Qlik Community

Qlik Sense Integration, Extensions, & APIs

Discussion board where members can learn more about Integration, Extensions and API’s for Qlik Sense.

d_pranskus
Contributor III

Limiting the App Object data Mashup can access

Hi Experts

I am building a mashup page which will be on the public web site and which will communicate with some app exposed through an anonymous proxy. Because the QS services will be accessed from the client browser directly we need to embed the server url and the app id. So basically any one with the proper knowledge of JS and Qlik APIs can build his own mash-up and use the same QS server endpoint.

I want to avoid giving potential users to give the ability to connect to the QS server and use APIs from their own JS environment be it another web page or JS console in the browser. So basically we want to the users only seeing Lists and Hypercubes from the master library dimensions and measures and also embed the master objects into html placeholders. We would like to prohibit access to individual fields in the data model and also expression definitions.

What security measures do I have in my tool box? Ones I can think off are

1. Obfuscating the code. Not 100% secure, but good as an additional layer on top.

2. Security Rules in QS QMC. Can I limit API exposure to only the particular set of objects? Does anyone have a real experience?

Could anyone advise please

Many Thanks

Tags (2)
1 Reply
erik_wetterberg
Valued Contributor III

Re: Limiting the App Object data Mashup can access

Hi,

basically the same security rules apply in a mashup as in the built-in client, so section access can be applied. I would also remove everything that is not needed from the data model.

Note that the web socket whitelist means that users can't really build their own web pages and use the Engine API. Console access would probably be possible.

Erik Wetterberg

Erik Wetterberg
https://extendingqlik.upper88.com/
Community Browser