Qlik Community

Qlik Sense Documents

Documents about Qlik Sense.

Announcements
See why BI users voted Qlik #1 in 11 categories. GET REPORT

Sheet or App Object Level Security Qlik Sense

Specialist III
Specialist III

Sheet or App Object Level Security Qlik Sense

Hi Techies,

 

Qlik Sense QMC has great feature of QMC resource security where resource is like stream, application and master items(sheets, field, bookmarks, story etc) could be hidden from user or group of users. This document will guide you how to implement resource security in Qlik Sense from QMC to the deepest level which is app objects.

 

Qlik Sense security hierarchy: Stream => Application => App Objects (sheet, chart, dimension and measure)

 

My goal is to restrict an user to a particular Stream => application => sheet =>Chart( set of charts).

 

Note: There is nothing hard coded in Qlik Sense server, you can modify it anyhow by disabling the default rules and write your own custom rules.

Please avoid alter or deletion of any default security rule in QMC. Disable concern security rule and make a new one for testing or production use.

 

Security to MasterObject or AppObject is the deepest or bottom level security.

.

There are some names I am taking for this exercise:

User: JARVIS

Stream: Jarvis to Stream

Application: Consumer_Sales (Default application comes with installation of Qlik Sense Desktop) which has 5 sheets.

Sheet: Budget Analysis (This sheet which will be visible to our user or set of users only)

AppObject: charts, dimensions, measures, stories etc.

For next step:  =>

 

Implementation Steps:

1.    Install Qlik Sense server on your machine(Use a dedicated user as service user). Verify its prerequisites and enable it  license then  you will find two desktop shortcuts which are QMC and HUB. Please use local administrator account for installation.

 

1.    Open QMC with service account(by which you installed QSE) and go to User Directory Connector and create a new connector, if Active directory is there in network, select add path of AD (active directory), => remove checked sign from sync user data from existing users => click okay and click on SYNC button. You will see all the user will show in USERS tab. If you want to add local server users to Qlik, just hit the MachineName/HUB URL from the concern user and the same user name with machine name as USER DIRECTORY will appear to USER TAB in QMC.

 

3. Go to Apps tab import your any application (.qvf file), I am importing Consumer Sales(which comes by default with installation of Qlik Sense Desktop and quite famous across everyone ).

 

4.1 Go to security tab and disable default STREAM rule, This stream says The user should see the resource if he/she has read access to the stream it is published to  means if any user or group of user has READ access to the stream then user will see all the Application and AppObjects(All resources) so if we try to restrict any user to any particular application or App Object ,it will always let user to see everything which comes in the stream. So by disabling it we are taking all the access from user to see anything in stream by default.

 

4.2.   Create a new stream with name "Stream for Jarvis" then click on apply => It will give you a warning in yellow color for  not to  basic securities then click on cancel for not to apply any security rule or user at this time.(Please verify in Security Rule tab that no custom stream security rule is not built automatically )

 

5. Go back to Apps tab, make a duplicate of your application(We generally first make duplicate then publish to any stream because once we publish we can’t do any changes or development on the same application ).We will use the same application which was duplicated to new one for reload, Here I am making duplicate of Consumer_Sales app and renaming it to Consumer_Sales to Jarvis and publish it to stream Stream or Jarvis.

 

6 Now login with JARVIS (with the concern user), you will see there is no stream with name Stream for Jarvis. So, what is the problem. Problem is, User JARVIS doesn't have connection with Stream for Jarvis. So, we will use custom properties to associate a user to resource(Stream) or I can say we need to write a security rule which will say JARVIS can see the stream Stream for Jarvis. For basic knowledge of custom properties

https://help.qlik.com/en-US/sense/3.1/Subsystems/ManagementConsole/Content/custom-properties-overvie...

 

7. Go to Custom Properties tab, Create new  with name StreamLevelManagment with resource type Stream and User and give any  sample  value like  Assistant to it and assign to concern user(JARVIS)  by going to USERS tab , select JARVIS and on right side you will find custom property option , click on it and  then click on the space bar and you will see that sample value or what I took Assistant is appearing there select it  and do the same exercise for stream(Stream for Jarvis) by going to stream tab.

 

Custom Property.PNG

8 Now our task is to map Stream for Jarvis to user JARVIS by creating new security rule (Stream Template) as :

 

((user.@StreamLevelManagement=resource.@StreamLevelManagement))

 

I am describing security rules in Basic and Advance mode both to be sure you will not confuse how to make rule in both of Modes.

 

Now login with user JARVIS, you will find Stream for Jarvis.

  stream.PNG

I am describing security rules in Basic and Advance mode both to be sure you will not confuse how to make rule in both of Modes.

 

Now login with user JARVIS, you will find Stream for Jarvis.

 

9. Go back to Administrator, create a new custom property AppLevelManagment with resource type User and Apps then give a sample value to it and assigned this custom property to concern Users and Apps which you have been created for this exercise to make JARVIS can see the concern application as:

 

((user.@AppLevelManagment=resource.@AppLevelManagment))

 

Note: In this document, I am not focusing on ACTIONS under security rules such create, delete, publish, change owner etc. You need to concern for actions when client ask for it like my first set of user ca edit or duplicate sheet and do self service and another set of user can't.

 

10. Now you will see Jarvis Can see particular application but with all the sheets, but our goal is, to restrict JARVIS to only one sheet, for that create another security rule with App.object template and configure as:

 

((user.name="Jarvis" ) and resource.name="Budget Analysis")

Above rues says , user JARVIS can see Sheet type object and object is Budget Analysis. Now, login with JARVIS, you will see Jarvis see "Budget Analysis" sheet only.

Important point: Above security rule will disable all the sheets and you will see only "Budget Analysis" sheet, it means those sheet which will be published by your Qlik site member in same application under community section will not be visible to you.

 

Now if you wana your user see only see "Budget Analysis" sheet and those sheets which is shared by other users(when any user has rights to edit and publish a base sheet ) so here you need to write just opposite condition of what is written above as:

((user.name="Jarvis" ) and resource.name != "KPI Dashboard" and and resource.name != "Sales & Margin Analysis" and resource.name != "Sales Analysis" and resource.name != "Sales Rep Performance" and  resource.published="true")

 

Don't be so happy on this stage, JARVIS is restricted to only one sheet out of 5 sheets but when you open "Budget Analysis" sheet, JARVIS can't see any charts or objects and invalid object error message will be coming on the place of charts.

 

Here, you have two ways,

1. All the charts will be visible on that restricted sheet("Budget Analysis").

2. You want to restrict your user to any chart particular chart and hide other charts to user(JARVIS).

 

1. All CHARTS VISIBLE TO USER ON RESTRICTED SHEET

Let’s take all the objects (charts, filters) are supposed be visible on the "Budget Analysis" Sheet.

Create a new security rule:

 

1. ((user.name="Jarvis" or resource.name="*" and resource.objectType!="sheet"))

 

Then

 

2. ((user.name="User1" and resource.objectType="sheet"))

 

By above set of two security rule this User1  or JARVIS will see all the sheets on which he has access.

 

Here you need to write the above rule every time for each user to say user can see all the objects rather sheet its better to go with below instruction:

 

Important Note: Create a new rule with AppObject as resource type:

 

((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.objectType != "sheet" and resource.app.stream.HasPrivilege("read"))

 

Now, user can see all the charts are visible. First mile stone has been achieved.

Above rule says , anyone who has access to stream and published application, he can view all the application objects except sheet and for sheet you may use POINT NO 10 instruction. This rule will work for all the users , you just need to tell which user can see which sheet and lets say there are other users who can see all the sheets , then you may write one more rule here :

 

 

Now, the complex one, what if your client say, I wana my user will restrict to a sheet or set of sheets but he or she can see only one chart on the sheet and rest of the chart will be invisible.

 

ONLY ONE CHART WILL BE VISIBLE:

After step 10, next step :

Write security rule which grant access of App Objects of this sheet to JARVIS, Create a new security rule and configure it as JARVIS will see only one chart present in BUDGET ANALYSIS, by writing the code as:

((resource.objectType="masterobject" or resource.name="Sales $ by Product Group (sorted by Budget $)" or resource.name="Sales $" or resource.name="Product"))

 

If you can notice, Now I have taken concern all object Chart Name, Measure and Dimension which made that concern chart as resource.name.

Now you can see JARVIS can view only Sales $ by Product Group (sorted by Budget $) chart and rest are coming as Invalid Objects.

 

Jarvis.PNG

Important Note: Once you configured a Qlik Site for security every time whenever you add new user you have to give access for stream, application and objects(Sheets or Charts) in short need to update the custom security rules in QMC. New user by default can't see anything except STREAM if you add it to any stream as we do generally.

 

JARVIS stands for Just A Rather Very Intelligent System

 

After finishing Qlik Sense Enterpise , QAP(Qlik Analytical Platform) comes in picture which is for external users where number of users are in hundred and your client doesn't  want buy hundred of token so QAP is the right solution which has core base licencing.

You may get all the information step wise on the following document: QAP (Qlik Analytical Platform)

 

For Dynamic Sheet Exception please refer below documents:

Dynamic Sheet Exception

Dynamic Sheet Exception With Stream and App Level Security

 

Reach to me if there is need of any clarification or need assistance with kumar.rohit1609@gmail.com

Add me on LinkedIn https://in.linkedin.com/pub/rohit-kumar/2b/a15/67b,  

Reach to me on Facebook at https://www.facebook.com/QlikIntellectuals

When applicable please mark the appropriate replies as ACCEPT AS SOLUTION and LIKE it. This will help community members and Qlik Employees know which discussions have already been addressed and have a possible known solution. Please mark threads as LIKE if the provided solution is helpful to the problem, but does not necessarily solve the indicated problem. You can mark multiple threads as LIKE if you feel additional info is useful to others.

Labels (1)
Comments
Not applicable

Hi

The below link will answer your question

https://qlikcommunity.qliktech.com/thread/241157

Partner
Partner

I tried it but all users can EDIT

please advise

0 Likes
Specialist III
Specialist III

Hi Ali,

Here is your solution,

Yes you must disable CreateAppObjectsPublishedApp

First create a new custom property with value User_Can_Edit_Content then assign two values , Yes and NO. and resource type is User only and create a new security rule with App Object template and then create new security rule as:

check the CREATE in action selection box with least Read.

((user.@User_Can_Edit_Content="Yes" or resource.objectType="sh

eet" and resource.name="Budget Analysis"))

Assign YES to all user who need to CREATE new sheets.

See I have just updated above document rule just to show you how to do it. Document is to restrict a user to one single sheet out of all. Now your user can create sheet and who donot have YES he or she can't.

Specialist III
Specialist III

Please mark the appropriate replies as CORRECT / HELPFUL so our team and other members know that your question(s) has been answered to your satisfaction.

0 Likes
Not applicable

Hi Rohit Kumar,

Thanks for your post and this is so helpful.

I am facing some sheet level control issues.

As we are having a lot of people under different user groups, is it possible to control a group instead of a person's name to see a specific sheet?

For example:

People under group 'Research' can see all 10 sheets,

while people under group 'General' can only see 9 sheets without 'sheet a'.

So in this case,  does it mean I need to write a default app.object security rule:

1.

user.@Group=resource.app.@Group or resource.objectType="sheet" and resource.name!="sheet a"

Then,

2. add another app.object security rule:

user.@Group="Research" or resource.objectType="sheet" and resource.name!="sheet a"

3. Add another app.object rule to enable all the measures and charts on "sheet a" ?

Looking forward to your reply.

Thank you!

Best Regatds,

Allison

0 Likes
Specialist III
Specialist III

HI Alison,

Yes it is very Easy I believe,

You may use now USER DIRECTORY while defining which user can see which App Object() , Lets say users comes under User directory INTERNAL can't see only BUDGET SHEET apart of other sheets only so it will be like:

((user.userDirectory="INTERNAL" or resource.objectType="sheet" and resource.name!="Budget Analysis"))

You can know the group of users by USER tab. Here is no group. Its Directory is the group.

See , You can use custom property too as

((user.@AccesstoSheet="First" or resource.objectType="sheet" and resource.name!="Budget Analysis"))

and assign AccesstoSheet="First" to those user which you want to restrict.

Please let me know if this not work so I will give you step wise solution.

Please mark the appropriate replies as CORRECT / HELPFUL so our team and other members know that your question(s) has been answered to your satisfaction.

Contributor
Contributor

Hi Rohit,

I managed to get sheet restricted to one group of users. However, the master objects are invalid thus the charts won't show. I've added resource.objectType="masterobject" but still it wouldn't show. Please help.


user in marketing team can only see Customer Analysis sheet while user in category team can see all sheets.

Resource filter: App.Object*

(resource.resourcetype="App" and resource.stream.HasPrivilege("read")) or

((resource.resourcetype = "App.Object") and

(resource.objectType="masterobject" or

(resource.objectType="sheet" and resource.name="Customer Analysis")) and

resource.app.stream.HasPrivilege("read") and (user.@Team="Marketing")) or

(user.@Team="Category" and resource.app.name="Sales & Inventory")

Many thanks.

0 Likes
Specialist III
Specialist III

Hi Strange Name person,

I try to understand you mentioned security rule.First, I don't know why you need to write so much complex security rule secondly I got your intention and you were trying:

Your sheet name is Customer Analysis.

Try it with a simple way as mentioned in document:

first write a App Object template rule as to restrict your marketing user to Customer Analysis :

((user.@Team="Marketing") or resource.objectType="sheet" and resource.name="Customer Analysis")

Now your marketing group can only see one sheet only now when you open it all the charts as INVALID

so again create one more App Object rule as:

Lets say ,your Customer Analysis sheet has 5 charts and one particular is ABC and this ABC charts has one dimension A1 and one measure B1

((resource.objectType="masterobject" or resource.name="ABC" or resource.name="A1" or resource.name="B1"))

See you can't make a chart visible by using chart name as master object , you must allow your user or group to access the dimension and measure

Now lets say you want your marketing group will see all the charts on sheet then write security rules as :

((resource.objectType="masterobject" or resource.name="*"))


Now I have put "*" to give access to all the charts.

Donot copy these rule and paste , try to write it on your server.

Whatever I have mentioned is written in document. Please take help by it and let me know there is any concern.

Please mark the appropriate replies as CORRECT / HELPFUL so our team and other members know that your question(s) has been answered to your satisfaction.

0 Likes
Partner
Partner

Hi,

please take a look at my thread here Qlik Sense security rule problem

It looks correctly but it doesn't works as expected.

how can I disable create app objects for all users except only one or two of them ?

many thanks in advance.

BR

Andrea

0 Likes
Partner
Partner
0 Likes
Version history
Revision #:
6 of 6
Last update:
‎2019-11-25 08:39 AM
Updated by: