swapnilrodge
Contributor

Limited QMC Access

Hi All,

We would like to give a few users limited access to the QMC. Below is the requirement.

1. Users can see only Apps section in QMC

2. They can see those apps which are present under the stream on which they have access. Example: User has access to streams 'ABC' and 'XYZ'. Both the streams have 5 apps saved under them. Thus users can see total 10 apps from QMC.

3. Users can publish, import, export, duplicate and change the owner of these 10 apps from QMC.

How can we achieve this from QMC? I don't want to give them Root admin or Content admin access as it gives almost complete access of QMC.

Thanks !!!

3 Replies
jwjackso
Specialist III

The first part is easy, create a security rule with:

Resource filter:  QmcSection_App  

Actions: Read

Conditions: Assign users or group

Context: Only in QMC

This gives the users access to the App menu in the QMC. At this point they should only see apps that they have access to. If they own an app and have appropriate access to streams, they can do everything you want except change owner.

To have all the requests that you want for applications that they don't own, will require more security rules.  We have tested using the custom properties and are waiting for permission to migrate our new security rules to our development and production environments.

Changing the owner is a bit tricky because they will need access to the user directory.  A simpler solution is to duplicate the app and publish over the existing app.

swapnilrodge
Contributor

Hi,

Thanks for the quick reply.

Could you please explain how you have implemented the below part in your environment?

"To have all the requests that you want for applications that they don't own, will require more security rules.  We have tested using the custom properties and are waiting for permission to migrate our new security rules to our development and production environments."

Thanks !!!

jwjackso
Specialist III

Our goal evolved.  Initially it was to grant access using custom properties.  Then we also wanted to restrict access to which application a user could view within a stream.  We use Active Directory for authentication and these rules were created in a Feb 2019 environment.

Custom properties:

ADGroup  (Apps,Streams) - the values are the names of the AD groups that are used to grant access to Qlik.  If we want to just limit access to a stream, the custom property is added to the stream.  If we want to limit access to an application within a stream, the custom property is added to the stream and the application.

Developer (Users) - the values are the AD groups that are used to grant access to Qlik.  These are added to the users that are developers.  The combination of developer custom property and stream/app custom property determines which apps you can edit/delete/duplicate/export and which streams you can publish to.

UserType (Users) - Only 1 value right now, Scheduler. We have some developers that we allow to create tasks.

Security Rules:

Disable the delivered rule: Stream

New Security Rules:  I found it easier to audit and validate the rules when I separated some rules by Context.  The *Default rules control access to applications that do not have a custom property.  The *Exception rules control access to applications that have a custom property assigned.

NEWRULE_AppLimiteUserDefault:

Resource Filter: App*

Actions: Read

Conditions:

(resource.resourcetype = "App" and resource.@ADGroup.empty() and resource.stream.@ADGroup = user.group) and (resource.resourcetype = "App" and !resource.stream.empty())

Context: Only in hub

 

NEWRULE_AppLimitedUseException:

Resource Filter: App*

Actions: Read

Conditions:

(resource.resourcetype = "App" and !resource.@ADGroup.empty() and resource.@ADGroup = user.group) and (resource.resourcetype = "App" and !resource.stream.empty())

Context: Only in hub

 

NEWRULE_AppLimitedUseQMCDefault:

Resource Filter: App*

Actions: Read

Conditions:

(resource.resourcetype = "App" and resource.@ADGroup.empty() and resource.stream.@ADGroup=user.@Developer) and (resource.resourcetype = "App" and !resource.stream.empty())

Context: Only in QMC

 

NEWRULE_AppLimitedUseQMCException:

Resource Filter: App*

Actions: Read

Conditions:

(resource.resourcetype = "App" and !resource.@ADGroup.empty() and resource.@ADGroup=user.@Developer) and (resource.resourcetype = "App" and !resource.stream.empty())

Context: Only in QMC

 

NEWRULE_AppObjectAccess:

Resource Filter: App.Object_*

Actions: Read

Conditions:

(resource.resourcetype = "App.Object" or
resource.objectType = "app_appscript" or
resource.objectType = "loadmodel") and
resource.published ="true"

Context: Both in hub and QMC

 

NEWRULE_CreateTask:

Resource Filter: ReloadTask*,SchemaEvent*,CompositeEvent*

Actions: Create

Conditions: ((user.@UserType="Scheduler"))

Context: Only in QMC

 

NEWRULE_DeleteExport:

Resource Filter: App*

Actions: Delete, Export, Export data

Conditions: ((user.@Developer=resource.stream.@ADGroup))

Context: Both in hub and QMC

 

NEWRULE_DeveloperQmcAppsMenu:

Resource Filter: QmcSection_App

Conditions: ((user.group like "001EDW_*Developer"))

Context: Only in QMC

 

NEWRULE_DuplicateAppDefault:

Resource Filter: App*

Actions: Publish, Duplicate

Conditions:

((resource.stream.@ADGroup=user.@Developer and resource.resourcetype="App" and resource.@ADGroup.empty()))

Context: Both in hub and QMC

 

NEWRULE_DuplicateAppException:

Resource Filter: App*

Actions: Publish, Duplicate

Conditions:

((resource.@ADGroup=user.@Developer and  resource.stream.@ADGroup=user.@Developer and resource.resourcetype="App" and !resource.@ADGroup.empty()))

Context: Both in hub and QMC

 

NEWRULE_ReloadTaskDefault:

Resource Filter: ReloadTask*,SchemaEvent*,CompositeEvent*,ExecutionResult*

Actions: Read, Update, Delete

Conditions:

((user.@UserType="Scheduler")) and
((resource.resourcetype="ReloadTask" and
resource.app.stream.@ADGroup=user.@Developer and
resource.app.@ADGroup.Empty()) or
(resource.resourcetype = "SchemaEvent" or resource.resourcetype = "CompositeEvent"))

Context: Only in QMC

 

NEWRULE_ReloadTaskException:

Resource Filter: ReloadTask*,SchemaEvent*,CompositeEvent*,ExecutionResult*

Actions: Read, Update, Delete

Conditions:

((user.@UserType="Scheduler")) and
((resource.resourcetype="ReloadTask" and
resource.app.stream.@ADGroup=user.@Developer and
!resource.app.@ADGroup.Empty() and resource.app.@ADGroup = user.@Developer) or
(resource.resourcetype = "SchemaEvent" or resource.resourcetype = "CompositeEvent"))

Context: Only in QMC

 

NEWRULE_SchedulerQMCTasksMenu:

Resource Filter: QmcSection_Task,QmcSection_ReloadTask,QmcSection_Event,QmcSection_SchemaEvent,QmcSection_CompositeEvent

Actions: Read

Conditions: !user.IsAnonymous() and ((user.@UserType="Scheduler"))

Context: Only in QMC

 

NEWRULE_Stream:

Resource Filter: Stream_*

Actions: Read

Conditions: ((user.group=resource.@ADGroup))

Context: Only in hub

 

NEWRULE_StreamPublish:

Resource Filter: Stream_*

Actions: Publish

Conditions: ((resource.@ADGroup=user.@Developer))

Context: Both in hub and QMC

 

NEWRULE_StreamQMC:

Resource Filter: Stream_*

Actions: Read

Conditions: ((resource.@ADGroup=user.@Developer))

Context: Only in QMC

 

NEWRULE_UpdateAppDefault:

Resource Filter: App*

Actions: Update

Conditions:

((resource.resourcetype = "App" and resource.@ADGroup.empty() and resource.stream.@ADGroup=user.@Developer and !resource.stream.empty()))

Context: Both in hub and QMC

NEWRULE_UpdateAppException:

Resource Filter: App*

Actions: Update

Conditions:

((resource.resourcetype = "App" and !resource.@ADGroup.empty() and resource.@ADGroup=user.@Developer and !resource.stream.empty()) )

Context: Both in hub and QMC
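
Added example, not part of jwjackso's post and not Qlik code: a small Python model of the QMC-context App rules above (the QMCDefault/QMCException Read pair and the DuplicateApp Default/Exception pair), useful for auditing the effective access matrix before the rules are migrated. It assumes rules are additive, that `=` on multi-valued properties is true when any value matches, and it ignores the delivered rules; the group names, users and apps are constructed.

```python
# Added example: models the QMC-context App rules quoted in the post above.
# Assumption: "=" on multi-valued properties is true when any value matches.
def eq(a, b):
    return bool(set(a) & set(b))

def qmc_read(user, app):
    """NEWRULE_AppLimitedUseQMCDefault OR NEWRULE_AppLimitedUseQMCException."""
    stream = app["stream"]
    if stream is None:                    # !resource.stream.empty()
        return False
    if not app["ADGroup"]:                # Default: app has no ADGroup value
        return eq(stream["ADGroup"], user["Developer"])
    return eq(app["ADGroup"], user["Developer"])  # Exception: app-level ADGroup

def publish_duplicate(user, app):
    """NEWRULE_DuplicateAppDefault OR NEWRULE_DuplicateAppException."""
    stream = app["stream"]
    if stream is None or not eq(stream["ADGroup"], user["Developer"]):
        return False                      # both rules require the stream match
    return not app["ADGroup"] or eq(app["ADGroup"], user["Developer"])

def access_matrix(users, apps):
    """Map (user, app) -> (QMC Read, Publish/Duplicate) under the modelled rules."""
    return {(u, a): (qmc_read(users[u], apps[a]),
                     publish_duplicate(users[u], apps[a]))
            for u in users for a in apps}

# Constructed sample data: one stream, two developers, three apps.
FINANCE = {"ADGroup": {"GRP_Finance"}}
USERS = {
    "alice": {"Developer": {"GRP_Finance"}},
    "bob": {"Developer": {"GRP_HR"}},
}
APPS = {
    "Sales": {"stream": FINANCE, "ADGroup": set()},         # Default path
    "Payroll": {"stream": FINANCE, "ADGroup": {"GRP_HR"}},  # Exception path
    "Draft": {"stream": None, "ADGroup": set()},            # unpublished
}
MATRIX = access_matrix(USERS, APPS)

if __name__ == "__main__":
    for (user, app), (read, pub) in sorted(MATRIX.items()):
        print(f"{user:6} {app:8} read={read!s:5} publish/duplicate={pub}")
```

In this model the QMC Exception Read rule checks only the app's ADGroup, while the DuplicateApp Exception rule also requires the stream's ADGroup to match, so bob can read Payroll in the QMC but cannot publish or duplicate it.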