Skip to main content
Announcements
Join us at Qlik Connect for 3 magical days of learning, networking,and inspiration! REGISTER TODAY and save!
Katie_Davis
Digital Support
Digital Support

The Access Evaluator is a comprehensive dashboard to analyze user roles, access, and permissions across a Qlik Sense tenant.

Introducing our fourth monitoring app for Qlik Cloud, the Access Evaluator! The Access Evaluator is a comprehensive dashboard to analyze user roles, access, and permissions across a Qlik Sense tenant. As a Qlik Cloud tenant becomes densely populated with spaces, apps, users, and groups, it is crucial to be able to quickly answer questions such as:

  • “What users and groups have access to space <X>?” 
  • “What users and groups have access to app <X>?”
  • “How does a user have access to app <X>; via direct assignment, group, or app share?”
  • “Are there redundancies in policies? E.g., do users have the same access to a space via a direct assignment as well as a group?”
  • “Who has what roles across the tenant?”

 

Katie_Davis_0-1657572847637.png

 

The Access Evaluator app provides insights on: 

  • User and group access to spaces
  • User, group, and share access to apps
  • User roles and associated role permissions
  • Group assignments to roles
  • And more! 

 

Katie_Davis_1-1657572955376.png

(Available Sheets)

The Access Evaluator uses Qlik’s RESTful APIs to fetch all the required data from the tenant.

Items to note: 

  • This app evaluates what a user and/or group has the potential to access, not what they have accessed. As such, it cannot be used to audit user activity. It simply evaluates the current access policies in the tenant.
  • This app is provided as-is and is not supported by Qlik Support.
  • It is recommended to always use the latest app.
  • Information is not collected by Qlik when using this app.

 

The app as well as the configuration guide are available via GitHub, linked below. 

 

Any issues or enhancement requests should be opened on the Issues page within the app’s GitHub repository.

Be sure to subscribe to the Qlik Support Updates Blog by clicking the green Subscribe button to stay up to date with the latest Qlik Support announcements. Please give this post a like if you found it helpful! 

 

Kind regards, 

Qlik Platform Architects

 

Additional Resources:

Our other monitoring apps for Qlik Cloud can be found below.

14 Comments
jpjust
Specialist
Specialist

 

Thanks Katie for this.

Do we have such an app for Qliksense enterprise version?

6,794 Views
Daniel_Pilla
Employee
Employee

Hi @jpjust ,

A version of this application is not available for Qlik Sense Enterprise Client-Managed as the audit rules matrix is an extraordinarily heavy call, and can have negative impacts on the repository if run at scale and without filtering. Meaning, if you have complex security rules with thousands of apps, dozens of streams, and thousands of users, evaluating the resolution of everything in the site can take a very long time and dramatically affect the performance of the site. The benefit of Qlik Sense Enterprise Client-Managed, though, is that an audit capability is built into the QMC in a controlled manner, where filtering is required before executing, as opposed to trying to resolve everything without any filtering. An application has been built, but it was decided that the impact was not worth the value that it brought, given that the built-in functionality solves most customer's needs. (my personal experience and findings)

 

I hope this helps-

Cheers,

6,624 Views
jpjust
Specialist
Specialist

Thanks Daniel for the detailed explanation. Really make sense.

Is it possible to get the application that has been built just to try out in an test environment?

Thanks

6,580 Views
agherbert4
Partner - Contributor III
Partner - Contributor III

@Daniel_Pilla An issue we run into with QMC in Qlik Sense Enterprise is that there is no functionality to export results from Audit (or the other screens) into Excel or csv. So there's no way to easily compare who has access (in QMC) vs. who has actually used the app (in Operations Monitor), which is really the question we're trying to answer much of the time.

6,537 Views
Levi_Turner
Employee
Employee

@agherbert4 : Getting audit data out of Qlik Sense Enterprise Client Managed is possible (but a bit tricky) via the QRS API layer. Here's an example PowerShell script built off of Qlik-Cli-Windows which will extract the needed data (this script will support auditing the read right):

# Script to audit user access to: apps, streams, and data connections
# The script will dump the extracts into the ArchivedLogs folder

################
## Parameters ##
################

# Assumes default credentials are used for the Qlik CLI Connection

# machine name
$computerName = '<machine-name>'
# leave empty if windows auth is on default VP
$virtualProxyPrefix = '/default'
# audit streams? $true or $false
$auditStreams = $true
# audit apps? $true or $false
$auditApps = $true
# audit data connections? $true or $false
$auditDataConnections = $true

################
##### Main #####
################

# set the computer name for the Qlik connection call
$computerNameFull = ($computerName + $virtualProxyPrefix).ToString()

# connect to Qlik
Connect-Qlik -ComputerName $computerNameFull -UseDefaultCredentials -TrustAllCerts

# Get the Archived Logs folder
$rootFolder = (Get-QlikServiceCluster -full).settings.sharedPersistenceProperties.archivedLogsRootFolder

# Check for the store folder, create if needed
$storeDir = $rootFolder + '\qs-security-audit-csv'
if (!(Test-Path $storeDir)){
    Set-Location $rootFolder
    New-Item -path $storeDir -type directory | Out-Null
}

if ($auditStreams -eq $true){
    $streamAuditBody = '{"resourceType":"Stream","resourceRef":{},"subjectRef":{"resourceFilter":""},"actions":2,"environmentAttributes":"context=AppAccess;","subjectProperties":["id","name","userId","userDirectory"],"auditLimit":100000,"outputObjectsPrivileges":4,"resourceProperties":["name"]}'
    $streamAudit = Invoke-QlikPost -path /qrs/systemrule/security/audit/matrix -body $streamAuditBody
    $streamAudit.matrix | Export-Csv -path "$($rootFolder)\qs-security-audit-csv\streamsAudit.csv" -NoTypeInformation
    $streams = Get-QlikStream
    $streams | Export-Csv -path "$($rootFolder)\qs-security-audit-csv\streams.csv" -NoTypeInformation
}


if ($auditApps-eq $true){
    $appAuditBody = '{"resourceType":"App","resourceRef":{},"subjectRef":{"resourceFilter":""},"actions":2,"environmentAttributes":"context=AppAccess;","subjectProperties":["id","name","userId","userDirectory"],"auditLimit":100000,"outputObjectsPrivileges":4,"resourceProperties":["name"]}'
    $appAudit = Invoke-QlikPost -path /qrs/systemrule/security/audit/matrix -body $appAuditBody
    $appAudit.matrix | Export-Csv -path "$($rootFolder)\qs-security-audit-csv\appsAudit.csv" -NoTypeInformation
    $apps = Get-QlikApp
    $apps | Export-Csv -path "$($rootFolder)\qs-security-audit-csv\apps.csv" -NoTypeInformation
}

if ($auditDataConnections-eq $true){
    $dataConnectionAuditBody = '{"resourceType":"DataConnection","resourceRef":{},"subjectRef":{"resourceFilter":""},"actions":2,"environmentAttributes":"context=AppAccess;","subjectProperties":["id","name","userId","userDirectory"],"auditLimit":100000,"outputObjectsPrivileges":4,"resourceProperties":["name"]}'
    $dataConnectionAudit = Invoke-QlikPost -path /qrs/systemrule/security/audit/matrix -body $dataConnectionAuditBody
    $dataConnectionAudit.matrix | Export-Csv -path "$($rootFolder)\qs-security-audit-csv\dataConnectionsAudit.csv" -NoTypeInformation
    $dataConnections = Get-QlikDataConnection
    $dataConnections | Export-Csv -path "$($rootFolder)\qs-security-audit-csv\dataConnections.csv" -NoTypeInformation
}

$user = Get-QlikUser
$user | Export-Csv -path "$($rootFolder)\qs-security-audit-csv\users.csv" -NoTypeInformation

 

This should accomplish the job but it's been ages since I've dug in at this layer. From the resulting CSVs, here's a simple load script to visualize the results:

[apps]:
LOAD
    id AS app_id,
    name AS app_name,
    IF(Len(stream)<1, 'Unpublished',TextBetween(stream, 'id=',';')) AS app_stream_id
FROM [lib://ArchivedLogsFolder/qs-security-audit-csv/apps.csv]
(txt, codepage is 28591, embedded labels, delimiter is ',', msq);

LEFT JOIN([apps])
LOAD
    id AS app_stream_id,
    name AS app_stream_name
FROM [lib://ArchivedLogsFolder/qs-security-audit-csv/streams.csv]
(txt, codepage is 28591, embedded labels, delimiter is ',', msq);

[app_audit]:
LOAD
    subjectId AS user_id,
    resourceId AS app_id,
    IF(audit='@{access=2}','Read',null()) AS [app_access]
FROM [lib://ArchivedLogsFolder/qs-security-audit-csv/appsAudit.csv]
(txt, codepage is 28591, embedded labels, delimiter is ',', msq);

[users]:
LOAD
    name AS user_name,
    userDirectory AS user_directory,
    "userId" AS user_userid,
    id AS user_id
FROM [lib://ArchivedLogsFolder/qs-security-audit-csv/users.csv]
(txt, codepage is 28591, embedded labels, delimiter is ',', msq);

[data_connections]:
LOAD
    id AS dataconnection_id,
    name AS dataconnection_name
FROM [lib://ArchivedLogsFolder/qs-security-audit-csv/dataConnections.csv]
(txt, codepage is 28591, embedded labels, delimiter is ',', msq);

[data_connection_audit]:
LOAD
    subjectId AS user_id,
    resourceId AS dataconnection_id,
    IF(audit='@{access=2}','Read',null()) AS [data_connection_access]
FROM [lib://ArchivedLogsFolder/qs-security-audit-csv/dataConnectionsAudit.csv]
(txt, codepage is 28591, embedded labels, delimiter is ',', msq);

[streams]:
LOAD
    id AS stream_id,
    name AS stream_name
FROM [lib://ArchivedLogsFolder/qs-security-audit-csv/streams.csv]
(txt, codepage is 28591, embedded labels, delimiter is ',', msq);

[stream_audit]:
LOAD
    subjectId AS user_id,
    resourceId AS stream_id,
    IF(audit='@{access=2}','Read',null()) AS [stream_access]
FROM [lib://ArchivedLogsFolder/qs-security-audit-csv/streamsAudit.csv]
(txt, codepage is 28591, embedded labels, delimiter is ',', msq);

 

(yes this could be modeled quite a bit better but I don't have cycles to write out a clean model at the moment).

Hope that helps

6,472 Views
Daniel_Pilla
Employee
Employee

@agherbert4 If you need to export the data, I suggest using @Levi_Turner 's approach which uses the same REST call as the app did to fetch that information.  If you want to alter the audits to make them more specific, you can alter the appAuditBody payload (he also included the ability to audit data connections and streams as well). A simple way to do this is to build the audit that you would like to export in the QMC and trace the payload. You can then take that payload and inject it into the PowerShell script. Be aware of the "auditLimit" parameter as well which could truncate the results.

audit trace.png

6,449 Views
Sorin39
Contributor II
Contributor II

Hello, 

Is the link broken, I cannot download the app. 🙂

Thx,

Sorin 

5,424 Views
Daniel_Pilla
Employee
Employee

Hi @Sorin39  - I just tried the links to the Access Evaluator and the Install Guide, and both downloaded just fine. Have you tried again today?

 

links.png

5,342 Views
Sorin39
Contributor II
Contributor II

hey, they work fine 🙂 was in issue from Chrome.

Thx,

Sorin

5,315 Views
SFJake84
Partner - Contributor
Partner - Contributor
4,952 Views