cpfefferkorn
Partner - Contributor II

Security rule for reloading app without edit rights

Hello community,

I am struggling right now to define a correct security rule for my customers.
They should be allowed to reload an app without the permission to edit/delete it.

For testing purposes I created a new security rule and tried it with read-only rights.
The User is allowed to see: App, App Objects, Stream, Tasks and Users. I have created the following security rule:

[Image: Security rules overview]

Resource Filter: QmcSection_App, QmcSection_ReloadTask, QmcSection_Task, QmcSection_App.Object, QmcSection_Stream, QmcSection_User, App_*, ReloadTask_*, App.Object_*, Stream_*, User_*

My problem is now, the user can see the tasks from QMC, but can't reload it. As soon as the user starts the reload task the following error message appears:

[Image: error occurred]

I tried to modify the security rule: If I enable the function "Update" in Actions, the task is starting but now the user can also edit it.

How can I set the security rule so that the user can only start the tasks, without having the edit option for them?


Accepted Solutions
Or
MVP

Your user needs to have a Professional license for this (or no license at all, but it can't be an Analyzer license).

I'm not entirely sure, but I think you will need to grant read access to the tasks (ReloadTask_*) and tasks section (QmcSection_Task), and update to the app itself (QMC only, so the user can't actually do any harm since they don't have access to the Apps section in QMC). I'm not entirely sure about the last part but I do think it's necessary.

cpfefferkorn
Partner - Contributor II
Author

Hello Or,

Thanks for your advice.
As far as I know it is not important to give the user a license. At least I tested it without any license and it did not change my results.

I tried several options and did some additional testing.
In my opinion the best option is to do it as you advised. I also wanted to give the user the right to view some additional sections like user, stream and app objects (only in QMC):

Create a security rule to Read/Update all Apps (App_*)
Create another security rule for only Reading the QmcSections (QmcSection_Task,ReloadTask_*,QmcSection_App.Object,QmcSection_Stream,QmcSection_User,ExecutionResult*,ExecutionSession*,App.Object_*,Stream_*,User_*)

RadovanOresky
Partner Ambassador

Hi, you could use the Inphinity Flow (or Forms) extension, which also allows Analyzer users to trigger a reload task.

https://youtu.be/ajkAGj8OvoY?t=108

Or
MVP

As per my original post, the user needs either a professional license, or no license. You just can't use this on someone with an Analyzer license. Quirky, but that was the case last time I checked, anyway.

Insofar as giving users more sections in QMC, just keep in mind that you need to avoid giving them anything where those update permissions on the app might result in the ability to edit things you didn't plan for.
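
A least-privilege check for the two-rule layout discussed in this thread, as an added example that is not part of any post above and is not Qlik code. It assumes a simplified rule model (a resource filter plus action names, not the Qlik repository schema) and flags write actions beyond Update on App_*, and App Update combined with read access to QmcSection_App.

```python
from fnmatch import fnmatchcase

# Simplified model (assumption): a rule = comma-separated resource filter + action names.
# This is not the Qlik repository schema and the script does not contact a Qlik server.
FINAL_RULES = [  # the two rules from the thread author's follow-up post
    {"name": "app-update", "filter": "App_*", "actions": {"Read", "Update"}},
    {"name": "qmc-read", "actions": {"Read"},
     "filter": "QmcSection_Task,ReloadTask_*,QmcSection_App.Object,QmcSection_Stream,"
               "QmcSection_User,ExecutionResult*,ExecutionSession*,App.Object_*,"
               "Stream_*,User_*"},
]
FIRST_ATTEMPT = [  # the single rule from the opening post with "Update" switched on
    {"name": "all-in-one", "actions": {"Read", "Update"},
     "filter": "QmcSection_App, QmcSection_ReloadTask, QmcSection_Task, "
               "QmcSection_App.Object,QmcSection_Stream,QmcSection_User,App_*, "
               "ReloadTask_*,App.Object_*,Stream_*,User_*"},
]
WRITE_ACTIONS = {"Create", "Update", "Delete"}
ALLOWED_WRITES = {("App_*", "Update")}  # the only write grant the final layout uses


def patterns(rule):
    """Split a resource filter into its individual patterns."""
    return [p.strip() for p in rule["filter"].split(",") if p.strip()]


def grants(rules, action, resource):
    """True if any rule gives `action` on a resource name matching one of its patterns."""
    return any(action in r["actions"] and fnmatchcase(resource, p)
               for r in rules for p in patterns(r))


def lint(rules):
    """Return findings where the rule set exceeds the reload-without-edit intent."""
    findings = [f"{r['name']}: {a} on {p} goes beyond the thread's layout"
                for r in rules for p in patterns(r)
                for a in sorted(r["actions"] & WRITE_ACTIONS)
                if (p, a) not in ALLOWED_WRITES]
    # The thread relies on the Apps section staying hidden while App_* has Update.
    if grants(rules, "Update", "App_sample-id") and grants(rules, "Read", "QmcSection_App"):
        findings.append("App Update plus QmcSection_App: Apps section must stay hidden")
    return findings


if __name__ == "__main__":
    for label, rules in (("final", FINAL_RULES), ("first attempt", FIRST_ATTEMPT)):
        print(label, lint(rules) or "OK")
```

Running the same check again after adding further QMC sections to a rule shows whether the new grant reintroduces edit rights.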