Qlik Community

Qlik Sense Governed Self-Service

Discussion board where members can learn more about Qlik Sense deployments which are governed and self-service.

Vegar
Valued Contributor

Allow TeamAdmin to publish and replace apps in QlikGroup-streams

How should I go forward to allow the Team Admin to publish application to replace an existing app.

When my TeamAdmin tries to do that she gets  "The operation failed due to insuffient privleges.

My guess is that there is something wiht the: user.group=resource.@QlikGroup

in the rule:_gss – TeamAdmin Read Rights

That is causing the trouble.

Any suggestions?

Tags (2)
6 Replies
Vegar
Valued Contributor

Re: Allow TeamAdmin to publish and replace apps in QlikGroup-streams

I get the impression that it is the App.Objects that causes this issue. App objects do not have custom properties attached to them.

What do you guys think about this rule?

Resource filter: App.Object_*

Actions: Update

Condition:

(

  user.group ="Qlik_Role_TeamAdmin") and

  (

    user.group=resource.app.stream.@QlikGroup and

    user.@QlikGroup=resource.app.@QlikGroup

  )

)

What I am trying to do is to allow updates to all App.Objects where the object lies in a app and stream with the correct QlikGroup custom property.

Not applicable

Re: Allow TeamAdmin to publish and replace apps in QlikGroup-streams

@vegar, Apps or app objects?  Making it possible to publish apps for a team admin is a function of clicking the publish action in a security rule. You are correct that app objects do not get to use custom props.  What kind of app objects are you trying to publish?  Sheets, Stories, dims and measures?  Have you looked at QMC Utilities? https://github.com/eapowertools/QlikSenseQMCUtility

Vegar
Valued Contributor

Re: Allow TeamAdmin to publish and replace apps in QlikGroup-streams

Thank you for the reply jog

No I have only briefly been able to look into the QMC Utilities, but I don't think the QMC utilities will affect this issue.

My team admin have no problems publishing new apps to a stream, the problem occur when trying to re-publish an app into a stream.

Example:

  1. The developer creates a new app called MyHR
  2. The TeamAdmin publish the app to the HR stream. No problem
  3. The TeamAdmin publish the app to replace the recently published MyHR app in the HR stream. The operation failed due to insuffient privleges.


My guess/impression is that you need to update App.Objects in order to republish an app.


The TeamAdmin Read Rights rule found in the iPortal-project is defined as below.

_gss – TeamAdmin Read Rights

  • Actions: Create, Read, Update, Delete, Export, Publish
  • Resource filter: Stream*, App*, ReloadTask*, SchemaEvent*, Tag*, CompositeEvent*, ExecutionResult*, CustomProperty*
  • Conditions:  user.group="QlikTeamAdmin" and user.group=resource.@QlikGroup
  • Context: Only in QMC
  • Tags: Custom Rule


It do include both the Update-action and the App* resource filter, but the condition, user.group=resource.@QlikGroup, wont be valid for any App.Object because App.Objects do not have any QlikGroup custom property associated values. Thats why it is impossible to Re-publish an application as a team admin.


To solve this I believe we need to add a special rule for TeamAdmin handling App.Objects. The security rule I wrote in my previous comment i an attempt to write a complementary rule that should work together with both the TeamAdmin Read Righs, TeamAdmin QMC Sections and TeamAdmin Create Rights activated.


Is the TeamAdmin in your GSS setup allowed to republish apps? If so, do you use a different security rule setup than the iPortal- setup?


Cheers

Vegar


Not applicable

Re: Allow TeamAdmin to publish and replace apps in QlikGroup-streams

@Vegar, Sorry for the late reply.  This is a good catch.  Let's ask bpn‌ and rtz‌ and see what they say.

Not applicable

Re: Allow TeamAdmin to publish and replace apps in QlikGroup-streams

Hi Vegar

I'm dealing with the same issue Have you found a solution?

Not applicable

Re: Allow TeamAdmin to publish and replace apps in QlikGroup-streams

Ariel,

I do want to point out the GSS rules are a guideline and not the solution.  If you want to enable a user to have publish capabilities in specific streams that is totally possible.  That said, we do need to have a look at the rule and see if we can provide better guidance.