Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Introducing Qlik Answers: A plug-and-play, Generative AI powered RAG solution. READ ALL ABOUT IT!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
mbespartochnyy
Creator III
Creator III
‎2021-09-10 02:15 PM

How to interpret SharedContent security rule?

Qlik has this documentation on topic of publishing QlikView app links to Qlik Sense hub. Title of the doc, "...allow users to publish a link to shared content", is a bit scary.

I don't want any user in the entire company directory to be able to publish links. I want specific service account that runs QlikView server to be able to publish links to QlikView documents section in the hub.

My question is, am I reading the rule correctly? Is the rule that's mentioned the doc:

  • Allows any user to somehow publish links to QlikView documents section in Qlik Sense hub OR
  • Allows QlikView service account to publish links to QlikView apps in QlikView documents section for any user?

Thanks,

Mikhail B.

641 Views
0 Likes
1 Solution

Accepted Solutions
mbespartochnyy
Creator III
Creator III
‎2021-09-13 06:03 PM
Author

In response to rubenmarin

THE ANSWER

Figured it out. The answer is, this rule, just like the document states, "allow users to publish a link to shared content". In the context of publishing QlikView document links to Qlik Sense hub that means that the rule allows any user to publish links to QlikView documents in Qlik Sense hub.

I find title of the document so darn confusing without extra context behind it and the content of the document doesn't actually add any useful context that explains what "allow users to publish a link to shared content" actually means. For those interested in "the extra context", read on.

 

ADDITIONAL CONTEXT

Best way to start is to point out that Qlik Sense hub consists primarily of two sections:

  • Personal
  • Streams
    • aka, public.
    • aka, not personal.

Notice that QlikView documents section, counterintuitively, is located in Personal space:

Location of QlikView documents sectionLocation of QlikView documents section

That implies that it works just like the Work stream and it also further implies that:

  1. Contents within QlikView documents belong to specific user and only to that specific user.
  2. Since contents within QlikView documents belong to specific user, they can only be "created" by that specific user in order to show up in that section for that user.

So when QlikView distribution service publishes a link to QlikView documents section for a user, it actually creates a record in Qlik Sense repository database, specifically in SharedContent table of QSR database, and assigns user listed in distribution list in QlikView task as the "owner" of the link. That, in turn, makes the link to QlikView document show up for specific user.

If you'd like to confirm that, run this query in your Qlik Sense repository database to see list of QlikView links published to Qlik Sense hub and the "owners" of each link:

 

 

SELECT sc."ID"
	 , sc."Name"
	 , "Type"
	 , "Value"						as "AccessPointCategory"
	 , "Uri"
	 , "Owner_ID"
	 , "UserId"						as "Owner_Name"
	 , sc."CreatedDate"
	 , sc."ModifiedDate"
	 , sc."ModifiedByUserName"
  FROM public."SharedContents" sc
  LEFT JOIN public."SharedContentMetaDatas" scmd
    ON sc."ID" = scmd."SharedContent_ID"
  LEFT JOIN public."Users" u
    ON sc."Owner_ID" = u."ID"
 WHERE "Type" = 'QlikView doc link'

 

 

Notice that if app is distributed to, say, three users, there will be three records in that table for that app, one for each user and users are set as "owners" of the links.

 

TESTING & CONFIRMATION

I've done some testing and confirmation of how security rule works. First test was to setup security rule as described in the document and distribute a QlikView app to Qlik Sense hub. That distribution was successful and user was able to see the link to the document in Qlik Sense hub.

Second test was to update the security rule to give Shared Content creation right only to the service account that's used to run QlikView:

Security rule modified to grant permission to service accountSecurity rule modified to grant permission to service account

When I reran the distribution task in QV QMC, I got warning message saying that distribution to intended user ws forbidden:

Warning message issued in QlikView QMC when service account is the only account that has Create shared content permissionWarning message issued in QlikView QMC when service account is the only account that has Create shared content permission

That implied that user must have create shared content permission in Qlik Sense in order for a link to QlikView document to be distributed to that user's personal space in the hub.

However, implication is not quite the same as confirmation. So I took it a step further and modified the security rule to allow Create permission specifically for that user to which the QlikView app is being distributed:

Security rule modified to allow creation of shared content for specific user to whom QlikView document is being distributedSecurity rule modified to allow creation of shared content for specific user to whom QlikView document is being distributed

 The idea is if I reload the distribution task in QMC with this security rule modified to be focused specifically on the user that's on the distribution list in QV QMC, the link to the QlikView app should be created for the user without any errors or warnings. That, in fact is what happened. I reloaded the task in QMC with this new rule in place, it reloaded successfully, and the user confirmed the app did show up in their QlikView documents section in the hub.

View solution in original post

572 Views
4 Replies
rubenmarin
MVP
MVP
‎2021-09-11 04:07 AM

Hi, the rule you have linked will only give permissions to users that belong to the group specified in UserGroupName.

You can also set this for specific users using UserId or UserName instead of UserDirectory. 

Another usual option is to use UserRole to give this permissions to users with specific roles on qlikSense, like the RootAdmin or the ContentAdmin.

598 Views
0 Likes
mbespartochnyy
Creator III
Creator III
‎2021-09-11 10:19 AM
Author

In response to rubenmarin

Hi @rubenmarin , thanks for the reply! I understand who the rule applies to. I’m more curious about what these users will now be able to do when they have this permission.

591 Views
0 Likes
rubenmarin
MVP
MVP
‎2021-09-12 03:27 AM

In response to mbespartochnyy

Hi, I haven't tested but I think this rule gives permission to publish links in qlik sense, this should be the service account of qlikView, the users who an actually see the document are set in QlikView Management Console.

I would try to give only permission to the srevice accounts, set the QV task to publish to a named user that is not an admin user, and check if the user sees the documento.

I don't have now an environment avaible to test myself.

586 Views
0 Likes
mbespartochnyy
Creator III
Creator III
‎2021-09-13 06:03 PM
Author

In response to rubenmarin

THE ANSWER

Figured it out. The answer is, this rule, just like the document states, "allow users to publish a link to shared content". In the context of publishing QlikView document links to Qlik Sense hub that means that the rule allows any user to publish links to QlikView documents in Qlik Sense hub.

I find title of the document so darn confusing without extra context behind it and the content of the document doesn't actually add any useful context that explains what "allow users to publish a link to shared content" actually means. For those interested in "the extra context", read on.

 

ADDITIONAL CONTEXT

Best way to start is to point out that Qlik Sense hub consists primarily of two sections:

  • Personal
  • Streams
    • aka, public.
    • aka, not personal.

Notice that QlikView documents section, counterintuitively, is located in Personal space:

Location of QlikView documents sectionLocation of QlikView documents section

That implies that it works just like the Work stream and it also further implies that:

  1. Contents within QlikView documents belong to specific user and only to that specific user.
  2. Since contents within QlikView documents belong to specific user, they can only be "created" by that specific user in order to show up in that section for that user.

So when QlikView distribution service publishes a link to QlikView documents section for a user, it actually creates a record in Qlik Sense repository database, specifically in SharedContent table of QSR database, and assigns user listed in distribution list in QlikView task as the "owner" of the link. That, in turn, makes the link to QlikView document show up for specific user.

If you'd like to confirm that, run this query in your Qlik Sense repository database to see list of QlikView links published to Qlik Sense hub and the "owners" of each link:

 

 

SELECT sc."ID"
	 , sc."Name"
	 , "Type"
	 , "Value"						as "AccessPointCategory"
	 , "Uri"
	 , "Owner_ID"
	 , "UserId"						as "Owner_Name"
	 , sc."CreatedDate"
	 , sc."ModifiedDate"
	 , sc."ModifiedByUserName"
  FROM public."SharedContents" sc
  LEFT JOIN public."SharedContentMetaDatas" scmd
    ON sc."ID" = scmd."SharedContent_ID"
  LEFT JOIN public."Users" u
    ON sc."Owner_ID" = u."ID"
 WHERE "Type" = 'QlikView doc link'

 

 

Notice that if app is distributed to, say, three users, there will be three records in that table for that app, one for each user and users are set as "owners" of the links.

 

TESTING & CONFIRMATION

I've done some testing and confirmation of how security rule works. First test was to setup security rule as described in the document and distribute a QlikView app to Qlik Sense hub. That distribution was successful and user was able to see the link to the document in Qlik Sense hub.

Second test was to update the security rule to give Shared Content creation right only to the service account that's used to run QlikView:

Security rule modified to grant permission to service accountSecurity rule modified to grant permission to service account

When I reran the distribution task in QV QMC, I got warning message saying that distribution to intended user ws forbidden:

Warning message issued in QlikView QMC when service account is the only account that has Create shared content permissionWarning message issued in QlikView QMC when service account is the only account that has Create shared content permission

That implied that user must have create shared content permission in Qlik Sense in order for a link to QlikView document to be distributed to that user's personal space in the hub.

However, implication is not quite the same as confirmation. So I took it a step further and modified the security rule to allow Create permission specifically for that user to which the QlikView app is being distributed:

Security rule modified to allow creation of shared content for specific user to whom QlikView document is being distributedSecurity rule modified to allow creation of shared content for specific user to whom QlikView document is being distributed

 The idea is if I reload the distribution task in QMC with this security rule modified to be focused specifically on the user that's on the distribution list in QV QMC, the link to the QlikView app should be created for the user without any errors or warnings. That, in fact is what happened. I reloaded the task in QMC with this new rule in place, it reloaded successfully, and the user confirmed the app did show up in their QlikView documents section in the hub.

573 Views