Qlik Community

Qlik Sense Documents

Documents about Qlik Sense.

Announcements
BI & Data Trends 2021. Discover the top 10 trends emerging in today. Join us on Dec. 8th REGISTER

QlikSense Sheet Level Security - QMC Security Rules

Employee
Employee

QlikSense Sheet Level Security - QMC Security Rules

When utilizing QlikSense, Sheet Level Security can be achieved through Security Rules via the QMC.

Background:

My suggested approach to implementing Sheet Level Security is to create four new Security Rules after disabling the default rules.  It involves a User Directory with properties for the Company, Application, and Sheets.  Custom properties in the QMC will need to be created to contain the same User Directory property values.

Custom properties are created, in the QMC, and assigned to the individual Applications and Streams.  This allows for a general approach to handling an expanding list of Companies and their various Applications.  As the number of Applications and Companies grow, the User Directory Properties and Custom Properties will both need to be updated to grant access to the new applications and the application's sheets.

**Note** Please disable the default rules, please do not delete them.

Security Rule to Disable is the Stream rule...

Rule Name = Stream

Resource Filter = App*

In the example below, I am utilizing a user directory that has user properties.  It identifies an individual directory to apply the security rules to.  If you have multiple user directories, you will need to include them in the rule or create seperate rules for them.

Create four new rules for Streams, Applications, Sheets, and Non-Sheet Application Objects.

1) Rule for Streams

    1. Filter = Stream_*
    2. Suggested Logic = Identify a group of QlikSense Users who meet the criteria to access the stream.
      1. Users must below in an identified User Directory
      2. Users must have the user property of Company that matches the Custom Property (Company) assigned to the stream

((

user.userDirectory="Specific User Group"

and user.company=resource.@Company

))

2) Rule for Applications

    1. Filter = App_*
    2. Suggested Logic = Identify a group of QlikSense Users who meet the criteria to access the applications.
      1. Users must have the user property of Company that matches the Custom Property (Company) assigned to the application.
      2. Users must have the user property of applications that matches the Custom Property (Applications) assigned to the application
      3. User must have Read Permission to the stream the application is in

((

resource.resourcetype = "App"

and user.userDirectory="Specific User Group"

and user.company=resource.@Company

and user.applications=resource.@Applications

and resource.stream.HasPrivilege("read")

))

3) Rule for Sheets

    1. Filter = App.Object_*
    2. Suggested Logic = Identify a group of QlikSense Users who meet the criteria to access the sheets.
      1. The Object must be a sheet
      2. The Users must have the user property of sheets that matches the Sheet Name

((

user.userDirectory="Specific User Group"

and resource.objectType="sheet"

and user.sheets=resource.name

))


4) Rule for Non-Sheet Application Objects

    1. Filter = App.Object_*
    2. Suggested Logic = Identify a group of QlikSense Users who meet the criteria to access the other application objects.
      1. The Object Must not be a sheet (Explicitly exclude sheet to ensure Rule above will work)
      2. The Objects you want the user to access must be included in the 'or' section
      3. Excluding an Object Type will exclude access
      4. Using the 'resource.objectType!=' will also exclude Application Object

((

user.userDirectory="Specific User Group"

and resource.objectType!="sheet"

and resource.objectType="bookmark"

or resource.objectType="appprops"

or resource.objectType="bookmark"

or resource.objectType="dimension"

or resource.objectType="embeddedsnapshot"

or resource.objectType="GenericVariableEntry"

or resource.objectType="listbox"

or resource.objectType="masterobject"

or resource.objectType="measure"

or resource.objectType="snapshot"

or resource.objectType="story"

))

Comments
Partner
Partner

Nice and clear. Now try modify Rule for give access to sheet on diffirent apps

Employee
Employee

Hi alexander korsikov,

For the written approach, I went a top down approach. 

Stream then App then Sheet then Non Sheet Application Object.

For your approach, I would go Bottom Up.

Sheet then App then Stream

The rules would establish application access based on the sheet name due to not knowing which exact application or streams those Sheets exist in.

Note: .HasPrivilege("read") on the Application and Stream would be removed or returned true when the Application contains one or more of the Sheets.

The following logic would be what determines the application and stream access.

resource.objectType="sheet"

and user.sheets=resource.name

0 Likes
Creator II
Creator II

Hi bef,

Could you please explain how many custom properties with what resource type need to create.

Is this user property  is the custom property name with values Company, Application, and Sheets?

What resource type need to select for this user property. Please let me know.


Thanks in advance.

Contributor III
Contributor III

Hi Bef,

If we have an app and user's are able to create sheets, how can we secure the sheets so that just the creator of those sheets sees them? In our case, when users create their sheets under an APP and save it. All of those sheets are visible to everyone under the My Sheets section. How can I set this up in such a way personal sheets are accessible to the creators only?

Appreciate your help.

Thank you,

Ilyas

0 Likes
Contributor
Contributor

Hi Bef,

Very clear explanation. I have created mysheet and published. However, other users cannot see mysheet in Community. They can only see Public sheets and My sheets, but not Community sheets. Any idea?

0 Likes
Employee
Employee

@kabir_rab recently published a great post with clear demonstration of how to secure specific sheets within applications. He walks through how security levels work and how to enhance the standard out of the box rules to add sheet level security. If democratizing data across the organization is your goal then this level of security granularity is going to be a must. Be sure to check his post out. 

 http://dataonthe.rocks/sheet-restrictions-with-security-rules/

 

0 Likes
Version history
Revision #:
1 of 1
Last update:
‎2017-03-31 03:43 PM
Updated by:
Employee