3 Replies Latest reply: Feb 21, 2018 10:29 AM by Marcos Herrera RSS

    QlikSense Security Rule - Update published apps to some users

    Marcos Herrera

      Hi Dear Qlik Community

       

      I'm triyong to create  a Security Rule to grant access to update published apps to some users (Like to executive users) , i copied the Stream Defaul Security rule to make the new rule but not works

       

      The rule has the following properties

      Resorce filter: App*

      Actions: read, update

      Condition:

      (resource.resourcetype = "App" and resource.stream.HasPrivilege("read") and user.@UserGroup = "Admin"

      ) or ((resource.resourcetype = "App.Object" and resource.published ="true"

      and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))

       

      Additionally, i cretaed an adtional rule for normal users (Onlye read)

      Resorce filter: App*

      Actions: read

      Condition:

      (resource.resourcetype = "App" and resource.stream.HasPrivilege("read") and user.@UserGroup != "Admin"

      ) or ((resource.resourcetype = "App.Object" and resource.published ="true"

      and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))

       

       

      Additional info:

       

      1) The standar Stream Security Rule was disabled

      2) I created a Custom Property for user and apps, with values "Admin"

      3) The users that need update the published apps has the custom property "Admin"

      4) One o the "Admin" user is the owner app

       

      The problem is that all users can update the published apps

        • Re: QlikSense Security Rule - Update published apps to some users
          Youssef Belloum

          Hi,

           

          I'll try to redo all this and see what's the problem here

          • Re: QlikSense Security Rule - Update published apps to some users
            Levi Turner

            I'd break out your selection criteria into logical parts. Example:

             

            Before:

            (resource.resourcetype = "App" and resource.stream.HasPrivilege("read") and user.@UserGroup = "Admin" ) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))

             

            After:

            ((resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))) and user.@UserGroup = "Admin"


            Or you could just separate out the update functionality to a separate rule. Since rules are additive then it will add on to the previously configured permissions. That's generally easier than managing two different rules.

             

            Why do you want the update right? To expose the DLE? Expose the data model?

              • Re: QlikSense Security Rule - Update published apps to some users
                Marcos Herrera

                Hi Levi Turner

                 

                I create one Rule with the following attributes


                Name: Stream Admin

                Resorce filter: App*

                Actions: read, update

                Condition:

                ((resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))) and user.@UserGroup = "Admin"


                This rule worked fine for me, but i need an extra rule to the user thah does not have the custom property  UserGroup = "Admin" the rule will be used for the "reader" user on published Apps. I tried with this

                 

                Name: Stream Reader

                Resorce filter: App*

                Actions: read

                Condition:

                ((resource.resourcetype = "App" and resource.stream.HasPrivilege("read") and resource.@UserGroup.empty()) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read")))


                But not works, the users that not have custom property  UserGroup = "Admin" can edit the Published App