Hello,
I am currently exploring the security rule section of the QMC, and I am having trouble with App Object Access Rules. I was curious as to
1) Whether it is possible to create a rule allowing access to a specific sheet or bookmark? If so, how am I able to identify that specific object in the advanced security rule?
2) How do I create a Security Rule that states only people of a specific group can create Sheets? (Essentially, the problem I have is how to refer to all sheets.)
Thanks
Hi, so I can answer #2.
There are two default rules in the QMC, CreateAppObjectsPublishedApp and CreateAppObjectsUnPublishedApp. These are your templates for what you want to do.
Make copies of these rules and then you can go through playing around with access. Basically, what you can do is add to the end of this rule: and user.%attribute% = "something", and it will limit access to creating sheets and other objects to users with that attribute name and value. If you want to limit to just sheets, take out all of the resource.objectType entries except for the one referencing "sheet".
For example, CreateAppObjectsPublishedApp has conditions set: !resource.App.stream.Empty() and resource.App.HasPrivilege("read") and (resource.objectType = "userstate" or resource.objectType = "sheet" or resource.objectType = "story" or resource.objectType = "bookmark" or resource.objectType = "snapshot" or resource.objectType = "embeddedsnapshot" or resource.objectType = "hiddenbookmark") and !user.IsAnonymous()
What this is saying is: if the stream is NOT empty AND the resource has read privileges AND the user is NOT anonymous, then give access to userstate, sheets, stories, bookmarks, snapshots, embedded snapshots, and hiddenbookmarks.
What is missing here is the limitation to a particular user or group of users based on an attribute. Start by testing replacing !user.IsAnonymous() with user.%attribute% = "something", where %attribute% may be group and something may be executives.
Reference to security rules here with samples: http://help.qlik.com/sense/en-US/online/#../Subsystems/ManagementConsole/Content/ServerUserGuide/SUG...
Here is another that answers your #2 question: http://help.qlik.com/sense/en-US/online/#../Subsystems/ManagementConsole/Content/ServerUserGuide/SUG...
Hi,
I have two different apps which have sheets with same name like below, and two users say user1 and user2
App1-->SH1,SH2
App2-->SH1,SH3
Now I want to restrict the user access at sheet level. So, user1 can access SH1 of App1 but not the SH1 of App2. Currently I am using the below 2 rules:
Rule1:
Resource Filter: App_App1,App_App2
Condition: ((user.name="user1")) or ((user.name="user2"))
Rule2:
Resource Filter: App.Object_*
Condition: ((user.name="user1") and (resource.name !="SH1")) or
((user.name="user2") and (resource.name !="SH2"))
Using this condition, SH1 in both apps is hidden. But I want only the SH1 of App2 to be hidden. Kindly help.
Anilet, I think your issue is that you need to have rule 2 be more specific. So for the resource you would specify APP_%GUIDforApp2%,App.Object_*.
This sets the resource to only apply to that specific app and ALL app objects regardless of app. If you want to narrow the resource to a specific sheet, then find the GUID for that sheet and use App.Object_%GUIDforSH1%, where that is the GUID for sheet1 of app2.
As for your condition, your condition needs to specify the resource type along with the name, because resource.name!="SH1" does not indicate to the rules interpreter what type of object to look for with that resource name.
Consider this condition (specifically the bold part):
user.roles = "Stream1Admin" and ((resource.resourcetype="Stream" and resource.name="Stream 1") or (resource.resourcetype="App" and resource.stream.name="Stream 1") or (resource.resourcetype="App.Object" and resource.objectType="sheet" and resource.app.stream.name="Stream 1") or (resource.resourcetype="ReloadTask" and resource.app.stream.name="Stream 1"))
I'd use the bold bit with the reference to the sheet name and see if that helps meet your goal.
jg
Thank you Jeffrey.
For some reason the resource filter App.Object_%GUIDforSH1% isn't working and the rule is highlighted as red. So, I have changed Rule 2 as below and results are coming as expected.
Resource Filter: App*
Condition: ((user.name="user1") and ((resource.app.name="App1") and (resource.name !="Sheet1")) or (resource.app.name="App2")) or
((user.name="user1") and ((resource.app.name="App1") and (resource.name !="Sheet2")) or (resource.app.name="App2") )
Any other simpler method will be greatly appreciated. And one more question: while auditing a resource, what does a pink color in a rule mean?
Regards,
Anilet
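As an added illustration that is not part of the thread and not Qlik's own code: a small Python model of how a QMC security rule combines a resource filter with a condition, used to show two things discussed above. First, why Anilet's Rule2 as posted (resource.name != "SH1" with no app qualifier) hides SH1 in both App1 and App2, while a condition that also checks resource.app.name hides only App2's SH1. Second, from Jeffrey's first answer, what narrowing CreateAppObjectsPublishedApp to sheets plus a user attribute (user.group = "executives") looks like in evaluation. The User, AppObject and Rule classes, the allowed() function, the sample sheets and the sample users are all constructed for this example; the evaluation follows how the thread describes the rules, under the assumption that rules only grant (access is the union of all matching rules), and is not the behaviour of Qlik's actual rule engine.

```python
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class User:
    """Constructed stand-in for the rule engine's 'user' object."""
    name: str
    group: str = ""          # plays the role of user.%attribute% from the thread
    anonymous: bool = False  # models user.IsAnonymous()


@dataclass(frozen=True)
class AppObject:
    """Constructed stand-in for an 'App.Object' resource such as a sheet."""
    app_name: str
    name: str
    object_type: str = "sheet"
    stream_name: str = "Dashboard"   # "" models resource.App.stream.Empty()
    app_readable: bool = True        # models resource.App.HasPrivilege("read")


@dataclass(frozen=True)
class Rule:
    """One allow rule: the resource filter and the condition must both hold."""
    label: str
    resource_filter: Callable[[AppObject], bool]
    condition: Callable[[User, AppObject], bool]


def allowed(user: User, obj: AppObject, rules: List[Rule]) -> bool:
    # Assumption: rules only grant and never deny, so access is the union
    # of every rule whose filter matches the resource and whose condition holds.
    return any(r.resource_filter(obj) and r.condition(user, obj) for r in rules)


# --- Part 1: sheet visibility, the situation in Anilet's post -----------------
# Constructed sheets: App1 has SH1, SH2; App2 has SH1, SH3.
SHEETS = [AppObject("App1", "SH1"), AppObject("App1", "SH2"),
          AppObject("App2", "SH1"), AppObject("App2", "SH3")]

# Rule2 exactly as posted: resource filter App.Object_*, name-only condition.
RULE2_AS_POSTED = Rule(
    "Rule2 as posted",
    lambda o: True,
    lambda u, o: (u.name == "user1" and o.name != "SH1")
              or (u.name == "user2" and o.name != "SH2"))

# Same rule, but user1's exclusion is qualified with the owning app's name.
RULE2_APP_QUALIFIED = Rule(
    "Rule2 qualified by resource.app.name",
    lambda o: True,
    lambda u, o: (u.name == "user1" and not (o.app_name == "App2" and o.name == "SH1"))
              or (u.name == "user2" and o.name != "SH2"))


def visible_sheets(user: User, rules: List[Rule]) -> List[str]:
    """Return the 'App/Sheet' pairs the user can read under the given rules."""
    return sorted(f"{o.app_name}/{o.name}" for o in SHEETS if allowed(user, o, rules))


# --- Part 2: who may create objects, the CreateAppObjectsPublishedApp variants -
CREATE_TYPES = {"userstate", "sheet", "story", "bookmark",
                "snapshot", "embeddedsnapshot", "hiddenbookmark"}


def create_rule_default(u: User, o: AppObject) -> bool:
    """The default published-app condition as quoted in the thread."""
    return (o.stream_name != "" and o.app_readable
            and o.object_type in CREATE_TYPES and not u.anonymous)


def create_rule_executives_sheets_only(u: User, o: AppObject) -> bool:
    """The same condition narrowed to sheets and to user.group = "executives"."""
    return (o.stream_name != "" and o.app_readable
            and o.object_type == "sheet" and u.group == "executives")


def can_create(user: User, obj: AppObject,
               condition: Callable[[User, AppObject], bool]) -> bool:
    """Evaluate a single create rule (filter App.Object_*) for user and object."""
    return allowed(user, obj, [Rule("create", lambda o: True, condition)])


if __name__ == "__main__":
    for rule in (RULE2_AS_POSTED, RULE2_APP_QUALIFIED):
        print(rule.label, "-> user1 sees", visible_sheets(User("user1"), [rule]))
    new_sheet = AppObject("App1", "new sheet", "sheet")
    print("anyone logged in, default rule:",
          can_create(User("bob"), new_sheet, create_rule_default))
    print("non-executive, narrowed rule:",
          can_create(User("bob"), new_sheet, create_rule_executives_sheets_only))
    print("executive, narrowed rule:",
          can_create(User("ann", group="executives"), new_sheet,
                     create_rule_executives_sheets_only))
```

The model makes the thread's two pitfalls visible without touching a live QMC: a condition keyed on resource.name alone applies to every app the resource filter covers, and a create rule that only drops !user.IsAnonymous() without adding an attribute check still lets every authenticated user create objects.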
Hi,
I tried with the above rule but I am not getting the expected result. I want to hide the sheet for a specific user.
Just want to know whether these rules are applicable on published or unpublished apps?
Regards,
Tanvi Madan
Hi All,
I have created a role called USERGROUP and I want to give access to specific apps based on the department (finance, sales, etc.).
For example: I have a stream called Dashboard in which I have around 20 applications. I want to provide access to only 5 apps (App05, App07, App10, App02, App30) for the role which I created (USERGROUP). Please assist me with how to create rules for this scenario.
Simply, I want to manage all the things at the role level and I will assign the roles to users based on the department.
Please assist me to achieve this.
Thanks!
Hi anilet123,
Did you disable any default rule before creating these rules?
Hi Jeffrey,
I have a question, I have a stream in which I have 2 apps.
I have a user who can access that stream; now I want him to just be able to see only one application of the 2 that exist.
I should then create a security rule, but I haven't figured out yet how to create it. This is what I've done so far:
I should also mention that there is a security rule associated with the stream which permits this user full access to the stream (create, update, read, etc.).
How would Qlik Sense interpret these 2 rules which are "in conflict"?
And is the rule I just made correct, or should I change it? If yes, how?
Thanks,
Omar,
Hi Omar,
I recommend watching this video: Video Link: 3762
It goes through how to set up an app level visibility rule within a stream.
Cheers,
Jeff G