Hi Guys - need some clarification here - when we say new user and publish - are we talking about a content admin type person creating new sheets in an app in their work space and then publishing the app to a stream?
Are we talking about an already published app in a stream - where someone creates their own sheet BASED off the existing approved app - and then has the option to publish it to the broader community so others can see THEIR work?
I assume you mean the latter - since you said you have an APP shared by 2 different groups - but need to check.
So what we are looking at is sheet level security - but more granular depending on the group it belongs to - I am not a security rule expert - but I believe this should be possible with a custom rule and perhaps custom properties.
Most likely will be defined with App Objects:
See if this thread helps: Sheet or App Object Level Security Qlik Sense
Let me know how you do.
Correct @mto, this distinction is a major issue.
If it's Community sheets on a Published app, then you would need to fiddle with the Stream rule.
The key portion of the rule is bolded below:
(resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))
Both base and community sheets fulfill this condition, so you'd want to disable the Stream rule and change resource.published to resource.approved (which distinguishes community from base).
For the schema of the rule to handle the community sheets
Conditions: ((resource.published="true" and resource.owner.group=user.group))
This assumes that there is perfect alignment between the group attribute and there isn't sufficient noise inside of the users' persistent attributes which would make this rule non-functional (e.g. all folks are members of geographical groups in AD / UDC). In an AD context where perfect control over the group membership isn't possible, then something like this should point in the right direction:
Conditions: ((resource.published="true" and (resource.owner.group="foo" and user.group="foo")))
Hope that points in the right direction.
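The group-noise caveat in the reply above can be seen in a small model. This is an added example, not part of the original reply and not Qlik's rule engine: it assumes group attributes are multi-valued and that "=" is true when any value is shared, and the users, groups and sheet names are constructed.

```python
# Toy model of the two conditions quoted in the reply above.
# Assumption: user.group is multi-valued and "=" matches on any shared value.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset

@dataclass(frozen=True)
class Sheet:
    name: str
    owner: User
    published: bool

def any_shared_group(user, sheet):
    """((resource.published="true" and resource.owner.group=user.group))"""
    return sheet.published and bool(sheet.owner.groups & user.groups)

def pinned_group(group):
    """((resource.published="true" and
         (resource.owner.group="foo" and user.group="foo")))"""
    def rule(user, sheet):
        return (sheet.published
                and group in sheet.owner.groups
                and group in user.groups)
    return rule

def readers(rule, users, sheet):
    """Users the rule lets read the sheet; the owner is left out so the
    result shows only what the group match itself adds."""
    return sorted(u.name for u in users if u != sheet.owner and rule(u, sheet))

# Constructed directory: two teams plus a site-wide group everyone is in.
ALICE = User("alice", frozenset({"Finance", "EMEA-All"}))
BOB = User("bob", frozenset({"Finance", "EMEA-All"}))
CAROL = User("carol", frozenset({"Sales", "EMEA-All"}))
USERS = [ALICE, BOB, CAROL]
SHEET = Sheet("Margin by region", owner=ALICE, published=True)
DRAFT = Sheet("WIP", owner=ALICE, published=False)

if __name__ == "__main__":
    # The shared site-wide group lets carol (Sales) read a Finance sheet.
    print("any shared group :", readers(any_shared_group, USERS, SHEET))
    # Pinning the group name restricts readers to Finance members.
    print("pinned to Finance:", readers(pinned_group("Finance"), USERS, SHEET))
    # Unpublished sheets are never exposed by either condition.
    print("unpublished      :", readers(any_shared_group, USERS, DRAFT))
```

Running the same comparison against an export of real group memberships before enabling the rule shows which shared groups would widen access beyond the intended team.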