5 Replies. Latest reply: Mar 1, 2018 3:36 AM by youssef belloum

    Disable sharing unpublished sheet

    eva bornaccini

      Hi all,

      I am working with Qlik Sense server and I have some issues regarding security permissions.

      I have an app shared among 2 different user groups: sales and aftersales.

      I'd like that if a sales user publishes a sheet it will be available only for other sales users but not for aftersales ones.

      Furthermore, if a user creates a new sheet but doesn't publish it, it should not be visible to any other user, but currently it is.

      How can I achieve these two goals?

       

      Thank you in advance

        • Re: Disable sharing unpublished sheet
          youssef belloum

          Hi,

           

          Interesting post, I'll try to do this and if it works for me I'll describe step by step how to do it.

           

          Maybe experts here can quickly guide you on how to do it (if it is possible)

           

          Hi guys ltu, mto, do you think it is possible?

            • Re: Disable sharing unpublished sheet
              Michael Tarallo

              Hi Guys - need some clarification here - when we say new user and publish - are we talking about a content admin type person creating new sheets in an app in their work space and then publishing the app to a stream?

               

              OR

               

              Are we talking about an already published app in a stream - where someone creates their own sheet BASED off the existing approved app - and then has the option to publish it to the broader community so others can see THEIR work?

               

              I assume you mean the latter - since you said you have an APP shared by 2 different groups - but need to check.

               

              So what we are looking at is sheet level security - but more granular depending on the group it belongs to - I am not a security rule expert - but I believe this should be possible with a custom rule and perhaps custom properties.

               

              Most likely will be defined with App Objects:

               

              See if this thread helps: Sheet or App Object Level Security Qlik Sense

               

              Let me know how you do.

               

              Regards,

               

              Mike T

              Qlik

                • Re: Disable sharing unpublished sheet
                  Levi Turner

                  Correct @mto, this distinction is a major issue.

                   

                  If it's Community sheets on a Published app, then you would need to fiddle with the Stream rule 19iv1987

                   

                  The key portion of the rule is bolded below:

                  (resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))

                   

                  Both base and community sheets fulfill this condition, so you'd want to disable the Stream rule and change resource.published to resource.approved (which distinguishes community from base).

                   

                  For the schema of the rule to handle the community sheets

                  Filter: App.Object_*

                  Action: Read

                  Conditions: ((resource.published="true" and resource.owner.group=user.group))

                  Context: Both

                   

                  This assumes that there is perfect alignment between the group attribute and there isn't sufficient noise inside of the users' persistent attributes which would make this rule non-functional (e.g. all folks are members of geographical groups in AD / UDC). In an AD context where perfect control over the group membership isn't possible, then something like this should point in the right direction:

                   

                  Filter: App.Object_*

                  Action: Read

                  Conditions: ((resource.published="true" and  (resource.owner.group="foo" and user.group="foo")))

                  Context: Both

                   

                  Hope that points in the right direction.
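
Added example, not part of the post above and not Qlik code: a small Python model of the two rule conditions, showing how extra ("noise") group memberships widen read access under `resource.owner.group=user.group` and how pinning the group value avoids it. It assumes group attributes are multi-valued and that `=` is true when any value matches; the users, the geographic groups and the sheets are constructed, and only this one rule is modelled in isolation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset  # assumption: multi-valued, like AD / UDC group attributes


@dataclass(frozen=True)
class Sheet:
    name: str
    owner: User
    published: bool


def rule_owner_group_equals_user_group(user, sheet):
    # Models: resource.published="true" and resource.owner.group=user.group
    # Assumption: "=" on two multi-valued attributes matches on any shared value.
    return sheet.published and bool(sheet.owner.groups & user.groups)


def rule_pinned_group(user, sheet, group):
    # Models: resource.published="true" and
    #         (resource.owner.group="foo" and user.group="foo")
    return sheet.published and group in sheet.owner.groups and group in user.groups


def readers(rule, users, sheet):
    """Names of the users to whom this rule alone would grant Read on the sheet."""
    return sorted(u.name for u in users if rule(u, sheet))


# Constructed sample data: two sales users, one aftersales user, plus geographic "noise".
ANNA = User("anna", frozenset({"sales", "italy"}))
BRUNO = User("bruno", frozenset({"sales", "germany"}))
CARLA = User("carla", frozenset({"aftersales", "italy"}))
USERS = [ANNA, BRUNO, CARLA]

PUBLISHED = Sheet("Q1 pipeline", owner=ANNA, published=True)
DRAFT = Sheet("scratch", owner=ANNA, published=False)


def sales_only(user, sheet):
    return rule_pinned_group(user, sheet, "sales")


if __name__ == "__main__":
    # The shared "italy" group lets the aftersales user read a sales sheet.
    print("owner.group=user.group:", readers(rule_owner_group_equals_user_group, USERS, PUBLISHED))
    print("pinned to 'sales':     ", readers(sales_only, USERS, PUBLISHED))
    print("unpublished sheet:     ", readers(rule_owner_group_equals_user_group, USERS, DRAFT))
```
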

                  • Re: Disable sharing unpublished sheet
                    youssef belloum

                    Hi mto

                     

                    That's what I thought too, that he was talking about an app already published.

                     

                    Thank you