analienx
Contributor III

Task owner in security rules

Hello,

How can one grant privileges to the task owner only? It seems that the ReloadTask resource does not have an owner at all (resource.owner=user never matches).

resource.app.owner also does not work (obviously a task does not have a security relation, it is only for application objects), so is there any good way to implement security so that only the owner could see/modify the created task (similarly to apps)?

Is there something like resource.creator or so?

Thank you!

1 Solution

Accepted Solutions
Levi_Turner
Employee

I am still not following the use case of why you'd want a user to only see reload tasks that they own (which isn't possible). Wouldn't you want the user to see reload tasks associated with apps which they can see? Otherwise you'd likely get multiple tasks for the same app.

For the use case of reload tasks associated with apps that the user can see, you can inherit from the app to the task, e.g. (from https://github.com/levi-turner/Qonnections2018-Rules#backend-rules):

  • ReloadTask*
  • Read + Update + Delete
  • ((user.role="Developer") and resource.App.HasPrivilege("read"))
  • QMC
  • This rule will provide the rights to read, modify, or delete tasks in the QMC so long as the task is associated with apps which the user has read rights on for users who have the Developer role from the configured User Directory Connector.

This rule is demoed here: https://www.youtube.com/watch?v=h5nBdt969XI

Hope that helps.
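A simplified model of how the rule quoted in this answer scopes task access, added here as an illustration (it is not Qlik's rule engine and not code from the linked repository). The users, apps, tasks and the `created_by` field are constructed; the last function lists what a reviewer would check, namely tasks a user can act on but did not create.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    user_id: str
    roles: set = field(default_factory=set)

@dataclass
class App:
    name: str
    readers: set  # constructed: user ids that the app's own rules grant read to

@dataclass
class ReloadTask:
    name: str
    app: App
    created_by: str  # hypothetical field, for comparison only; the rule never uses it

def app_has_privilege(user, app, action):
    # Stand-in for resource.App.HasPrivilege("read"): defer to the app's rules.
    return action == "read" and user.user_id in app.readers

def task_rule_allows(user, task):
    # ((user.role="Developer") and resource.App.HasPrivilege("read"))
    # The same condition gates Read, Update and Delete on the task.
    return "Developer" in user.roles and app_has_privilege(user, task.app, "read")

def visible_tasks(user, tasks):
    return sorted(t.name for t in tasks if task_rule_allows(user, t))

def visible_but_not_created(user, tasks):
    # Tasks the rule exposes to a user who did not create them.
    return sorted(t.name for t in tasks
                  if task_rule_allows(user, t) and t.created_by != user.user_id)

# Constructed sample data.
SALES = App("Sales", readers={"alice", "bob", "carol"})
FINANCE = App("Finance", readers={"bob"})
ALICE = User("alice", {"Developer"})
BOB = User("bob", {"Developer"})
CAROL = User("carol")  # can read Sales but lacks the Developer role
TASKS = [
    ReloadTask("reload-sales-nightly", SALES, created_by="alice"),
    ReloadTask("reload-sales-hourly", SALES, created_by="bob"),
    ReloadTask("reload-finance", FINANCE, created_by="bob"),
]

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL):
        print(u.user_id, visible_tasks(u, TASKS), visible_but_not_created(u, TASKS))
```
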


9 Replies
analienx
Contributor III
Author

Thank you, yet it really does not help at all.

Appreciate your response though!


Levi_Turner
Employee

Hey Jakub,

What exactly is the end goal here?

MK9885
Master II

As far as I know, all the tasks run in Qlik Sense are run by the Scheduler account, which is a 'Service Account'.

Same for QlikView.

sa_scheduler is the user ID in Qlik Sense.

A root admin would have full privilege to edit/modify/delete the task unless you disable the Root Admin rules and create a Custom Admin role by not giving access to the Tasks section in QMC.

analienx
Contributor III
Author

Hello experts,

We have a self-service environment where power users have the privilege to create tasks. The issue here is to allow only the task creator to see the task, because unlike the objects (apps, streams, data connections...) there is no task owner.

I was thinking about an automatically updated UserRead CP with the userid that the user would need to assign while creating the task, yet it is everything but user friendly, not to speak of the additional maintenance overhead...

Thank you!

MK9885
Master II

I do not have access to Security Rules in QMC, but you should probably look for the rule assigned for Self Service, remove QmcSection_Task for all the general users in that rule, and create a new rule giving only an individual user access to QmcSection_Task.

Not sure if you understood..

You need to provide more information on what you mean by 'Only the task creator'...

Who is this task creator? Is it an individual or a group?

Whoever that is, please provide the security rule associated with your self service.

analienx
Contributor III
Author

Hello Levi,

Thank you for this suggestion. I think we have already tried resource.App.owner, and without specifying App* in the resource filter we did not get any positive results. I see it is part of Qonnections 2018; is this functionality specific to some of the 2018 releases, or is it available in earlier releases as well (= behavior the same?). We will try it again with some modifications though. Thank you for the suggestion.

Levi_Turner
Employee

No worries. None of the functionality that I used in writing of those rules depends on product functionality of any particular build. The core concepts should scope back from at least 3.x and likely before.

There are some added work-flows in 2018-04 / 2018-06 which aren't covered but which have security rule consequences. Primarily:

  • Publishing from the Hub (2018-04+)
    • Requires publish rights + potential access to custom properties if you want to see them
  • Approving app objects (2018-06+)
    • Requires the net new action Approve
  • Duplicating apps (2018-06+)
    • Requires the net new action Duplicate