Qlik Community


Sheet or App Object Level Security Qlik Sense

rohitk1609
Valued Contributor II

Hi Techies,

Qlik Sense ships with many resource security features, such as stream and application security for a user or group of users. For sheet-level security, however, there is no document on the community that walks through a resource security implementation step by step from start to finish.

The Qlik Sense security hierarchy is: Stream => Application => App Object (sheet, chart, dimension and measure)

My goal is to restrict a user to a particular Stream => Application => Sheet => Chart (set of charts).

Nothing is hard-coded in the Qlik Sense server: you can change its behavior by disabling the default rules and writing your own custom rules.

Security on a MasterObject or AppObject is the deepest (bottom) level of security.

The names used in this exercise:

User: JARVIS

Stream: Jarvis to Stream

Application: Consumer_Sales (the default application that comes with the installation of Qlik Sense Desktop), which has 5 sheets.

Sheet: Budget Analysis (the sheet that will be visible only to our user or set of users)

AppObject: charts, dimensions, measures, stories, etc.

Implementation Steps:

1. Install Qlik Sense server on your machine (use a dedicated user as the service user) and enable it with a Qlik Sense Enterprise license. You will find two desktop shortcuts, QMC and HUB. Use the local administrator account for the installation. Avoid any other account that has administrator rights but is not a local administrator: when you give administrator privileges to a user, the account acts like an administrator but does not become a full administrator (some of the properties remain pending).

2. Open QMC with the administrator credentials (the account you used for installation), go to User Directory Connector and create a new connector. If there is an Active Directory in the network, add the path of the AD (Active Directory) => remove the check mark from "sync user data from existing users" => click OK and click the SYNC button. All the users will then show in the USERS tab. If you want to add local server users to Qlik, just open the MachineName/HUB URL as the user concerned, and that user name, with the machine name as USER DIRECTORY, will appear in the USERS tab in QMC.

3. Go to the Apps tab and import any application (.qvf file). I am importing Consumer_Sales (which comes by default with the installation of Qlik Sense Desktop and is familiar to everyone).

4.1 Go to the security tab and disable the default STREAM rule. This rule says "The user should see the resource if he/she has read access to the stream it is published to", which means that any user or group of users with READ access to the stream sees all the applications and AppObjects (all resources) in it. So if we try to restrict a user to a particular application or App Object while this rule is enabled, the user will still see everything in the stream. By disabling it, we take away the user's default access to everything in the stream.

4.2 Create a new stream with the name "Stream for Jarvis", then click Apply => a yellow warning about basic security appears; click Cancel so that no security rule or user is applied at this time.

5. Go back to the Apps tab and make a duplicate of your application (we generally duplicate first and then publish to a stream, because once an application is published we can't make any changes or do development on it). We will use the same application that was duplicated into the new one for reloads. Here I am duplicating the Consumer_Sales app, renaming it to "Consumer_Sales to Jarvis" and publishing it to the stream "Stream for Jarvis".

6. Now log in as JARVIS (the user concerned). You will see that there is no stream named "Stream for Jarvis". So what is the problem? The problem is that user JARVIS has no connection to "Stream for Jarvis". We will use custom properties to associate the user with the resource (stream); in other words, we need to write a security rule that says JARVIS can see the stream "Stream for Jarvis". For basic knowledge of custom properties, see:

https://help.qlik.com/en-US/sense/3.1/Subsystems/ManagementConsole/Content/custom-properties-overvie...

7. Go to the Custom Properties tab and create a new custom property named StreamLevelManagment with resource types Stream and User, and give it any sample value, such as Assistant. Assign it to the user concerned (JARVIS): go to the USERS tab, select JARVIS, click the custom property option on the right side, then press the space bar, and the sample value (Assistant in my case) will appear; select it. Do the same for the stream ("Stream for Jarvis") from the stream tab.

8. Now our task is to map "Stream for Jarvis" to user JARVIS by creating a new security rule (Stream template) as:

((user.@StreamLevelManagment=resource.@StreamLevelManagment))

I am describing the security rules in both Basic and Advanced mode so that you are not confused about how to create a rule in either mode.

Now log in as user JARVIS; you will find "Stream for Jarvis".
9. Go back to the administrator account and create a new custom property AppLevelManagment with resource types User and Apps, then give it a sample value and assign this custom property to the users and apps you created for this exercise. Then create a security rule so that JARVIS can see the application concerned:

((user.@AppLevelManagment=resource.@AppLevelManagment))

Note: In this document, I am not focusing on the ACTIONS under security rules, such as create, delete, publish, change owner, etc. Actions become a concern when a client asks for them, for example when one set of users can edit or duplicate a sheet and do self-service and another set of users can't.

10. Now you will see that JARVIS can see the particular application, but with all the sheets. Our goal is to restrict JARVIS to only one sheet, so create another security rule with the App.Object template and configure it as:

((user.name="Jarvis" ) and resource.name="Budget Analysis")

The above rule says that user JARVIS can see a sheet-type object and that the object is Budget Analysis. Now log in as JARVIS, and you will see that JARVIS sees only the "Budget Analysis" sheet.

Important point: The above security rule disables all the other sheets and you will see only the "Budget Analysis" sheet. This means that sheets published by your Qlik site members in the same application under the community section will not be visible to you.

If you want your user to see only the "Budget Analysis" sheet plus the sheets shared by other users (when a user has rights to edit and publish a base sheet), you need to write just the opposite condition of the one above:

((user.name="Jarvis" ) and resource.name != "KPI Dashboard" and resource.name != "Sales & Margin Analysis" and resource.name != "Sales Analysis" and resource.name != "Sales Rep Performance" and resource.published="true")

Don't be too happy at this stage. JARVIS is restricted to only one sheet out of 5, but when JARVIS opens the "Budget Analysis" sheet, no charts or objects are visible and an invalid object error message appears in place of the charts.

Here you have two options:

1. All the charts are visible on the restricted sheet ("Budget Analysis").

2. You restrict your user (JARVIS) to one particular chart and hide the other charts.

1. ALL CHARTS VISIBLE TO USER ON RESTRICTED SHEET

Let's say all the objects (charts, filters) are supposed to be visible on the "Budget Analysis" sheet.

Create a new security rule:


1. ((user.name="Jarvis" and resource.name="*" and resource.objectType!="sheet"))


Then


2. ((user.name="User1" and resource.objectType="sheet"))


With the above set of two security rules, User1 or JARVIS will see all the sheets to which he has access.
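Why the choice between `and` and `or` in the per-user object rule matters, as an added example (a Python model, not Qlik code and not part of the original document). It models inclusive evaluation, where access is denied unless at least one rule grants it; the user "User2", the object list, the treatment of `resource.name="*"` as "any name", and `and` binding tighter than `or` are assumptions.

```python
# Model of inclusive rule evaluation: deny unless at least one rule grants.
# Not Qlik code; each predicate is a hand translation of a rule condition.

# Constructed sample objects for the Consumer_Sales app (assumed types).
OBJECTS = [
    {"name": "Budget Analysis", "objectType": "sheet"},
    {"name": "KPI Dashboard", "objectType": "sheet"},
    {"name": "Sales $ by Product Group (sorted by Budget $)",
     "objectType": "masterobject"},
    {"name": "Sales $", "objectType": "measure"},
]

def sheet_rule(user, res):
    # Step 10: ((user.name="Jarvis") and resource.name="Budget Analysis")
    return user == "Jarvis" and res["name"] == "Budget Analysis"

def objects_rule_and(user, res):
    # user.name="Jarvis" and resource.name="*" and resource.objectType!="sheet"
    # Assumption: resource.name="*" matches every name, so it is omitted here.
    return user == "Jarvis" and res["objectType"] != "sheet"

def objects_rule_or(user, res):
    # user.name="Jarvis" or resource.name="*" and resource.objectType!="sheet"
    # Assumption: "and" binds tighter than "or", as it does in Python.
    return user == "Jarvis" or res["objectType"] != "sheet"

def visible(user, rules):
    """Names of the objects for which at least one rule grants access."""
    return [o["name"] for o in OBJECTS if any(r(user, o) for r in rules)]

def audit(rules, users=("Jarvis", "User2")):
    """Map each user to the objects the rule set exposes to them."""
    return {u: visible(u, rules) for u in users}

if __name__ == "__main__":
    for label, rules in (("and", [sheet_rule, objects_rule_and]),
                         ("or", [sheet_rule, objects_rule_or])):
        print(label, audit(rules))
```

With `and`, only Jarvis gains the non-sheet objects and the second sheet stays hidden; with `or`, Jarvis sees every object and every other user is granted all non-sheet objects.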


You would need to write the above rule every time, for each user, to say that the user can see all objects other than sheets, so it is better to go with the instruction below:


Important Note: Create a new rule with AppObject as resource type:


((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.objectType != "sheet" and resource.app.stream.HasPrivilege("read"))


Now the user can see that all the charts are visible. The first milestone has been achieved.

The above rule says that anyone who has access to the stream and the published application can view all the application objects except sheets; for sheets you may use the instruction in point 10. This rule works for all users. You just need to say which user can see which sheet, and if there are other users who can see all the sheets, then you may write one more rule here:



Now the complex one: what if your client says, "I want my user restricted to a sheet or set of sheets, but he or she should see only one chart on the sheet, and the rest of the charts should be invisible"?


ONLY ONE CHART WILL BE VISIBLE:

After step 10, the next step is:

Write a security rule that grants JARVIS access to the App Objects of this sheet. Create a new security rule and configure it so that JARVIS will see only one chart present in BUDGET ANALYSIS, by writing the condition as:

((resource.objectType="masterobject" or resource.name="Sales $ by Product Group (sorted by Budget $)" or resource.name="Sales $" or resource.name="Product"))

As you may notice, I have now included as resource.name every object that makes up the chart concerned: the chart name, the measure and the dimension.

Now you can see that JARVIS can view only the "Sales $ by Product Group (sorted by Budget $)" chart, and the rest appear as invalid objects.

Important Note: Once you have configured a Qlik site for security, every time you add a new user you have to give access to the stream, application and objects (sheets or charts); in short, you need to update the custom security rules in QMC. By default, a new user can't see anything except the STREAM, if you add the user to a stream as we generally do.

JARVIS stands for Just A Rather Very Intelligent System

After Qlik Sense Enterprise, QAP (Qlik Analytical Platform) comes into the picture. It is for external users, where the number of users is in the hundreds and your client doesn't want to buy hundreds of tokens, so QAP, which has core-based licensing, is the right solution.

You may get all the information step wise on the following document: QAP (Qlik Analytical Platform)

For Dynamic Sheet Exception please refer below documents:

Dynamic Sheet Exception

Dynamic Sheet Exception With Stream and App Level Security

Reach out to me at kumar.rohit1609@gmail.com if you need any clarification or assistance.

Follow me on Qlik Community https://community.qlik.com/reputation.jspa?username=rohitk1609 for more important Qlik or BI related documents. Follow my profile on LinkedIn https://in.linkedin.com/pub/rohit-kumar/2b/a15/67b

To chat about any problem, follow me here, which enables me to start a chat where I can understand your use case better and provide a solution instantly.

Please add your ratings, suggestions, compliments and questions, which let me know how my document is helping you and help improve the quality of the document.

Comments
zssmith1
New Contributor

RE: https://qlikcommunity.qliktech.com/docs/DOC-18066

In your post where you have already given Jarvis access to the sheet but there are no objects on it, you then modify the security rule to be:

((user.name="Jarvis" or resource.objectType="sheet" and resource.name="Budget Analysis") or (user.name="Jarvis" or resource.objectType="masterobject" or resource.name="*"))


My question is, doesn't the 1st part of the rule, say just access sheet Budget Analysis, see underlined portion:

((user.name="Jarvis" or resource.objectType="sheet" and resource.name="Budget Analysis")


And then the 2nd part, seems to counteract the 1st rule by saying Jarvis can have access to all sheets, see underlined portion:

user.name="Jarvis" or resource.objectType="masterobject" or resource.name="*"


This is where I am confused here.  Also, if you have 2 security rules where 1 says grant access and the other says don't grant access, is it still the default of Sense to use the rule that grants the access?


Thanks,

rohitk1609
Valued Contributor II

Hi Sean,

Both of your questions are very logical. I am answering them one by one, starting with your second question:

I believe that if you create one security rule to grant access and one to restrict access to a particular object, then the grant access rule will be the acting security rule, or the grant access security rule will come out on top.

Now,

Yes, you are right, the second statement was contradicting the first one, so I updated the blog and now I am restricting JARVIS to one application, to one sheet, to one chart. The point here is, you can show or view a chart by writing only resource.name="Chart Name"; you must write code or a rule for the chart's measures and dimensions, otherwise the chart will not be visible.

I really appreciate you came with question. Please keep posting your views and Questions , It will lead me to improve the quality of the document.

zssmith1
New Contributor

Thanks for the update.  Are you able to restrict 1 sheet in an app so it is not visible to all users?  For example, we have a sheet called, “Config” and the only users who could see that sheet had a custom property of “Developer” associated to their user id and / or their role was Root Admin.  Please let me know your thoughts here and thank you!

rohitk1609
Valued Contributor II

Hi Sean,

In the published document I have done almost the same thing. There I restricted one sheet to one user, and what you are concerned with is hiding one sheet from one user or one set of users. So what you need to do is make a group of those users, as Executives, in Active Directory and write the security rule as:

(user.name="Executives" or resource.objectType="sheet" and resource.name!="Config")

Now the Executives group won't view the sheet named Config. I have used != to restrict the user or group from the sheet.

Sheet-level restriction is not possible with a custom property only, because, as you can see, when you create a custom property you don't see Apps Object or Sheet there. So you may create a new security rule; Apps Object has the sheet type as a resource type, and then you write the rule

Now, talking about roles: a role only works for QMC, not the Hub. Confused? You will find different types of roles; roles restrict the user in QMC, not on the HUB. So no matter if your user is root admin, he or she won't see anything except the monitoring apps. You may do the whole exercise in my document for root admin too.

ali_hijazi
Honored Contributor

so now I got a dashboard with section access

there are two sheets (sheet 1 and sheet 2)

a group of users is supposed to see sheet 1

another group is supposed to see sheet 2

no one can see both sheets

what is the easiest configuration?

those security rules are too complicated

please advise as the QVF file is to be published to a stream that is seen only by the users defined in the section access

rohitk1609
Valued Contributor II

Hi Ali,

I appreciate you raised your question to me.

First of all , in the above document you have to follow 1 to 9 step to achieve your goal.

What you need to change is in the 9th step: when you create the custom property AppLevelManagment as per step 9, add two values there, let's say Manager and Associate, then assign Manager to the first user and first application and Associate to the second user and second application, following the steps mentioned in the document. You will achieve your goal easily.

ali_hijazi
Honored Contributor

so you mean I give the App the two values of the customer property and assign one value of this same custom property to each group of users?

ali_hijazi
Honored Contributor

and what about the rest of the sheets that both group of users can see ; do they need to have custom properties?

rohitk1609
Valued Contributor II

Hi Ali,

Let's say there is a user who needs to see both of the applications. Assign both values of the custom property to that user: go to USERS, double-click the USER NAME, and on the right side you will find the custom property option. When you click on it, you will find the same custom property name, AppLevelManagment, which you created for applications and users. Then select both values from the drop-down; here the two values are the one you assigned to app1 and the other you assigned to app2. Keep following steps 1 to 9 carefully. Every step is mandatory. Here you are defining which user will see which app, and by following this comment you have defined that the user concerned will see both applications.

ali_hijazi
Honored Contributor

Hello

I'm having another challenge but i'm unable to accomplish

the requirement says that the EDIT button should be disabled to all users except for those who got the value YES for the custom property User_Can_Edit_Content

I disabled the default security rule CreateAppObjectsPublishedApp

and now no one can see the EDIT button on a published app

now how can I enable this button for only users who got YES for User_Can_Edit_Content custom property?

Please advise

Version history: Revision 1 of 1. Last update: 02-02-2017 02:16 AM