0 Replies Latest reply: Oct 5, 2016 9:28 AM by Erik Gustafsson RSS

    Full access only on specific streams for developers

    Erik Gustafsson



      I want to be able to have a "Publish Admin" role, where the developers can only publish new versions of apps they are allowed to develop on. There are other apps which they can see, but shouldn't be able to duplicate. Any idea how to do this?


      User: .\test1

      Streams: Newstream, Secondstream

      Read, Publish-rights on both streams.


      First a custom property:

      Name: CanPublish

      Resource types: Users, Streams

      Values: [e.g.stream name - doesn't have to be identical to the actual stream name, as long as the value is identical on user and stream], ex. Newss


      We add this custom property on:

      User: ”test1” with value ”Newss”

      Stream: ”NewStream” with value ”Newss”


      Two rules is needed:

      One for what you can see in the QMC

      Name: _LocalAdmin QMC

      Resource filter: QmcSection_App

      Actions: Read

      Conditions: user.roles="LocalAdmin"

      Context: Only in QMC


      One for what you should be able to do with the apps:

      Name: _LocalAdmin apps

      Resource filter: Stream_*,App_*,App.Object_*,Tag_*

      Actions: all

      Conditions: user.roles="LocalAdmin" and  (

      (resource.resourcetype="App" or resource.resourcetype="App.Object" or resource.resourcetype="Stream" or resource.resourcetype="Tag") and

      (resource.stream.@CanPublish=user.@CanPublish or resource.app.stream.@CanPublish=user.@CanPublish ) or

      (resource.IsOwned()  and resource.owner = user)


      Context: Only in QMC


      First question:

      The result is that users can duplicate all apps he can see, and he can replace all apps in streams where both he and the stream has the same custom property value on "CanPublish" (see attached yes.png). How can I deny him access on "SecondStream" (see attached no.png) ?

      Without the (resource.IsOwned()  and resource.owner = user) the user can't duplicate his own apps, nor duplicate or replace apps that are present in the streams he should be "LocalAdmin" to.



      Second question:

      With these added conditions (+ QMC sections rules), he can add tasks under the QMC sections, but for some reason the "Create new reload task" under the Apps section of QMC is grayed out. Any idea how to allow this directly under Apps section of QMC?


      Resource filter: Stream_*,App_*,App.Object_*,Tag_*, ReloadTask_*,SchemaEvent_*,CompositeEvent_*

      Actions: all

      Conditions: user.roles="LocalAdmin" and (

      (resource.resourcetype="App" or resource.resourcetype="App.Object" or resource.resourcetype="Stream" or resource.resourcetype="ReloadTask" or resource.resourcetype="SchemaEvent" or resource.resourcetype="CompositeEvent" or resource.resourcetype="Tag")  and

      (resource.stream.@CanPublish=user.@CanPublish or resource.app.stream.@CanPublish=user.@CanPublish) or

      (resource.IsOwned()  and resource.owner = user)


      Context: Only in QMC