Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
Hello,
I'm in the process of learning more about security rules, and wanted to confirm my understanding of the hierarchical nature of them, but I couldn't find this particular scenario being implemented, so please correct me if I'm wrong.
For example:
The default stream rule is : 'allow users to see everything in the stream if they have been assigned to that stream, either by hardcoding the user to the access rule or by setting up custom properties'.
I have 9 streams right now, each stream with its own security rule to access it, we have one rule for each because soon each rule will pull from a different security group in AD, but its not implemented yet (otherwise I would've made one rule). This works fine, I created custom properties and users can see the streams (and everything in them) that they are assigned to.
This means if you meet the condition of the rule for one particular stream, you'll see the stream (thanks to the stream specific rule I created) and you'll see every app in that stream (thanks to the default stream rule). So this means that both rules are working, and the custom one rides on top of the default one in order to be functional and working.
My main question is the following: I created a new 10th stream 'Testing', that should operate differently than the others, what I want is to apply app level security on this stream only, without breaking any of the other rules, so I want a rule for this stream that basically says everyone can access this stream only when there are apps in it assigned to you (through custom properties) and in the stream you can see those apps only.
Since this stream rule will also work on top of the default stream rule, that means it wont actually work because they are contradicting each other, and the default rule will win because its granting access while the custom rule is trying to revoke that same access?
so then how do I write this rule and make it work as an exception to the default rule without changing the default rule?
Sorry for the long post, I appreciate any help and I'll be happy to elaborate if something isn't clear 🙂
In your default rule, you need to exclude the 'Testing' stream.
... and resource.name!="Testing"
That way the defualt rule will not apply to that stream, and you can create other rules specifically for the Testing stream.
In your default rule, you need to exclude the 'Testing' stream.
... and resource.name!="Testing"
That way the defualt rule will not apply to that stream, and you can create other rules specifically for the Testing stream.
Hello Henrik, thanks so much for pointing me in the right direction, I was testing with this, but I'm facing an issue.
I started by creating a duplicate of the default stream security rule (best practices and all that), then I disabled the original and enabled the custom new one. After this, Users stopped seeing App Objects in their apps, and when I audit the access to a specific sheet of an app, the new rule isn't in the associated rules list, and I can only see the disabled rule in that list. which means the custom rule its not even being applied, even though its an identical copy, and so I was forced to re-enable the original rule. Did I miss a step after duplicating? I appreciate your help 🙂
Hard to say what has happened. Is it possible that you post images of both rules so we can see them?
Hello Henrik, please check the attached, they look identical, but for some reason when I audit access to a sheet in one of the published apps, I only see the default rule in the associated rules list, and when I disable it and enable the custom rule, the associated rules stays the same except the stream rule is disabled then.
In the Custom Rule.png the resource filter is "App_*" but in the default rule it is "App*". Try changing your custom rule's resource filter so that it is the same as in the default rule.
Hi Henrik, I didn't even notice that, it works now!! Thanks so much for your time! 🙂