lblancher
Partner - Contributor III

Security Rule for ExecutionResult_* and ExecutionSession_* Resource Filters

Hi Qlik Community,

I am trying to use the community extension Reload Task Button (https://developer.qlik.com/garden/5eb3c41379935d00114df863) in my Qlik Sense application.  In the setup, there is a configuration to add Security Rules for ExecutionResult* and ExecutionSession* resources.  It looks like most help about these resources seems to only limit access by user.  With these, any member of the specified group is able to see any ExecutionResult_* and ExecutionSession_*.  I would like to restrict this a bit more so that a user is only able to see the ExecutionResult_* and ExecutionSession_* resources for a specific app and/or task.

I've tried using (user.userId="qlikuser1" and resource.resourcetype="ExecutionResult" and resource.app.name = "App Name") in my security rules, but they don't seem to work.

Is there any documentation that could tell me what properties the resource object has when they are of type ExecutionResult or ExecutionSession and being executed by the security rule system?  

 

Thanks,

Lucas

1 Solution

Accepted Solutions
Levi_Turner
Employee

Hey there,

Unfortunately there is no hierarchical relationship between an ExecutionResult and Task. This can be confirmed by calling GET /qrs/about/api/relations, which enumerates the hierarchical relationships at the QRS layer (https://help.qlik.com/en-US/sense-developer/May2021/Subsystems/RepositoryServiceAPI/Content/Sense_Re...). The response on my May 2021 installation is as follows:

[
  "App.owner > User",
  "App.stream > Stream",
  "App.tags > Tag",
  "App.Content.app > App",
  "App.Content.references > StaticContentReference",
  "App.Content.whiteList > FileExtensionWhiteList",
  "App.DataSegment.app > App",
  "App.DataSegment.file > FileReference",
  "App.DataSegment.owner > User",
  "App.Internal.app > App",
  "App.Internal.file > FileReference",
  "App.Object.app > App",
  "App.Object.file > FileReference",
  "App.Object.owner > User",
  "App.Object.tags > Tag",
  "AppSeedInfo.app > App",
  "AppStatus.app > App",
  "CompositeEvent.externalProgramTask > ExternalProgramTask",
  "CompositeEvent.operational > CompositeEventOperational",
  "CompositeEvent.reloadTask > ReloadTask",
  "CompositeEvent.userSyncTask > UserSyncTask",
  "CompositeEvent.Rule.externalProgramTask > ExternalProgramTask",
  "CompositeEvent.Rule.operational > CompositeEventRuleOperational",
  "CompositeEvent.Rule.reloadTask > ReloadTask",
  "CompositeEvent.Rule.userSyncTask > UserSyncTask",
  "ContentLibrary.owner > User",
  "ContentLibrary.references > StaticContentReference",
  "ContentLibrary.tags > Tag",
  "ContentLibrary.whiteList > FileExtensionWhiteList",
  "CustomPropertyValue.definition > CustomPropertyDefinition",
  "DataConnection.owner > User",
  "DataConnection.tags > Tag",
  "EngineService.serverNodeConfiguration > ServerNodeConfiguration",
  "EngineService.tags > Tag",
  "ExecutionResult.details > ExecutionResult.Detail",
  "ExecutionSession.app > App",
  "ExecutionSession.executingNode > SchedulerService",
  "ExecutionSession.executionResult > ExecutionResult",
  "ExecutionSession.externalProgramTask > ExternalProgramTask",
  "ExecutionSession.reloadTask > ReloadTask",
  "ExecutionSession.userSyncTask > UserSyncTask",
  "Extension.owner > User",
  "Extension.references > StaticContentReference",
  "Extension.tags > Tag",
  "Extension.whiteList > FileExtensionWhiteList",
  "ExternalProgramTask.operational > ExternalProgramTaskOperational",
  "ExternalProgramTask.qlikUser > User",
  "ExternalProgramTask.tags > Tag",
  "ExternalProgramTaskOperational.lastExecutionResult > ExecutionResult",
  "FileExtension.mimeType > MimeType",
  "FileExtensionWhiteList.fileExtensions > FileExtension",
  "License.AnalyzerAccessType.user > User",
  "License.AnalyzerAccessUsage.analyzerAccessType > License.AnalyzerAccessType",
  "License.AnalyzerTimeAccessUsage.analyzerTimeAccessType > License.AnalyzerTimeAccessType",
  "License.AnalyzerTimeAccessUsage.user > User",
  "License.LoginAccessUsage.loginAccessType > License.LoginAccessType",
  "License.LoginAccessUsage.user > User",
  "License.ProfessionalAccessType.user > User",
  "License.ProfessionalAccessUsage.professionalAccessType > License.ProfessionalAccessType",
  "License.UserAccessType.user > User",
  "License.UserAccessUsage.userAccessType > License.UserAccessType",
  "OdagEngineGroup.owner > User",
  "OdagLink.modelGroups > OdagModelGroup",
  "OdagLink.owner > User",
  "OdagLink.templateApp > App",
  "OdagLinkUsage.link > OdagLink",
  "OdagLinkUsage.selectionApp > App",
  "OdagModelGroup.owner > User",
  "OdagRequest.engineGroup > OdagEngineGroup",
  "OdagRequest.generatedApp > App",
  "OdagRequest.link > OdagLink",
  "OdagRequest.owner > User",
  "OdagService.Settings.anonymousProxyUser > User",
  "PrintingService.serverNodeConfiguration > ServerNodeConfiguration",
  "PrintingService.tags > Tag",
  "ProxyService.serverNodeConfiguration > ServerNodeConfiguration",
  "ProxyService.tags > Tag",
  "ProxyServiceCertificate.proxyService > ProxyService",
  "ProxyService.Settings.virtualProxies > VirtualProxyConfig",
  "ReloadTask.app > App",
  "ReloadTask.operational > ReloadTaskOperational",
  "ReloadTask.tags > Tag",
  "ReloadTaskOperational.lastExecutionResult > ExecutionResult",
  "RepositoryService.serverNodeConfiguration > ServerNodeConfiguration",
  "RepositoryService.tags > Tag",
  "SchedulerService.serverNodeConfiguration > ServerNodeConfiguration",
  "SchedulerService.tags > Tag",
  "SchemaEvent.externalProgramTask > ExternalProgramTask",
  "SchemaEvent.operational > SchemaEventOperational",
  "SchemaEvent.reloadTask > ReloadTask",
  "SchemaEvent.userSyncTask > UserSyncTask",
  "ServerNodeConfiguration.roles > ServerNodeRole",
  "ServerNodeConfiguration.serviceCluster > ServiceCluster",
  "ServerNodeConfiguration.tags > Tag",
  "ServerNodeHeartbeat.serverNodeConfiguration > ServerNodeConfiguration",
  "ServiceStatus.serverNodeConfiguration > ServerNodeConfiguration",
  "SharedContent.owner > User",
  "SharedContent.references > StaticContentReference",
  "SharedContent.tags > Tag",
  "SharedContent.whiteList > FileExtensionWhiteList",
  "StaticContentReference.files > FileReference",
  "Stream.owner > User",
  "Stream.tags > Tag",
  "SyncSession.serverNodeConfiguration > ServerNodeConfiguration",
  "SystemNotification.reloadTasks > ReloadTask",
  "SystemNotification.targetUsers > User",
  "SystemRule.tags > Tag",
  "TempContent.owner > User",
  "TermsAcceptance.user > User",
  "User.tags > Tag",
  "UserDirectory.tags > Tag",
  "UserSyncTask.operational > UserSyncTaskOperational",
  "UserSyncTask.tags > Tag",
  "UserSyncTask.userDirectory > UserDirectory",
  "UserSyncTaskOperational.lastExecutionResult > ExecutionResult",
  "VirtualProxyConfig.loadBalancingServerNodes > ServerNodeConfiguration",
  "VirtualProxyConfig.tags > Tag",
  "WebExtensionLibrary.owner > User",
  "WebExtensionLibrary.tags > Tag",
  "Widget.extensionType > WebExtensionType",
  "Widget.library > WebExtensionLibrary",
  "Widget.owner > User",
  "Widget.tags > Tag"
]

 

From a security perspective, the only sensitive information contained in an executionResult is the hostname of the server running the task. Example:

{
  "id": "bc2befd1-0c62-4621-bd73-e87d3ab6e08c",
  "createdDate": "2018-01-02T12:40:27.641Z",
  "modifiedDate": "2018-01-02T18:26:54.374Z",
  "modifiedByUserName": "INTERNAL\\sa_scheduler",
  "taskID": "00000000-0000-0000-0000-000000000000",
  "executionID": "1e03d598-4ab0-4f33-8675-9eb2847f3fc6",
  "appID": "00000000-0000-0000-0000-000000000000",
  "executingNodeID": "00000000-0000-0000-0000-000000000000",
  "executingNodeName": "usral-ltv.qliktech.com",
  "status": 12,
  "startTime": "2018-01-02T12:40:27.551Z",
  "stopTime": "2018-01-02T18:26:52.347Z",
  "duration": 20784796,
  "fileReferenceID": "00000000-0000-0000-0000-000000000000",
  "scriptLogAvailable": false,
  "details": [
    {
      "id": "1df00a60-048b-4729-a12b-4b81108ecece",
      "detailsType": 2,
      "message": "Changing task state from Triggered to Started",
      "detailCreatedDate": "2018-01-02T12:40:28.635Z",
      "privileges": null
    },
    {
      "id": "5f8edcda-244d-43b8-b43a-c6d58a611673",
      "detailsType": 2,
      "message": "Changing task state to Triggered",
      "detailCreatedDate": "2018-01-02T12:40:27.573Z",
      "privileges": null
    },
    {
      "id": "b6423b06-c958-4136-bab4-3c4975195c6a",
      "detailsType": 2,
      "message": "Changing task state from Started to Error",
      "detailCreatedDate": "2018-01-02T18:26:52.333Z",
      "privileges": null
    },
    {
      "id": "e90c899a-d6e1-4d31-a4ad-6cb46659672f",
      "detailsType": 1,
      "message": "Execution session found but task not running in the slave scheduler, session deleted",
      "detailCreatedDate": "2018-01-02T18:26:52.343Z",
      "privileges": null
    },
    {
      "id": "10a14917-6ff3-403a-bf8f-979489e1d94f",
      "detailsType": 2,
      "message": "Changing task state from Error to Reset",
      "detailCreatedDate": "2018-01-02T18:26:53.393Z",
      "privileges": null
    },
    {
      "id": "f4815dd3-5e80-44cc-97cb-7c8081e0e2a3",
      "detailsType": 2,
      "message": "Trying to start task. Sending task to slave scheduler usral-ltv.qliktech.com",
      "detailCreatedDate": "2018-01-02T12:40:27.879Z",
      "privileges": null
    }
  ],
  "scriptLogLocation": null,
  "scriptLogSize": 0,
  "privileges": null,
  "schemaPath": "ExecutionResult"
}

Since this would be present on even narrowly scoped executionResults (if this were possible) then there isn't an obvious informational exposure, at least in my view.

Cheers
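
Added example, not part of the original post and not Qlik's own code: a Python check that loads the ExecutionSession- and ExecutionResult-related entries from the relations response quoted above and tests whether a rule path such as `app.name` can be resolved from a given resource type. It assumes the segments after `resource.` in a rule condition correspond to the relation property names in that listing; `build_graph`, `reachable` and `relation_hops_valid` are hypothetical helper names.

```python
import json

# Subset of the GET /qrs/about/api/relations response quoted in the answer
# (May 2021 installation); only the entries relevant to this thread are kept.
RELATIONS = json.loads("""[
  "App.owner > User",
  "App.stream > Stream",
  "App.tags > Tag",
  "ExecutionResult.details > ExecutionResult.Detail",
  "ExecutionSession.app > App",
  "ExecutionSession.executingNode > SchedulerService",
  "ExecutionSession.executionResult > ExecutionResult",
  "ExecutionSession.externalProgramTask > ExternalProgramTask",
  "ExecutionSession.reloadTask > ReloadTask",
  "ExecutionSession.userSyncTask > UserSyncTask",
  "ReloadTask.app > App",
  "ReloadTask.operational > ReloadTaskOperational",
  "ReloadTask.tags > Tag",
  "ReloadTaskOperational.lastExecutionResult > ExecutionResult"
]""")

def build_graph(relations):
    """Turn 'Source.prop > Target' strings into {source: {prop: target}}."""
    graph = {}
    for entry in relations:
        left, target = (part.strip() for part in entry.split(" > "))
        source, _, prop = left.rpartition(".")  # source may itself contain dots
        graph.setdefault(source, {})[prop] = target
    return graph

def reachable(graph, resource_type):
    """All types that can be reached from resource_type by following relations."""
    seen, stack = set(), [resource_type]
    while stack:
        for target in graph.get(stack.pop(), {}).values():
            if target not in seen:
                seen.add(target)
                stack.append(target)
    return seen

def relation_hops_valid(graph, resource_type, path):
    """Check a rule path like 'app.name': every segment except the last must be
    a listed relation (assumption: the last segment is a plain attribute, which
    this listing cannot verify)."""
    current = resource_type
    for prop in path.split(".")[:-1]:
        current = graph.get(current, {}).get(prop)
        if current is None:
            return False
    return True

GRAPH = build_graph(RELATIONS)
if __name__ == "__main__":
    for rtype in ("ExecutionSession", "ExecutionResult"):
        print(rtype, relation_hops_valid(GRAPH, rtype, "app.name"), sorted(reachable(GRAPH, rtype)))
```

Run against the full response from your own installation, the same check shows which resource types can be filtered by app or task before a rule is written.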


2 Replies
lblancher
Partner - Contributor III
Author

Thank you Levi!  This gave me what I needed to lock down the ExecutionSession and you are right the ExecutionResult doesn't leak any useful information.

 

Regards,

Lucas