Hi All,
We would like to give limited access to few users to QMC. Below is the requirement.
1. Users can see only Apps section in QMC
2. They can see those apps which are present under the streams to which they have access. Example: a user has access to streams 'ABC' and 'XYZ'. Both streams have 5 apps saved under them. Thus the user can see a total of 10 apps from QMC.
3. Users can publish, import, export, duplicate and change the owner of these 10 apps from QMC.
How can we achieve this from QMC? I don't want to give them Root admin or Content admin access, as it gives almost complete access to QMC.
Thanks !!!
The first part is easy, create a security rule with:
Resource filter: QmcSection_App
Actions: Read
Conditions: Assign users or group
Context: Only in QMC
This gives the users access to the App menu in the QMC. At this point they should only see apps that they have access to. If they own an app and have appropriate access to streams, they can do everything you want except change the owner.
To have all the requests that you want for applications that they don't own will require more security rules. We have tested using custom properties and are waiting for permission to migrate our new security rules to our development and production environments.
Changing the owner is a bit tricky because they will need access to the user directory. A simpler solution is to duplicate the app and publish over the existing app.
Hi,
Thanks for the quick reply.
Could you please explain how you have implemented the part below in your environment?
"To have all the requests that you want for applications that they don't own will require more security rules. We have tested using custom properties and are waiting for permission to migrate our new security rules to our development and production environments."
Thanks !!!
Our goal evolved. Initially it was to grant access using custom properties. Then we also wanted to restrict access to which application a user could view within a stream. We use Active Directory for authentication and these rules were created in a Feb 2019 environment.
Custom properties:
ADGroup (Apps,Streams) - the values are the names of the AD groups that are used to grant access to Qlik. If we want to just limit access to a stream, the custom property is added to the stream. If we want to limit access to an application within a stream, the custom property is added to the stream and the application.
Developer (Users) - the values are the AD groups that are used to grant access to Qlik. These are added to the users that are developers. The combination of developer custom property and stream/app custom property determines which apps you can edit/delete/duplicate/export and which streams you can publish to.
UserType (Users) - Only 1 value right now, Scheduler. We have some developers whom we allow to create tasks.
Security Rules:
Disable the delivered rule: Stream
New Security Rules: I found it easier to audit and validate the rules when I separated some rules by Context. The *Default rules control access to applications that do not have a custom property. The *Exception rules control access to applications that have a custom property assigned.
NEWRULE_AppLimiteUserDefault:
Resource Filter: App*
Actions: Read
Conditions:
(resource.resourcetype = "App" and resource.@ADGroup.empty() and resource.stream.@ADGroup = user.group) and (resource.resourcetype = "App" and !resource.stream.empty())
Context: Only in hub
NEWRULE_AppLimitedUseException:
Resource Filter: App*
Actions: Read
Conditions:
(resource.resourcetype = "App" and !resource.@ADGroup.empty() and resource.@ADGroup = user.group) and (resource.resourcetype = "App" and !resource.stream.empty())
Context: Only in hub
NEWRULE_AppLimitedUseQMCDefault:
Resource Filter: App*
Actions: Read
Conditions:
(resource.resourcetype = "App" and resource.@ADGroup.empty() and resource.stream.@ADGroup=user.@Developer) and (resource.resourcetype = "App" and !resource.stream.empty())
Context: Only in QMC
NEWRULE_AppLimitedUseQMCException:
Resource Filter: App*
Actions: Read
Conditions:
(resource.resourcetype = "App" and !resource.@ADGroup.empty() and resource.@ADGroup=user.@Developer) and (resource.resourcetype = "App" and !resource.stream.empty())
Context: Only in QMC
NEWRULE_AppObjectAccess:
Resource Filter: App.Object_*
Actions: Read
Conditions:
(resource.resourcetype = "App.Object" or
resource.objectType = "app_appscript" or
resource.objectType = "loadmodel") and
resource.published ="true"
Context: Both in hub and QMC
NEWRULE_CreateTask:
Resource Filter: ReloadTask*,SchemaEvent*,CompositeEvent*
Actions: Create
Conditions: ((user.@UserType="Scheduler"))
Context: Only in QMC
NEWRULE_DeleteExport:
Resource Filter: App*
Actions: Delete, Export, Export data
Conditions: ((user.@Developer=resource.stream.@ADGroup))
Context: Both in hub and QMC
NEWRULE_DeveloperQmcAppsMenu:
Resource Filter: QmcSection_App
Conditions: ((user.group like "001EDW_*Developer"))
Context: Only in QMC
NEWRULE_DuplicateAppDefault:
Resource Filter: App*
Actions: Publish, Duplicate
Conditions:
((resource.stream.@ADGroup=user.@Developer and resource.resourcetype="App" and resource.@ADGroup.empty()))
Context: Both in hub and QMC
NEWRULE_DuplicateAppException:
Resource Filter: App*
Actions: Publish, Duplicate
Conditions:
((resource.@ADGroup=user.@Developer and resource.stream.@ADGroup=user.@Developer and resource.resourcetype="App" and !resource.@ADGroup.empty()))
Context: Both in hub and QMC
NEWRULE_ReloadTaskDefault:
Resource Filter: ReloadTask*,SchemaEvent*,CompositeEvent*,ExecutionResult*
Actions: Read, Update, Delete
Conditions:
((user.@UserType="Scheduler")) and
((resource.resourcetype="ReloadTask" and
resource.app.stream.@ADGroup=user.@Developer and
resource.app.@ADGroup.Empty()) or
(resource.resourcetype = "SchemaEvent" or resource.resourcetype = "CompositeEvent"))
Context: Only in QMC
NEWRULE_ReloadTaskException:
Resource Filter: ReloadTask*,SchemaEvent*,CompositeEvent*,ExecutionResult*
Actions: Read, Update, Delete
Conditions:
((user.@UserType="Scheduler"))
and
((resource.resourcetype="ReloadTask" and
resource.app.stream.@ADGroup=user.@Developer and
!resource.app.@ADGroup.Empty() and resource.app.@ADGroup = user.@Developer) or
(resource.resourcetype = "SchemaEvent" or resource.resourcetype = "CompositeEvent"))
Context: Only in QMC
NEWRULE_SchedulerQMCTasksMenu:
Resource Filter: QmcSection_Task,QmcSection_ReloadTask,QmcSection_Event,QmcSection_SchemaEvent,QmcSection_CompositeEvent
Actions: Read
Conditions: !user.IsAnonymous() and ((user.@UserType="Scheduler"))
Context: Only in QMC
NEWRULE_Stream:
Resource Filter: Stream_*
Actions: Read
Conditions: ((user.group=resource.@ADGroup))
Context: Only in hub
NEWRULE_StreamPublish:
Resource Filter: Stream_*
Actions: Publish
Conditions: ((resource.@ADGroup=user.@Developer))
Context: Both in hub and QMC
NEWRULE_StreamQMC:
Resource Filter: Stream_*
Actions: Read
Conditions: ((resource.@ADGroup=user.@Developer))
Context: Only in QMC
NEWRULE_UpdateAppDefault:
Resource Filter: App*
Actions: Update
Conditions:
((resource.resourcetype = "App" and resource.@ADGroup.empty() and resource.stream.@ADGroup=user.@Developer and !resource.stream.empty()))
Context: Both in hub and QMC
NEWRULE_UpdateAppException:
Resource Filter: App*
Actions: Update
Conditions:
((resource.resourcetype = "App" and !resource.@ADGroup.empty() and resource.@ADGroup=user.@Developer and !resource.stream.empty()) )
Context: Both in hub and QMC
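The Default/Exception split above is easiest to reason about when it is written out as a decision procedure. The following is an added example, not Qlik's rule engine or anything from this thread: it models the four NEWRULE_AppLimited* Read rules plus NEWRULE_DeveloperQmcAppsMenu over a constructed set of streams, apps and users, and lets you check who sees which app in the hub versus the QMC before touching a real environment. It assumes Qlik's behaviour that "=" on multi-valued attributes (user.group, custom properties) is true when any value matches, and that "like" is a case-insensitive wildcard; the disabled Stream rule and the owner rule are not modelled.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

@dataclass
class Stream:
    name: str
    adgroup: set = field(default_factory=set)      # custom property ADGroup

@dataclass
class App:
    name: str
    stream: Optional[Stream]                       # None = not published to any stream
    adgroup: set = field(default_factory=set)      # custom property ADGroup

@dataclass
class User:
    name: str
    groups: set                                    # user.group (AD groups)
    developer: set = field(default_factory=set)    # custom property Developer

# Qlik '=' between multi-valued attributes: true when any value is shared
def _eq(a: set, b: set) -> bool: return bool(a & b)

def can_read_app(user: User, app: App, context: str) -> bool:
    """Union of the four NEWRULE_AppLimited* Read rules; context is 'hub' or 'QMC'."""
    if app.stream is None:                         # all four require !resource.stream.empty()
        return False
    # hub rules compare with user.group, QMC rules with user.@Developer
    who = user.groups if context == "hub" else user.developer
    if not app.adgroup:                            # *Default rule: app carries no ADGroup
        return _eq(app.stream.adgroup, who)
    return _eq(app.adgroup, who)                   # *Exception rule: app ADGroup decides

def visible_apps(user: User, apps: list, context: str) -> list:
    return sorted(a.name for a in apps if can_read_app(user, a, context))

def can_open_qmc_apps_menu(user: User) -> bool:
    """NEWRULE_DeveloperQmcAppsMenu: user.group like "001EDW_*Developer" (case-insensitive)."""
    return any(fnmatchcase(g.lower(), "001edw_*developer") for g in user.groups)

# Constructed sample inventory (not from the thread)
FINANCE = Stream("Finance", {"001EDW_FinanceUser"})
SALES = Stream("Sales", {"001EDW_SalesUser"})
APPS = [App("Fin Overview", FINANCE),
        App("Fin Payroll", FINANCE, {"001EDW_PayrollUser"}),   # app-level exception
        App("Sales Dash", SALES),
        App("Draft", None)]                                    # unpublished, never visible
ALICE = User("alice", {"001EDW_FinanceUser", "001EDW_FinanceDeveloper"}, {"001EDW_FinanceUser"})
BOB = User("bob", {"001EDW_FinanceUser", "001EDW_PayrollUser"})
```

Note that bob sees "Fin Payroll" in the hub because the app-level ADGroup overrides the stream's, while alice, who is a developer for Finance but not in the payroll group, does not see it in either context.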