Hi!

We have several departments that shall not see each other streams or apps. 

Each department has a PowerUser that is allowed to run and create reload tasks for apps in their own stream.

We've got most working. The PowerUser can create the task, and for their own apps only.  BUT, when creating the Trigger, I get the error message: 'The operation failed due to insufficient privileges'.

(Failing on: POST https://qlik.company.com/dev/qrs/ReloadTask/update)

The same POST works a litte earlier, but with a different content. 'schemaEvents' is empty, and 'task' has content.

The setup

The developers get publish access to their stream, with a SAML attribute (similar to an  AD-group).

One PowerUser get a Qlik Role 'PowerUser'.

What have we done?

In addition to the QMC rule: Resouree: 'QMCSection_App, QMCSection_Task', Condition: ((user.roles="PowerUser"))
We created the security rule:

Resource: ReloadTask_*,SchemaEvent*
Action: Create, Read, Update, Delete
Condition:

   ((user.roles="PowerUser"
   and resource.app.stream.HasPrivilege("publish")
   ))

Context: QMC Only

I think maybe it is the  'resource.app.stream.HasPrivilege("publish")' that breaks the rule, when we are saving the task trigger (the SchemaEvent ? ). Is seems to be working when saving the reload task itself.

But what is inside the 'resource' object, when 'resource.resourcetype' is "SchemaEvent"?

The GitHub - levi-turner/Qonnections2018-Rules is great for existing examples.  But I cannot find any resources telling me the hierarchy within the 'resource'.

A very similar rule works very well for letting the PowerUser delete, import, export app, that the normal developers can only publish:    Condition: ((user.roles="PowerUser"  and resource.stream.HasPrivilege("publish")))

Any nice xmas helpers out there...? 🙂