Hi Qlik Team

The improvements regarding Hub Access in combination with many apps, security rules etc. in Nov. 18 SP3

Is this already part of Feb. 2019 release or will this be part of Feb. 2019 SP1?

Thanks for your feedback.

Alex

data/\bridge solutions

Hi @alexhausmannzur 

Those fixes are not in February 2019 but they will be included in February 2019 Patch 1. 

Thanks,

Global Support

Hello @Pamela_Whitney , we have tested out the P3 and we have found out  that no-one including the one who has all the privileges for HUB (all the objects in hub by default content admin) is able to see  the apps in Work stream (HUB) if it is not the owner.

• We had only default security rules and saw in auditing that the user should see it (one node only, so no special load balancing in place)
• With Patch 2 no issues at all. 
• For us Patch 3 is definitely a "no go" and we would ask for fixing the bug, we cannot consider it as a feature.

Also, changing a logic of security rules evaluation is not exactly something that we would expect to be part of patch release, more like major release since it can introduce new level of re-testing everything

Also we would greatly appreciate if this type of change was mentioned in the Version information PDF as limitation/feature. It would save us lot of time.

HI Qlik Team,

We recently upgraded to November 2018 Patch 4 and we are also facing the same issue.

I created 2 security rules to enable the access to a specific AD group for all the work stream apps. By this way the members of the AD group can view all the apps in Work Stream irrespective of whoever created the apps.

It was working fine in Patch 2 but not in Patch 4. Can this issue be sorted out?

Regards,

Vinoth

Hi @Vinothkumar  / @Pamela_Whitney  - This is new "designed behavior" since November P3 - three where such Security rules evaluation was introduced. Just to give you more insight: 

• Not only you cannot make others being able to see (in hub) the apps you created regardless of any security rule (which means they are ignored no matter of what)
• You can neither apply restrictions to the apps created by specific user - if he is an owner of the application he would be able to modify it in any case

Since we are dealing with the same situation here my suggestion is as follows:

• for projects create "work-stream" for each project and allow the same level of privileges there as if it was personal work meaning users would be able to mdoify even the base sheets there with data load script
• Good thing is you can set it up at stream level and no need to assign CPs to apps
• Once the app is ready you can "move" the app from one stream to another. This approach has one big caveat though - it will work for the first time. for additional attempt obviously you would need the functionality "move and replace" which does not exist. You cant simply delete the target app, not just different id but you would also lose the community sheets there. So if the app already exists in target stream you have to duplicate the app in the project work stream and republish it with overwrite option.

I sincerely wish Qlik focused on the features to be implemented fully and well designed , we would really appreciate at least some level of maturity. Unfortunately this types of fixes, non-clear specification of what it does regarding security changes in P3 (its kind of generic "security improvement not detailed at all"), sheets approval "randomness"  and security vulnerabilities really represent huge room for improvement

The problem is even bigger since to be able to fix the security vulnerability discovered you need to apply Patch 4 and since the patches are cumulative this is becoming kind of "implement or have security risk".

UPDATE: There seems to be an option to revert the security concept for non-published apps, is it applicable to February and November releases (P4) - https://support.qlik.com/articles/000068297

Thanks @analienx for pointing out that article. It's not really what I hoped to hear for a Patch but indeed it's a good thing to have an official response behind a change.

Riccardo

@analienx I understand your frustration with the developer workflow. I am not sure a common Work area is the best general solution for all our customers, as it makes it very easy for developers to accidentally overwrite each others work by simultaneous auto-save on the same physical file. The recommendation is to define a collaboration process through streams and Work area as described in the online Help.

It does not immediately solve your concerns in Qlik Sense for Windows, but we have redesigned the collaboration concept in Qlik Sense for Kubernetes. It applies role based access control and enables a simpler way to organize work in the Hub, which I think will resolve many of your collaboration needs. I would recommend that you catch-up on our release details when the April release comes out in a few weeks time. 

Hi @ToniKautto , 

Thank you for the insight. Do you think you could elaborate more about the concept with QS for Kubernetes? How that would work? The thing is if we knew it now we could prepare and change processes accordingly only this time and not multiple times. As you well know these types of changes are not generally accepted with ease since it means a lot of training and explanation behind to both Devs and business power users.

@analienx it is a fairly wide discussion, which does not really fit in comments thread. I would suggest looking out for Kubernetes related updated from Qlik the coming month, especially around Qonnections. 

https://www.youtube.com/watch?v=dhQowB_Q9xU might be starting point ot be introduced to the Kubernets part of Qlik Sense.