1 Reply Latest reply: Jun 26, 2017 2:57 PM by Levi Turner RSS

    Restricting user access to specific sheets

    Ryan Fry

      I'm attempting to get sheet level security working.


      I'm following this:

      Sheet or App Object Level Security Qlik Sense


      sort of...

      I've disabled the default Streams rule, and created my own, which specifically excludes a user group based on a custom property.


      When I view associated rules to the sheet in particular for a member of the group for whom I am attempting to restrict access, I see that the disabled rule is still associated, but when I edit it, the disabled check is still there.


      My custom rule is the only other rule that shows up in the list of associated rules.


      I am attempting to remove access to all sheets with the word 'Admin' in them. I've tried various permutations of resource.name Like, =, !=, "Admin*", etc etc.


      I gave up, and am now attempting to restrict access to the TWO sheets that specifically exist.


      I have created the rule for:




      read is the only checked box



      ((user.@UserType="MyGroup") and (resource.name!="Admin: Issued Reward Details" or resource.name!="Admin: Issued Rewards Summary"))


      Which I interpret to mean ALL app objects that are NOT these two named sheets, and it gives read access.


      when I audit the rule, I still see that I can access these sheets. For good measure, I attempted to log in, and with a test user, I can still see the sheets that I should not be able to see.


      Any guidance would be fantastic.

        • Re: Restricting user access to specific sheets
          Levi Turner



          For this particular implementation this style of rule is working with success:

          • Disable Stream
          • New rule:
            • Name: Stream (Sheet Exception)
            • Filter: App*
            • Action: Read
            • Condition: (resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or (((resource.resourcetype = "App.Object" and (resource.published ="true" and resource.name != "Exclusion Test")) and resource.app.stream.HasPrivilege("read")))
            • Context: Both

          The bolded portion can be ported over to be customized or expanded (e.g. (resource.name != "1" and resource.name!="2"). The method of using a custom property will unfortunately not work since custom properties cannot be applied to app.objects. Likewise, there is no NOT LIKE operator so wildcards will not be able to be leveraged.