That should be possible in both by creating custom security rules for those action - resource type combinations. See the online help for more information: http://help.qlik.com/sense/2.0/en-US/online/#../Subsystems/ManagementConsole/Content/security-rules-overview.htm%3FTocPa…
Hi Vladimir, I'm not an expert in sense security yet but take care with already active rules.
In example there is a rule CreateAppObjectsPublishedApp wich gives permission to create sheets to all user that can read the app.
You should disable or make more restrictive this rule in example adding a custom property or admin role to users and adding this restriction to the rule: and (user.@role="Admin")
This way the rule only applies if the user has its custom property "role" with the value "Admin"
Again, I'm not an expert in this, still learning.
Thank you for reply. Have tried it, but this option does not seems to work.
Here is the code:
!resource.App.stream.Empty() and resource.App.HasPrivilege("read") and (resource.objectType = "userstate" or resource.objectType = "sheet" or resource.objectType = "story" or resource.objectType = "bookmark" or resource.objectType = "snapshot" or resource.objectType = "embeddedsnapshot" or resource.objectType = "hiddenbookmark") and (user.@role="RootAdmin" or user.@role="ContentAdmin")
And the "Create New Sheet" option is still available on published stream...
I've cleared the Browser History and Cookies, just to make sure, but still no changes...
hey do you speak in Russian?
I recently solved a similar question now find examples of its safety regulations.
Я уверен что проблема в том что не отключено правило безопасности по умолчанию отвечающее за создание новых приложений.Называется "CreateApp" его необходимо для начала выключить, а потом создать свое правило определяющее группу пользователей которые могут создавать приложения.
вот пример взял из хелпа
resorce filter App_*,FileReference_*
condition ((user.@Usertype="Developer")) and !user.IsAnonymous()
only in hub
Action : create
Если есть какие то еще вопросы по правилам безопасности пишите, это моя любимая тема для исследований.
Еще как говорю!
Разбираться с новым продуктом без Русского мата иногда тяжело...
Будет хоть с кем поделится...
I did exactly that, have created custom rules, disabling "standard" ones (based on https://help.qlik.com/sense/1.1/en-US/online/Subsystems/ManagementConsole/Content/ServerUserGuide/SUG_ConfiguringSecurit… info).
But still having few issues, primarily in handling consequences of these new rules activation. I will try to submit the list of issue a later today.
Спасибо, надеюсь на Ваши советы:
Few initial questions (seems to be related to Ruben's post, so I am keeping them here):
1. Why do we need a Custom security rule if we do have "default" one (CreateAppObjectsPublishedApp):
It contains the condition for resource.objectType = "sheet", and is seems to allow it's creation for (user.@role="RootAdmin" or user.@role="ContentAdmin") only.
Did not work in my case. All users, who were not set as Admins were able to create a new sheet and other objects
2. I've created my custom rule in order to restrict users from creating the new sheet in the specific stream of Published apps only using the following:
App_*, App.stream.name="Brand #1".
I've left the [App_*] there initially.
Does this mean that it applies to all Apps and ignores Apps located in "Brand #1" stream? It looks like it based on my testing...
1. Order of rules execution: How QS is handling "similar" rules - applicable to the same resource, for example? Is it executing the system rules first and custom later?
Or they are excluding each other. Just trying to understand why we need to disable a "default" rule when we are creating a custom one?
Appreciate your help. Looking forward to your reply.
I've found this article on QS help site ():
A bit complicated approach, but seems to work for my case.
Thank you for suggestions!