27 Replies Latest reply: Mar 1, 2017 4:01 PM by Aehman K

    help in security rule

    Ali Hijazi

      Hello

      I'm working on Qlik Sense 3.2

      I need to accomplish the following:

      I need to enable the Edit button on top right for only the users who got a specific value of a custom property

       

      please advise

        • Re: help in security rule
          omar bensalem

          Try this;

           

          There is a security rule called CreateAppObjectsPublishedApp

           

          disable it and create a new one; UDR_EditApp : (UDR stands for User defined rule)

          resource filter : App Object_*

          basic: for the users with a specific custom property

            • Re: help in security rule
              Ali Hijazi

              thank you for your prompt reply

              just a question on resource filter what does it stand for

              I'm new to Qlik sense

                • Re: help in security rule
                  omar bensalem

                  That means what you want your new rule to work on; in our case, we want to apply a security rule on the app objects.

                   

                  you can find a link in each security rule editing interface that will guide you to help on resource filters

                  just click on the "?" icon you'll find somewhere at the bottom of the rule

                   

                  The rule worked?

                    • Re: help in security rule
                      Ali Hijazi

                      App Object_* or App.Object_*


                      • Re: help in security rule
                        Ali Hijazi

                        please help in the syntax
                        i'm unable to continue!!

                        security_rule.png

                          • Re: help in security rule
                            omar bensalem

                            First, have you disabled the security rule CreateAppObjectsPublishedApp?

                             

                            Once done,

                            -choose create rule from template (first line) and choose app access.

                            -Check create

                            user : @brims_users...

                            value : yes? depends on what you want? click on the blank in front of value, it will show you the existing values; hope that helps

                            • Re: help in security rule
                              Aehman K

                              I gave access to 3 sheets for this user, you can add more than 1 though and you can uncheck publish in Actions and just read option checked.

                              In Template, select Create App Object Access

                              In resource Filter Select App.Object_*

                              Capture.PNG

                                • Re: help in security rule
                                  Ali Hijazi

                                  this is not what I want
                                  I want to enable the EDIT button only for users who got the value YES for a custom property called users_can_edit_content

                                    • Re: help in security rule
                                      Aehman K

                                      Stream Level Access

                                      ((user.name="YOURUSERNAME" and resource.@users_can_edit_content="YES" ))


                                      And check Create, Publish and Update

                                        • Re: help in security rule
                                          Ali Hijazi

                                          why do I have to select stream level access?

                                          is the Edit button related to stream level access?

                                          what do you mean by resource in this "script";

                                          users are already assigned another custom property to access the stream that have the same custom property brims_access_type

                                           

                                          let's forget about it

                                          I quit

                                          these security rules are hell

                                            • Re: help in security rule
                                              Aehman K

                                              You want a user able to EDIT the app in hub without duplicating it and also publish it?


                                              What do you actually want? Please break it down with bullet points... Will try to help you more on this.

                                              Want stream level or app level or sheet level?

                                              What Custom property and value you have?

                                              You doing individual user or adding users to group?

                                                • Re: help in security rule
                                                  Ali Hijazi

                                                  I have a published app

                                                  by default users can Edit a sheet ; Duplicate the sheet

                                                  I want this option to be available for ONLY users who got a custom property value YES

                                                  let's say the custom property is called user_can_edit_content

                                                  if I give the user this custom property value then enable the EDIT button

                                                  otherwise disable it

                                                    • Re: help in security rule
                                                      Aehman K

                                                      thank you, that's much easier to understand...
                                                      I'll see what I can do for your scenario and update it here.

                                                      • Re: help in security rule
                                                        Aehman K

                                                        So I've found answer to your question, after a long struggle...

                                                         

                                                        1. Disable 'CreateAppObjectsPublishedApp' in security rule (which will disable Create for all users)

                                                        2. Create a New Security rule as following Image

                                                        Edit Enable for stream.PNG

                                                         

                                                        When you Disable 'CreateAppObjectsPublishedApp' and 'Default Stream_*', other users will lose access to their apps and you'd need to create new rules for all other users/groups.

                                                        It worked for me and it should work for you if you follow the above steps.

                                                          • Re: help in security rule
                                                            Ali Hijazi

                                                            I really appreciate your research

                                                            But may you please explain to me what you have here

                                                            What is the purpose of edit stream custom property?

                                                            And what security rules should be added to avoid other users lose access to their apps

                                                             

                                                            As I told you before these security rules are so complicated

                                                              • Re: help in security rule
                                                                Aehman K

                                                                Edit Stream is just a random name I gave to my Custom property for my stream and users and Edit is Custom property for my Apps and Users.

                                                                 

                                                                In your case it can be

                                                                User = user_can_edit_content

                                                                Value = Yes and check create mark and try what it does?

                                                                Disabling the default App_ rule will disable apps to other users. First try without disabling default App  stream and just disable CreateAppObjectsPublishedApp security rule.



                                                                Disable Edit button in Qlik Sense

                                                                More on the above link


                                                                  • Re: help in security rule
                                                                    Ali Hijazi

                                                                    same here

                                                                    I disabled the CreateAppObjectsPublishedApp

                                                                     

                                                                    I created a security rule as above and ALL USERS can edit and duplicate sheets

                                                                     

                                                                    SECURITY RULES ARE SO COMPLICATED

                                                                    We had a client who switched to QlikView because of these security rules that we couldn't fulfill

                                                                    Why in the hell sake Qlik doesn't put an option (check box) User can edit ??

                                                                     

                                                                    I hate these security rules they are making my life like hell

                                                                     

                                                                    BTW create a rule on Streams and put True in the advanced editor and all users will see everything

                                                                      • Re: help in security rule
                                                                        Aehman K

                                                                        Ali, please check my reply below to Omar.

                                                                        Hope this time you can create the rule, thanks.

                                                                          • Re: help in security rule
                                                                            Ali Hijazi

                                                                            Hello Aehman

                                                                            thank you for not giving up!!

                                                                            I finally was able to accomplish this by doing the following; and I think it is similar to what you did

                                                                            • I disabled the default Stream security rule; at this stage users can't see any stream
                                                                            • I created a custom property called Users_Access_Type which took several values depending on the streams that were available; the scope of this custom property is Stream, and User
                                                                            • Now each user who wants to access or see a specific stream then I gave that user the same value of the custom property as the stream to be accessed
                                                                            • at this stage users can see the streams in the hub but cannot see any app inside
                                                                            • I created another custom property and called it User_Access_To_Apps and as above I gave each app a value from this custom property and each user should have the same value as the app to be able to see it
                                                                            • and the same is applied for the sheets
                                                                            • finally I modified CreateAppObjectsPublishedApp and added the following conditions in the advanced editor: user.@brims_users_can_edit_content="Yes" and user.@brims_access_type=resource.app.@brims_access_type

                                                                            and finally it works

                                                                             

                                                                            but don't tell me security rules are straightforward
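
Added example, not part of any post in this thread and not Qlik code: a simplified Python model of how enabled rules combine for one action, assuming rules are purely additive (an action is allowed when any enabled rule's condition is true, and no rule can deny). The property names and the condition come from the post above; the users, the "Finance"/"Sales" values, the UDR_EditApp rule body and the treatment of missing properties are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable

# Object types listed in the rule expression quoted in this thread.
OBJECT_TYPES = {"userstate", "sheet", "story", "bookmark", "snapshot",
                "embeddedsnapshot", "hiddenbookmark"}

@dataclass
class User:
    name: str
    props: dict              # custom properties, i.e. user.@<name>

@dataclass
class AppObject:
    object_type: str         # resource.objectType
    app_props: dict          # custom properties of the owning app
    published: bool = True   # stands in for !resource.App.stream.Empty()

@dataclass
class Rule:
    name: str
    actions: frozenset
    condition: Callable[[User, AppObject], bool]
    enabled: bool = True

def default_condition(user, obj):
    # Model of the stock condition; HasPrivilege("read") is assumed true.
    return obj.published and obj.object_type in OBJECT_TYPES

def restricted_condition(user, obj):
    # Stock condition plus the two clauses added in the advanced editor.
    # Assumption: a property that is not set never matches.
    access = user.props.get("brims_access_type")
    return (default_condition(user, obj)
            and user.props.get("brims_users_can_edit_content") == "Yes"
            and access is not None
            and access == obj.app_props.get("brims_access_type"))

def granting_rules(rules, user, obj, action):
    """Names of enabled rules that grant `action`; an empty list means denied."""
    return [r.name for r in rules
            if r.enabled and action in r.actions and r.condition(user, obj)]

CREATE = frozenset({"create"})

# Constructed sample data.
SHEET = AppObject("sheet", {"brims_access_type": "Finance"})
EDITOR = User("editor", {"brims_users_can_edit_content": "Yes",
                         "brims_access_type": "Finance"})
VIEWER = User("viewer", {"brims_access_type": "Finance"})
OUTSIDER = User("outsider", {"brims_users_can_edit_content": "Yes",
                             "brims_access_type": "Sales"})

# 1. A restrictive rule added while the stock rule is still enabled.
ADDED_ON_TOP = [Rule("CreateAppObjectsPublishedApp", CREATE, default_condition),
                Rule("UDR_EditApp", CREATE, restricted_condition)]
# 2. Stock rule disabled, custom rule is the only grant.
DEFAULT_DISABLED = [Rule("CreateAppObjectsPublishedApp", CREATE,
                         default_condition, enabled=False),
                    Rule("UDR_EditApp", CREATE, restricted_condition)]
# 3. Stock rule edited in place, as in the post above.
DEFAULT_MODIFIED = [Rule("CreateAppObjectsPublishedApp", CREATE,
                         restricted_condition)]

if __name__ == "__main__":
    for label, rules in [("added on top", ADDED_ON_TOP),
                         ("default disabled", DEFAULT_DISABLED),
                         ("default modified", DEFAULT_MODIFIED)]:
        for u in (EDITOR, VIEWER, OUTSIDER):
            grants = granting_rules(rules, u, SHEET, "create")
            print(f"{label:17} {u.name:9} {grants or 'denied'}")
```

Listing every rule that grants the action, rather than only the final yes/no, is what shows which enabled rule is still letting a user through.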

                                                                              • Re: help in security rule
                                                                                Aehman K

                                                                                Glad it worked out for you!

                                                                                I believe you can close this post by marking your own answer as correct!

                                                                                 

                                                                                Yes the security rules are quite complex. I'm currently working on disabling the default Stream/App.

                                                                                And creating my own rules for users (it is really painful).....

                                                                                There should be a video from Qlik Sense to explain in more detail, not just overview. If it is there then hopefully someone can post a link of that video here.

                                                                                 

                                                                                Thanks.

                                                                      • Re: help in security rule
                                                                        omar bensalem

                                                                        Hi Aehman,

                                                                         

                                                                        I have already done as you did,

                                                                        1) disabled the CreateAppObjectsPublishedApp security rule

                                                                         

                                                                        2) created a new like this :

                                                                        Capture.PNG

                                                                         

                                                                        That didn't prohibit other users from editing published apps !

                                                                         

                                                                        I also tried this :

                                                                         

                                                                        I disabled the rule called: CreateAppObjectsPublishedApp

                                                                         

                                                                        copied it and created a new rule :

                                                                         

                                                                        filter : App.Object_*

                                                                        create- update

                                                                         

                                                                        rule:

                                                                        !resource.App.stream.Empty() and resource.App.HasPrivilege("read") and (resource.objectType = "userstate" or resource.objectType = "sheet" or resource.objectType = "story" or resource.objectType = "bookmark" or resource.objectType = "snapshot" or resource.objectType = "embeddedsnapshot" or resource.objectType = "hiddenbookmark") and user.name="Administrator"

                                                                         

                                                                         

                                                                        But nothing happens, all of the users still can edit and create sheets in published apps.

                                                                          • Re: help in security rule
                                                                            Aehman K

                                                                            Ok, the part here is very tricky. It got me confused as well but finally got the result we wanted.

                                                                            Thanks to Ali for raising this issue, I didn't know we could do this and will be helpful for my future projects.

                                                                             

                                                                            1. Disable CreateAppObjectsPublishedApp security rule

                                                                            2. Custom property created for users and added to a Stream

                                                                                 -Edit Stream consists of values 'Stream' and 'Users'

                                                                                 -Edit consists of values 'App' and 'Users'

                                                                            Then add the above custom properties to your required users and required stream.

                                                                            Edit Stream.PNG

                                                                            3. Sheet access to users (sometimes in group the users won't get sheet access, they will have app access but not sheet)

                                                                            so follow the below rule ONLY IF they cannot see sheet.

                                                                            Sheet Access to user.PNG

                                                                             

                                                                            4. App Access to User group, IF there are more than 1 app then create separate custom property for each app

                                                                            App Access to Group.PNG

                                                                            6. Now the answer to the question which we've been asking since 3 days....

                                                                            If you see, I checked READ in actions and no other box.

                                                                            Added Stream (Edit Stream) and App group (Edit). This will disable Edit for all users in this stream ONLY.

                                                                            Edit Stream.PNG

                                                                             

                                                                            7. Edit only for 1 user in below rule.

                                                                            I check CREATE in Actions box. Added the Edit Stream, user name and App custom property (Edit),

                                                                            You can group users too instead of individual names.

                                                                            Edit only for 1 user.PNG

                                                                             

                                                                            8. Finally the result will be as below.... No Edit for one of the users and edit for other user.

                                                                            No Edit.PNG

                                                    • Re: help in security rule
                                                      omar bensalem

                                                      jog

                                                      Hi Jeffrey,

                                                       

                                                      I'm currently trying to prevent all the users I have from editing or creating sheets in a published app !

                                                      Only the Administrator is able to do so;

                                                       

                                                      Here's what I did :

                                                      I disabled a rule called: CreateAppObjectsPublishedApp

                                                       

                                                      copied it and created a new rule :

                                                       

                                                      filter : App.Object_*

                                                      create- update

                                                       

                                                      rule:

                                                      !resource.App.stream.Empty() and resource.App.HasPrivilege("read") and (resource.objectType = "userstate" or resource.objectType = "sheet" or resource.objectType = "story" or resource.objectType = "bookmark" or resource.objectType = "snapshot" or resource.objectType = "embeddedsnapshot" or resource.objectType = "hiddenbookmark") and user.name="Administrator"

                                                       

                                                       

                                                      But nothing happens, all of the users still can edit and create sheets in published apps.

                                                       

                                                      what am I missing?

                                                       

                                                      The same process could be applied on Ali's case; just replace the user.name by user@hiscustomproperty

                                                       

                                                      Thank you,