3]
    • Note: In this example, I have only a single custom security rule, which grants access to my custom streams based on matching a user's group from a User Directory Connector to a custom property assigned to the stream. In your environment, you may have many rules which apply to streams and need adjustment.
    • Note 2: In this example I have likewise adjusted the default security rules StreamMonitoringAppsRead (which governs access to the Monitoring Apps stream) and StreamEveryone (which provides access to the Everyone stream).

seg-13.png

  • Open the dev Virtual Proxy to validate:

seg-15.png
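The following added Python model shows how the extra clause from Example 2 and the OwnerRead caveat from notes [1] and [3] combine to decide which streams a user sees on each virtual proxy. It is illustrative code written for this page, not Qlik's security rule engine or code from the original guide. It assumes the dev virtual proxy injects a session attribute named access (the exact static value, "development", is a constructed placeholder; the page does not show it) and that the prod virtual proxy passes no such attribute. User ids, group names, stream names and the internal service account name are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# --- Objects the security rule engine evaluates (constructed, not Qlik types) ---

@dataclass
class User:
    userid: str
    groups: Tuple[str, ...] = ()                                       # from the UDC
    environment: Dict[str, List[str]] = field(default_factory=dict)    # session attributes

@dataclass(frozen=True)
class Stream:
    name: str
    owner: str        # userid of the stream owner
    group: str = ""   # custom property on the stream, matched against user groups

def env_empty(user: User, attribute: str) -> bool:
    """Models user.environment.<attribute>.Empty() from the rule language."""
    return not user.environment.get(attribute)

def stream_everyone(user: User, stream: Stream) -> bool:
    """Default StreamEveryone rule with the added clause from Example 2."""
    return stream.name == "Everyone" and env_empty(user, "access")

def stream_by_group(user: User, stream: Stream) -> bool:
    """The custom group-to-stream rule, also carrying the added clause."""
    return stream.group != "" and stream.group in user.groups and env_empty(user, "access")

def owner_read(user: User, stream: Stream) -> bool:
    """Non-editable OwnerRead rule: an owner always sees what they own [1], [3]."""
    return stream.owner == user.userid

SITE_RULES: List[Callable[[User, Stream], bool]] = [stream_everyone, stream_by_group, owner_read]

def through_virtual_proxy(user: User, static_attributes: Dict[str, List[str]]) -> User:
    """The session as the rule engine sees it after a virtual proxy injects its static attributes."""
    environment = dict(user.environment)
    environment.update(static_attributes)
    return User(user.userid, user.groups, environment)

def visible_streams(user: User, streams: List[Stream], rules=SITE_RULES) -> List[str]:
    """A stream is visible when any security rule grants it."""
    return sorted(s.name for s in streams if any(rule(user, s) for rule in rules))

INTERNAL = "INTERNAL\\sa_repository"          # constructed internal service account
ALICE = User("DOMAIN\\alice", groups=("finance",))

STREAMS = [
    Stream("Everyone", owner=INTERNAL),
    Stream("Finance", owner=INTERNAL, group="finance"),
    Stream("Finance Sandbox", owner="DOMAIN\\alice", group="finance"),  # owned by a user, see [3]
]

PROD_PROXY: Dict[str, List[str]] = {}           # prod virtual proxy: no static attribute
DEV_PROXY = {"access": ["development"]}         # dev virtual proxy: constructed static value

def hub_view_prod() -> List[str]:
    return visible_streams(through_virtual_proxy(ALICE, PROD_PROXY), STREAMS)

def hub_view_dev() -> List[str]:
    return visible_streams(through_virtual_proxy(ALICE, DEV_PROXY), STREAMS)

def hub_view_dev_after_reowning() -> List[str]:
    """Same dev session once every stream is owned by the internal account, as note [3] requires."""
    fixed = [Stream(s.name, INTERNAL, s.group) for s in STREAMS]
    return visible_streams(through_virtual_proxy(ALICE, DEV_PROXY), fixed)

if __name__ == "__main__":
    print("prod proxy:", hub_view_prod())
    print("dev proxy: ", hub_view_dev())
    print("dev proxy after re-owning streams:", hub_view_dev_after_reowning())
```

Through the prod proxy the session has no access attribute, so the adjusted rules grant the usual streams. Through the dev proxy every adjusted rule fails, yet "Finance Sandbox" still appears because OwnerRead cannot be edited; only re-owning that stream to the internal account, as note [3] says, makes the dev Hub show no streams. Any stream rule you forget to adjust would reappear in the dev view the same way, so after changing rules it pays to verify in the dev Hub as the guide does.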

Extending Example 2

This guide shows how to segregate consumption from development using static attributes on a SAML virtual proxy. A similar approach could apply a different value for the Access static attribute on each virtual proxy, which would allow segregating both apps and streams:

  • across business units 
  • between internal and external access


[1]  These rules are the ResourcesOnCentralNode Load Balancing Rule and the OwnerRead Security Rule. ResourcesOnCentralNode ensures that all applications are load balanced to the Central node's Engine. This rule cannot be modified because of architectural assumptions in the design of Qlik Sense Enterprise; for example, apps which need to be migrated are migrated by the Central node's Engine. The OwnerRead security rule ensures that the owner of an entity (e.g. app, stream, extension, sheet) can see that entity. The consequence of ResourcesOnCentralNode is that if the Central node's Engine is used for load balancing, then all applications will be available to the user in the Hub. The consequence of OwnerRead is that the owners of unpublished apps will be able to see those apps if the Central node's Engine is used for load balancing.

[2]  The Node Purpose value of Production disables the Create App button in the Hub over and above any security rules or license assignments (i.e. a Professional license) which would otherwise grant the ability to create an app.

[3]  Also ensure that all streams are owned by an internal account. As with note [1] above, if a user is the owner of a stream then they will see that stream despite the configuration in Example 2.

seg-14.png

Comments
Partner

Thank you Levi!!

Version history
Revision #:
2 of 2
Last update:
2020-03-23 02:03 PM
Updated by: