8 Replies Latest reply: Jan 29, 2018 4:00 AM by Angel Tomov RSS

    Security rules

    Angel Tomov

      Hello guys, So basically I have a lot of work into copying my Client's database security rules into qliksense.


      So far I have managed to write section access on a Country level, but I also have securities based on certain Measures.


      I have made the measures as Objects into the Application.

      The name of the app is "Sales Report".

      My measure name is Margin.



      I thought to make a group in the QMC, which is called MARGIN, and then add all users, which can see this measure.


      and After that I have to write a Security rule, which gives access to this measure to the specific users, and the other users must NOT see this measure.


      for example something like each user part of the user group MARGIN, can see the measure Margin, which is inside Sales Report.



      I have never written security rules, except some basic ones which gives users access to streams.







      Any thoughts?  I have 6 different measures,  which has to be restricted to the specific usergroup. Since I can't include this in my section access statement i thought security rules might help me build the full security database into QlikSense.


      THANKS !

        • Re: Security rules
          Sarah Sullivan

          This document goes step by step through implementing security rules at the app object level:

          Sheet or App Object Level Security Qlik Sense


          I know that sheets and charts are "app objects".  I don't know if master measures will be considered app objects or not.  Even if the master measure is considered an app object and you can use this method for restricting access, the field would still be in the data model and the user could hypothetically write a measure on that field themselves.  I'm not sure how to restrict access to entire fields (column level security) or if security rules can accomplish this.



          • Re: Security rules
            Shahbaz Khan Mohammed

            doesn't disabling the measure disable the chart if it is based on single measure?

            Yo may have to save those measure as Master Measures, not sure... but

            resource.objectType="measure" or resource.objectType="masterobject"  ???

              • Re: Security rules
                Angel Tomov

                I have got some sensitive data, like Margins, Consolidated currency and etc. I am using them in KPI's only, and not in real charts, I am currently reading all the docs based on security rules and trying to get to know the logic behind them better .


                And Yes, I have saved those measures as Master Items(Measures)

                • Re: Security rules
                  Angel Tomov

                  Hello guys, this post is for future people who come here !


                  IF you are reading this, You must have a basic knowledge on Custom Properties, and how to apply them to map users with apps and streams.


                  After I made Custom properties for my groups of users, and then I applied this properties to the corresponding Streams and Apps, I had to write security rules .


                  1. Disable default stream rule

                  2. Write rule that specifies Streams with the custom property of the groups

                  3. Write rule for App Access with the corresponding groups ( ex. Group1 can see Group1, Group2 can see Group2 etc.)

                  4. AND last, but not least you must specify rule for App object .


                  this is my rule

                  ((user.@AppLevelManagement="Sales") and (resource.objectType!="measure" or resource.name="SalesSum" or resource.name="RegionsCount"))


                  BASICALLY this rule says, that IF   a user is part of the AppLevelManagement - Sales, he CAN'T see resource.objectType!="measures", and after that we specify which measures, this users can see, in our example the users which are part of the Sales group, can see the measures - "SalesSum" and "RegionsCount".


                  PS: The measures have to be saved  like Master Measures.
                  PS2: I am using this rule as part of my section access to restrict which users can see which measures.
                  PS3: If you have questions comment here and I will try to help you



                  Thanks to S Khan

                • Re: Security rules
                  Alex Timofeyev



                  why are you saying that you cannot restrict it via section access? Do all users need access to all fields that are used in calculating your measure? If not, just restrict access to at least one underlying field, and the measure will be calculated as <null> for unauthorized users.