12 Replies. Latest reply: Feb 8, 2017 10:36 AM by Sean Smith

    Security Access to Specific App Objects

    Donish Nasim

      Hello,

      I am currently exploring the security rule section of the QMC, and I am having trouble with App Object Access Rules. I was curious as to:

      1) Whether it is possible to create a rule allowing access to a specific sheet or bookmark? If so, how can I identify that specific object in the advanced security rule?

      2) How do I create a Security Rule that states only people of a specific group can create Sheets? (Essentially the problem I have is how to refer to all sheets.)

      Thanks

        • Re: Security Access to Specific App Objects
          Jeffrey Goldberg

          Hi, so I can answer #2.

          There are two default rules in the QMC, CreateAppObjectsPublishedApp and CreateAppObjectsUnPublishedApp. These are your templates for what you want to do.

          Make copies of these rules and then you can go through playing around with access. Basically what you can do is add to the end of this rule: and user.%attribute% = "something", and it will limit creating sheets and other objects to users with that attribute name and value. If you want to limit it to just sheets, take out all of the resource.objectType entries except for the one referencing "sheet".

          For example, CreateAppObjectsPublishedApp has these conditions set: !resource.App.stream.Empty() and resource.App.HasPrivilege("read") and (resource.objectType = "userstate" or resource.objectType = "sheet" or resource.objectType = "story" or resource.objectType = "bookmark" or resource.objectType = "snapshot" or resource.objectType = "embeddedsnapshot" or resource.objectType = "hiddenbookmark") and !user.IsAnonymous()

          What this is saying is: if the stream is NOT empty AND the resource has read privileges AND the user is NOT anonymous, then give access to userstate, sheets, stories, bookmarks, snapshots, embedded snapshots, and hiddenbookmarks.

          What is missing here is the limitation to a particular user or group of users based on an attribute. Start by testing replacing !user.IsAnonymous() with user.%attribute% = "something", where %attribute% may be group and something may be executives.

          Reference to security rules with samples here: http://help.qlik.com/sense/en-US/online/#../Subsystems/ManagementConsole/Content/ServerUserGuide/SUG_ConfiguringSecurity_AccessRules_Examples.htm

          Here is another that answers your #2 question: http://help.qlik.com/sense/en-US/online/#../Subsystems/ManagementConsole/Content/ServerUserGuide/SUG_ConfiguringSecurity_Environment_AccessControl_UserRoles_Example1.htm

            • Re: Security Access to Specific App Objects
              Nirmal Anilet

              Hi,

              I have two different apps which have sheets with the same names, as below, and two users, say user1 and user2:

              App1-->SH1,SH2

              App2-->SH1,SH3

              Now I want to restrict user access at sheet level. So, user1 can access SH1 of App1 but not the SH1 of App2. Currently I am using the 2 rules below.

              Rule1:

              Resource Filter: App_App1,App_App2

              Condition: ((user.name="user1")) or ((user.name="user2"))

              Rule2:

              Resource Filter: App.Object_*

              Condition: ((user.name="user1") and (resource.name !="SH1")) or ((user.name="user2") and (resource.name !="SH2"))

              Using this condition, SH1 in both apps is hidden. But I want only the SH1 of App2 to be hidden. Kindly help.

                • Re: Security Access to Specific App Objects
                  Jeffrey Goldberg

                  Anilet, I think your issue is that you need to have rule 2 be more specific. So for the resource you would specify APP_%GUIDforApp2%,App.Object_*.

                  This sets the resource to only apply to that specific app and ALL app objects regardless of app. If you want to narrow the resource to a specific sheet, then find the GUID for that sheet and use App.Object_%GUIDforSH1%, where that is the GUID for sheet1 of app2.

                  As for your condition, it needs to specify the resource type along with the name, because resource.name!="SH1" does not tell the rules interpreter what type of object to look for with that resource name.

                  Consider this condition (specifically the bold part):

                  user.roles = "Stream1Admin" and ((resource.resourcetype="Stream" and resource.name="Stream 1") or (resource.resourcetype="App" and resource.stream.name="Stream 1") or (resource.resourcetype="App.Object" and resource.objectType="sheet" and resource.app.stream.name="Stream 1") or (resource.resourcetype="ReloadTask" and resource.app.stream.name="Stream 1"))

                  I'd use the bold bit with the reference to the sheet name and see if that helps meet your goal.

                  jg

                    • Re: Security Access to Specific App Objects
                      Nirmal Anilet

                      Thank you Jeffrey.

                      For some reason the resource filter App.Object_%GUIDforSH1% isn't working and the rule is highlighted in red. So, I have changed Rule 2 as below and the results are coming as expected.

                      Resource Filter: App*

                      Condition: ((user.name="user1") and ((resource.app.name="App1") and (resource.name !="Sheet1")) or (resource.app.name="App2")) or
                      ((user.name="user1") and ((resource.app.name="App1") and (resource.name !="Sheet2")) or (resource.app.name="App2"))

                      Any simpler method would be greatly appreciated. And one more question: while auditing a resource, what does a pink color in a rule mean?

                      Regards,

                      Anilet

                  • Re: Security Access to Specific App Objects
                    omar bensalem

                    Hi Jeffrey,

                    I have a question. I have a stream in which I have 2 apps.

                    I have a user who can access that stream; now I want him to be able to see only one of the 2 applications that exist.

                    I should then create a security rule, but I haven't figured out yet how to create it. This is what I've done so far:

                    [Image attachment: Capture.PNG]

                    I should also mention that there is a security rule associated with the stream which permits this user full access to the stream (create, update, read etc.).
                    How would Qlik Sense interpret these 2 rules which are "in conflict"?
                    And is the rule I just made correct, or should I change it? If yes, how?
                    Thanks,

                    Omar

                      • Re: Security Access to Specific App Objects
                        Jeffrey Goldberg

                        Hi Omar,

                        I recommend watching this video: Qlik Sense Stream Management Security Rules and Exception Management

                        It goes through how to set up an app level visibility rule within a stream.

                        Cheers,

                        Jeff G

                          • Re: Security Access to Specific App Objects
                            omar bensalem

                            Hi Jeffrey,

                            Thanks for the reply, it was a great video!
                            I followed every step and all went well, BUT with the new customised security rules I can control which app is shown depending on the custom property, BUT when I open an application, it appears as if it is empty:

                            [Image attachment: Capture.PNG]

                            Here are the 2 security rules as configured by Marcus:

                            1) AppAccess:

                            (resource.resourcetype = "App" and resource.stream.HasPrivilege("read") and
                            resource.@AppLevelManagement.empty())
                            or ((resource.resourcetype = "App.Object" and resource.published ="true"
                            and resource.app.stream.HasPrivilege("read"))

                            2) AppAccessException:

                            resource.stream.HasPrivilege("read") and ((user.@AppLevelManagement=resource.@AppLevelManagement))

                            With those 2 rules, I can manage which user can view which app(s), but the apps are EMPTY.

                            Now if I go back to the original security rule which permits every user to see every app in the stream if they are authorized to view the stream (the rule is called Stream), I notice that there is a line like this:

                            resource.objectType != "app_appscript" and resource.objectType != "loadmodel"

                            I tried to change my new customised rule and add that line, but still the app is empty:

                            (resource.resourcetype = "App" and resource.stream.HasPrivilege("read") and
                            resource.@AppLevelManagement.empty())
                            or ((resource.resourcetype = "App.Object" and resource.published ="true"
                            and resource.objectType != "app_appscript" and resource.objectType != "loadmodel")
                            and resource.app.stream.HasPrivilege("read"))

                            I can't figure out what's happening, can you help please? Or tag Marcus to do so? Thanks!

                              • Re: Security Access to Specific App Objects
                                omar bensalem

                                I just added App.Object_* as a resource filter.

                                With only App_* as a resource filter, we can't see any sheet!

                                With App_*,App.Object_* or App* as a resource filter, we can see the sheets.

                                Originally, when we select 'app access' as a template for building our rule, the default resource filter is App_*.

                                With App_* as a resource filter, you won't be able to see the sheets.
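The two effects discussed in this thread (Nirmal's Rule 2 hiding SH1 in both apps until the sheet name is qualified by its app, and Omar's finding that a resource filter of App_* never reaches sheets) modelled as an added Python example; this is not code from the thread or from Qlik, and it assumes a simplified evaluator in which a rule grants access when its resource filter matches "<resourcetype>_<id>" and its condition is true, and rules only ever grant, never deny.

```python
import fnmatch
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

# Assumed model of QMC rule evaluation: a rule grants access when its resource
# filter matches "<resourcetype>_<id>" and its condition is true; rules only
# grant, never deny, so a resource is accessible if any rule matches.
@dataclass
class Resource:
    resourcetype: str                   # "App" or "App.Object"
    id: str                             # constructed placeholder ids, not real GUIDs
    name: str
    app: Optional["Resource"] = None    # owning app for an App.Object

@dataclass
class Rule:
    resource_filter: str                # e.g. "App_*", "App.Object_*", "App*"
    condition: Callable[[str, Resource], bool]

def filter_matches(resource_filter: str, res: Resource) -> bool:
    type_id = f"{res.resourcetype}_{res.id}"
    return any(fnmatch.fnmatchcase(type_id, p.strip())
               for p in resource_filter.split(","))

def has_access(rules: List[Rule], user: str, res: Resource) -> bool:
    return any(filter_matches(r.resource_filter, res) and r.condition(user, res)
               for r in rules)

# Constructed data matching the thread: App1 -> SH1, SH2 ; App2 -> SH1, SH3
APP1 = Resource("App", "app1-id", "App1")
APP2 = Resource("App", "app2-id", "App2")
SHEETS = [Resource("App.Object", "obj1", "SH1", APP1),
          Resource("App.Object", "obj2", "SH2", APP1),
          Resource("App.Object", "obj3", "SH1", APP2),
          Resource("App.Object", "obj4", "SH3", APP2)]

def visible_sheets(rules: List[Rule], user: str) -> Set[Tuple[str, str]]:
    return {(s.app.name, s.name) for s in SHEETS if has_access(rules, user, s)}

# Rule 2 as first posted: a name-only test hides SH1 in *both* apps for user1
RULE2_POSTED = Rule("App.Object_*", lambda u, r:
                    (u == "user1" and r.name != "SH1") or (u == "user2" and r.name != "SH2"))
# Same rule with the sheet name qualified by its owning app (Jeffrey's advice)
RULE2_FIXED = Rule("App.Object_*", lambda u, r:
                   (u == "user1" and not (r.app.name == "App2" and r.name == "SH1"))
                   or (u == "user2" and r.name != "SH2"))
# Omar's finding: "App_*" never matches App.Object resources, "App*" matches both
RULE_APP_ONLY = Rule("App_*", lambda u, r: True)
RULE_APP_STAR = Rule("App*", lambda u, r: True)
```

Calling visible_sheets([RULE2_POSTED], "user1") drops SH1 from both apps, visible_sheets([RULE2_FIXED], "user1") hides only App2's SH1, and visible_sheets([RULE_APP_ONLY], "user1") is empty because no App.Object ever matches the App_* filter.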