0 Replies Latest reply: Aug 14, 2015 10:43 AM by Sean Smith RSS

    Security Bug with User Types?

    Sean Smith

      Has anyone experienced this?  I believe it to be a bug.

       

      In the help file it describes how to create user types and then apply security rules to them.  For Example, I created one called developer and this type was the only one I allowed to create an Application, (I disabled the default create app rule and created a new one).  I allocated 1 token to the user I assigned this type.  I have a stream called, Sales, (I assigned 1 Token to this stream), I set the security on the stream to only Read and assigned the AD Group called Sales to it.  In the Sales AD group is a user called, User, and they do not have a Token assigned to them but since the Stream Sales has one assigned, this user will be able to access the stream.  However, this user was not assigned a User Type and once in the stream they should not be able to see the My Work area or be able to create an app but they can.  Qlik is allowing them full access.  Now, if I modify the security rule to exclude user without a type, i.e. ((user.@UserTypes!="")) it will not wok in conjunction with including the user type developer, ie ((user.@UserTypes="Developer")). Even if I use the AND condition or the OR condition is fails to render the desired results.

       

      I would have expected Sense to not allow the user without a user type to be able to create an app since I originally built the rule that user type developers are the only users who can (outside of Admins).

       

      Any thoughts or experience with this?  Am I missing something?

       

      Kind Regards,

      Sean