I am building a mashup page which will be on the public web site and which will communicate with some app exposed through an anonymous proxy. Because the QS services will be accessed from the client browser directly we need to embed the server url and the app id. So basically any one with the proper knowledge of JS and Qlik APIs can build his own mash-up and use the same QS server endpoint.
I want to avoid giving potential users to give the ability to connect to the QS server and use APIs from their own JS environment be it another web page or JS console in the browser. So basically we want to the users only seeing Lists and Hypercubes from the master library dimensions and measures and also embed the master objects into html placeholders. We would like to prohibit access to individual fields in the data model and also expression definitions.
What security measures do I have in my tool box? Ones I can think off are
1. Obfuscating the code. Not 100% secure, but good as an additional layer on top.
2. Security Rules in QS QMC. Can I limit API exposure to only the particular set of objects? Does anyone have a real experience?