Qlik Community

Security & Governance

Discussion board where members can learn more about Qlik Sense deployments which are governed and self-service.

Announcements
Now Live: Qlik Sense SaaS Simplified Authoring – Analytics Creation for Everyone: READ DETAILS
cancel
Showing results for 
Search instead for 
Did you mean: 
Martin22
Partner - Contributor III
Partner - Contributor III

Stream Security Rule

Hi there,

I am trying to implement something on Qlik Sense to help users, but I haven't find a solution yet : the goal is to create a stream where users can edit apps almost the same way they could in their personal work spaces.

I know that they are supposed to do so in their personal work spaces, and that there will always be things you can't do in published apps, but the objective here is to create a stream allowing multiple users to work (and back-up each other) on the same apps : they must be able to directly create and edit sheets, without the need to get the sheets approved by an admin.

I have read multiple posts on the subject, but I didn't find an exact answer to what I need :

I succeeded in allowing users to edit the apps by creating a security rule with the App_Objects (and create, read, update, publish, delete selected), but as a result I can edit the apps everywhere, and I would like to restrict this to only one stream.

Adding conditions such as : (resource.resourcetype = "Stream" and resource.name = "StreamName") doesn't work.

Can you please tell me what I'm missing ?

Regards,

Martin.

Labels (1)
1 Solution

Accepted Solutions
Martin22
Partner - Contributor III
Partner - Contributor III
Author

Hi,

It's finally working.

In the end, I had to create two rules :

-First rule with Stream_Id as resource filter, Read Update and Publish as selected, and user.role=AdminRole as condition (I switched name for role, to make it easier to manage users).

-I then created a second rule with both Stream_Id and App.Object_* as resource filters, Read Update and Publish as selected, and ((resource.App.stream.name="StreamName")) as condition.

The reason the test user couldn't see any sheets was because the security rule Stream had been disabled.

Regards,

Martin.

View solution in original post

6 Replies
rohitk1609
Master
Master

You should create three rules 

Stream, apps and app objects template and then try.

Update is the action you need for sure but please check Update won't enable any other object edit way.

You can try to use custom properties to simplyfy your rules

 

resource.resourcetype = "Stream"  rule won't affect on HUB. You have to deal with Apps objects rule with stream name. 

 

Regards,
Rohit

 

Sivapriya_d
Creator
Creator

you can try creating one rule for Stream and one for Appobjects.
Stream Security Rule
In the resource filter you can give Stream_<StreamID>
For Appobject rule , In condition you can mention something like 
resource.App.stream.name = "StreamName"

Martin22
Partner - Contributor III
Partner - Contributor III
Author

Hi,

Thx for the replies, here is what I did :

-I created a first rule with Stream_Id as resource filter, Read Update and Publish as selected, and user.name=UserName as condition.

-I then created a second rule with App.Object_* as resource filter, Read Update and Publish as selected, and ((resource.App.stream.name="StreamName")) as condition.

I got what I wanted on the SharedWorkStream, my test user can create and edit sheets in the apps.

However, in the other streams, where users should only be able to read apps, the test user can't see the sheets in the apps anymore. The test user is also able to create and edit new sheets in these apps, where he shouldn't be able to.

I guess I'm still missing a part in my rules, do I need to create a new rule limiting to "read" for apps outside of the ShareWorkStream, or should I edit the two rules with something else ?

Regards,

Martin.

Sivapriya_d
Creator
Creator

Did you check the associated security rules for the other streams? 

Martin22
Partner - Contributor III
Partner - Contributor III
Author

Yes, there is nothing special on the other stream : the default rules (OwnerPublishDuplicate, SecurityAdmin, ContentAdmin), and a "read" rule I put for my test user.

Regards,

Martin.

Martin22
Partner - Contributor III
Partner - Contributor III
Author

Hi,

It's finally working.

In the end, I had to create two rules :

-First rule with Stream_Id as resource filter, Read Update and Publish as selected, and user.role=AdminRole as condition (I switched name for role, to make it easier to manage users).

-I then created a second rule with both Stream_Id and App.Object_* as resource filters, Read Update and Publish as selected, and ((resource.App.stream.name="StreamName")) as condition.

The reason the test user couldn't see any sheets was because the security rule Stream had been disabled.

Regards,

Martin.