Qlik Community

QlikSense Sheet Level Security - QMC Security Rules

bef
New Contributor

When utilizing QlikSense, Sheet Level Security can be achieved through Security Rules via the QMC.

Background:

My suggested approach to implementing Sheet Level Security is to create four new Security Rules after disabling the default rules.  It involves a User Directory with properties for the Company, Application, and Sheets.  Custom properties in the QMC will need to be created to contain the same User Directory property values.

Custom properties are created in the QMC and assigned to the individual Applications and Streams.  This allows for a general approach to handling an expanding list of Companies and their various Applications.  As the number of Applications and Companies grows, the User Directory Properties and Custom Properties will both need to be updated to grant access to the new applications and the applications' sheets.

**Note:** Please disable the default rules; do not delete them.

The security rule to disable is the Stream rule:

Rule Name = Stream

Resource Filter = App*

In the example below, I am utilizing a user directory that has user properties.  It identifies an individual directory to apply the security rules to.  If you have multiple user directories, you will need to include them in the rule or create separate rules for them.

Create four new rules for Streams, Applications, Sheets, and Non-Sheet Application Objects.

1) Rule for Streams

    1. Filter = Stream_*
    2. Suggested Logic = Identify a group of QlikSense Users who meet the criteria to access the stream.
      1. Users must belong to an identified User Directory
      2. Users must have the user property of Company that matches the Custom Property (Company) assigned to the stream

((

user.userDirectory="Specific User Group"

and user.company=resource.@Company

))

2) Rule for Applications

    1. Filter = App_*
    2. Suggested Logic = Identify a group of QlikSense Users who meet the criteria to access the applications.
      1. Users must have the user property of Company that matches the Custom Property (Company) assigned to the application.
      2. Users must have the user property of applications that matches the Custom Property (Applications) assigned to the application
      3. User must have Read Permission to the stream the application is in

((

resource.resourcetype = "App"

and user.userDirectory="Specific User Group"

and user.company=resource.@Company

and user.applications=resource.@Applications

and resource.stream.HasPrivilege("read")

))

3) Rule for Sheets

    1. Filter = App.Object_*
    2. Suggested Logic = Identify a group of QlikSense Users who meet the criteria to access the sheets.
      1. The Object must be a sheet
      2. The Users must have the user property of sheets that matches the Sheet Name

((

user.userDirectory="Specific User Group"

and resource.objectType="sheet"

and user.sheets=resource.name

))


4) Rule for Non-Sheet Application Objects

    1. Filter = App.Object_*
    2. Suggested Logic = Identify a group of QlikSense Users who meet the criteria to access the other application objects.
      1. The Object Must not be a sheet (Explicitly exclude sheet to ensure Rule above will work)
      2. The Objects you want the user to access must be included in the 'or' section
      3. Excluding an Object Type will exclude access
      4. Using 'resource.objectType!=' will also exclude an Application Object

((

user.userDirectory="Specific User Group"

and resource.objectType!="sheet"

and (

resource.objectType="appprops"

or resource.objectType="bookmark"

or resource.objectType="dimension"

or resource.objectType="embeddedsnapshot"

or resource.objectType="GenericVariableEntry"

or resource.objectType="listbox"

or resource.objectType="masterobject"

or resource.objectType="measure"

or resource.objectType="snapshot"

or resource.objectType="story"

)

))
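
An added illustration (not part of the original post, and written in Python rather than Qlik rule syntax) of how the Sheet and Non-Sheet Application Object conditions evaluate, and why the object types in the 'or' section need to be grouped under the user directory check. It assumes `and` binds tighter than `or`; the users, the `OTHER_DIRECTORY` name and the sheet titles are constructed.

```python
# Added illustration, not Qlik code: Python model of the page's rules 3 and 4.
# Assumes 'and' binds tighter than 'or', as it does in Python.
from dataclasses import dataclass, field

DIRECTORY = "Specific User Group"  # placeholder directory name from the page
ALLOWED_TYPES = {"appprops", "bookmark", "dimension", "embeddedsnapshot",
                 "GenericVariableEntry", "listbox", "masterobject",
                 "measure", "snapshot", "story"}

@dataclass
class User:
    user_directory: str
    sheets: set = field(default_factory=set)  # assumed multi-valued property

@dataclass
class AppObject:
    object_type: str
    name: str = ""

def sheet_rule(user, res):
    """Rule 3: object is a sheet whose name matches the user's sheets property."""
    return (user.user_directory == DIRECTORY
            and res.object_type == "sheet"
            and res.name in user.sheets)

def non_sheet_ungrouped(user, res):
    """Rule 4 with ungrouped 'or' terms: only the first term is tied to the directory."""
    return (user.user_directory == DIRECTORY
            and res.object_type != "sheet"
            and res.object_type == "bookmark"
            or res.object_type == "appprops"
            or res.object_type == "measure")  # other types omitted for brevity

def non_sheet_grouped(user, res):
    """Rule 4 with the allowed object types grouped under the directory check."""
    return (user.user_directory == DIRECTORY
            and res.object_type != "sheet"
            and res.object_type in ALLOWED_TYPES)

def can_read(user, res, non_sheet_rule=non_sheet_grouped):
    """Access is granted when any enabled rule evaluates to true."""
    return sheet_rule(user, res) or non_sheet_rule(user, res)

# Constructed sample users (names and sheet titles are made up)
insider = User(DIRECTORY, {"Sales Overview"})
outsider = User("OTHER_DIRECTORY", {"Sales Overview"})

if __name__ == "__main__":
    for rule in (non_sheet_ungrouped, non_sheet_grouped):
        print(rule.__name__, can_read(outsider, AppObject("measure"), rule))
```

When reviewing rules in the QMC, a quick check is to audit access with a test user from a directory the rule is not meant to cover and confirm that no non-sheet objects are returned.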

Comments
korsikov
Valued Contributor II

Nice and clear. Now try to modify the rule to give access to sheets on different apps.

bef
New Contributor

Hi alexander korsikov,

For the written approach, I went with a top-down approach.

Stream then App then Sheet then Non Sheet Application Object.

For your approach, I would go Bottom Up.

Sheet then App then Stream

The rules would establish application access based on the sheet name due to not knowing which exact application or streams those Sheets exist in.

Note: .HasPrivilege("read") on the Application and Stream would be removed or returned true when the Application contains one or more of the Sheets.

The following logic would be what determines the application and stream access.

resource.objectType="sheet"

and user.sheets=resource.name

mahitham
Contributor

Hi bef,

Could you please explain how many custom properties need to be created, and with what resource type?

Is this user property the custom property name, with the values Company, Application, and Sheets?

What resource type needs to be selected for this user property? Please let me know.


Thanks in advance.

Version history
Revision #: 1 of 1
Last update: 03-31-2017 03:43 PM
Updated by: bef