1 Reply Latest reply: Jun 26, 2017 2:57 PM by Levi Turner

    Restricting user access to specific sheets

    Ryan Fry

      I'm attempting to get sheet level security working.

      I'm following this:

      Sheet or App Object Level Security Qlik Sense

      sort of...

      I've disabled the default Streams rule, and created my own, which specifically excludes a user group based on a custom property.

      When I view associated rules to the sheet in particular for a member of the group for whom I am attempting to restrict access, I see that the disabled rule is still associated, but when I edit it, the disabled check is still there.

      My custom rule is the only other rule that shows up in the list of associated rules.

      I am attempting to remove access to all sheets with the word 'Admin' in them. I've tried various permutations of resource.name Like, =, !=, "Admin*", etc etc.

      I gave up, and am now attempting to restrict access to the TWO sheets that specifically exist.

      I have created the rule for:

      App.Object_*

      read is the only checked box

      Conditions:

      ((user.@UserType="MyGroup") and (resource.name!="Admin: Issued Reward Details" or resource.name!="Admin: Issued Rewards Summary"))

      Which I interpret to mean ALL app objects that are NOT these two named sheets, and it gives read access.

      When I audit the rule, I still see that I can access these sheets. For good measure, I attempted to log in, and with a test user, I can still see the sheets that I should not be able to see.

      Any guidance would be fantastic.

        • Re: Restricting user access to specific sheets
          Levi Turner

          For this particular implementation this style of rule is working with success:

          • Disable Stream
          • New rule:
            • Name: Stream (Sheet Exception)
            • Filter: App*
            • Action: Read
            • Condition: (resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or (((resource.resourcetype = "App.Object" and (resource.published ="true" and resource.name != "Exclusion Test")) and resource.app.stream.HasPrivilege("read")))
            • Context: Both

          The bolded portion can be ported over to be customized or expanded (e.g. (resource.name != "1" and resource.name != "2")). The method of using a custom property will unfortunately not work since custom properties cannot be applied to app.objects. Likewise, there is no NOT LIKE operator so wildcards will not be able to be leveraged.
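
Added example, not part of either post and not Qlik code: the question's condition and the reply's rule modelled as Python predicates, to show which resources each one grants read on. The sample resources, the `broad_rule` stand-in and the "any matching rule grants access" evaluation are assumptions made for the illustration.

```python
from collections import namedtuple

ADMIN = ("Admin: Issued Reward Details", "Admin: Issued Rewards Summary")

# Constructed model of an app or app object. stream_read stands in for
# resource.stream.HasPrivilege("read") / resource.app.stream.HasPrivilege("read").
Resource = namedtuple("Resource", "resourcetype name published stream_read",
                      defaults=(True, True))

def rule_or(user_type, r):
    # Condition from the question: the two != tests are joined with "or".
    # No name equals both strings, so the bracket is true for every resource.
    return user_type == "MyGroup" and (r.name != ADMIN[0] or r.name != ADMIN[1])

def rule_and(user_type, r):
    # Same tests joined with "and": true only when the name is neither sheet.
    return user_type == "MyGroup" and (r.name != ADMIN[0] and r.name != ADMIN[1])

def sheet_exception(user_type, r, excluded=ADMIN):
    # Shape of the reply's "Stream (Sheet Exception)" condition, with the
    # single name test expanded to both Admin sheets.
    if r.resourcetype == "App":
        return r.stream_read
    return (r.resourcetype == "App.Object" and r.published
            and r.name not in excluded and r.stream_read)

def broad_rule(user_type, r):
    # Hypothetical stand-in for any still-enabled rule that grants read on
    # everything in a readable stream.
    return r.stream_read

def readable(resources, rules, user_type="MyGroup"):
    # Assumed model: rules only grant, so one matching rule is enough.
    return sorted(r.name for r in resources
                  if any(rule(user_type, r) for rule in rules))

RESOURCES = [  # constructed sample data
    Resource("App", "Rewards"),
    Resource("App.Object", "Overview"),
    Resource("App.Object", ADMIN[0]),
    Resource("App.Object", ADMIN[1]),
    Resource("App.Object", "Draft", published=False),
]

if __name__ == "__main__":
    for label, rules in [("or", [rule_or]), ("and", [rule_and]),
                         ("sheet exception", [sheet_exception]),
                         ("exception + broad", [sheet_exception, broad_rule])]:
        print(f"{label:18} -> {readable(RESOURCES, rules)}")
```

In this model the `or` form grants read on both Admin sheets, and adding any broad rule next to the exception rule restores access to them, which is why the audit view has to be checked with every enabled rule in scope.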