10 Replies Latest reply: May 14, 2018 2:13 PM by Hannah Cozad RSS

    Hide a chart for a specific AD group

    Hannah Cozad

      Hello,

      I want to hide a chart on a sheet when the user is a member of a specific Active Directory group.

       

      Is this possible in version 3.2.4? If yes, what is the best way to implement?

       

      If not, what version do I need?

       

      Thanks!

        • Re: Hide a chart for a specific AD group
          Digvijay Singh

          I don't think you can hide a chart based on Group but you can hide dimensions used by the chart using Section access OMIT feature. The side effect is all the chart using these OMIT dimensions for a group will not render.

           

          If the group field is available somehow in data model, may be in chart calculation condition it can be used to stop chart calculation.

          • Re: Hide a chart for a specific AD group
            P Kumar

            Hi,

            You can achieve this by security rules in QMC.

            Please refer this BLOG, It has detail level of information how to achieve Sheet and App Object level security rules:

            Sheet or App Object Level Security Qlik Sense

              • Re: Hide a chart for a specific AD group
                Hannah Cozad

                Thanks! Yes - I found that article.  As I was reading through the beginning, it starts from scratch by installing Qlik Sense. Step number 4.1 says to disable the default STREAM security rule. I am not starting from a brand new install. I already have multiple streams and apps in production that users are using. If I disable this STREAM security rule, does it affect my other streams? If so, how does it affect them?

                  • Re: Hide a chart for a specific AD group
                    P Kumar

                    Hi,

                     

                    Long back i have worked on this sheet level section access. That time we have disabled the default  stream rule first then to Keep the Existing Stream Rule functionality, in addition, to adding sheet level section access Created one more Customized Stream rule like below.


                    This rule substitutes the default 'Stream' security rule with an exemption of Apps where SheetLevelSecurity is ON means created one custom property with SheetLevelSecurity  and given the value as ON. Next applied this ON value to the apps where this default rule need to avoid.


                    For avoiding sheets given description as APP_RESTRICTED


                     

                    Name: CUSTOM_STREAM_ACCESS

                    Resource Filter: App*

                    Action: Read

                    Condition:

                    (resource.resourcetype = "App” and resource.@SheetLevelSecurity != "ON"and resource.stream.HasPrivilege("read"))

                    or

                    ((resource.resourcetype = "App.Object" and resource.published = "true" and resource.objectType != "app_appscript"

                    and resource.objectType != "loadmodel" and (resource.description != "APP_RESTRICTED"))

                    and resource.app.stream.HasPrivilege("read"))

                                   Context: Both in hub and QMC

                      • Re: Hide a chart for a specific AD group
                        Hannah Cozad

                        How did you define the SheetLevelSecurity custom property? I don't currently have any custom properties, so if I wanted to create one for SheetLevelSecurity, how would I do that?

                          • Re: Hide a chart for a specific AD group
                            P Kumar

                            Hi,

                             

                            We have to create the custom property as per our use case.

                            1. Log into QMC and navigate to Custom Properties section
                            2. Click on ‘Create new’
                            3. Enter name i.e. ‘SheetLevelSecurity‘ with Apps as Resource Type and Corresponding values for example ON/OFF.
                            4. Click on Apply
                            5. Then assign this Custom property Sheet Level Security = ON to your section access app in the APPs tab so as per the custom stream rule it will exclude this particular app from the default functionality.


                            custom property.png

                            6. One more thing is on which sheet we have to apply the section access for that sheet add APP_RESTRICTED under Description like below.

                            APP_rESTRICTED.png

                             

                            So as per the below rule in the app which contains SheetLevelSecurity = "ON" and sheet description has APP_RESTRICTED those sheets will hide.


                            Name: CUSTOM_STREAM_ACCESS

                            Resource Filter: App*

                            Action: Read

                            Condition:

                            (resource.resourcetype = "App” and resource.@SheetLevelSecurity != "ON"and resource.stream.HasPrivilege("read"))

                            or

                            ((resource.resourcetype = "App.Object" and resource.published = "true" and resource.objectType != "app_appscript"

                            and resource.objectType != "loadmodel" and (resource.description != "APP_RESTRICTED"))

                            and resource.app.stream.HasPrivilege("read"))

                                           Context: Both in hub and QMC

                    • Re: Hide a chart for a specific AD group
                      Hannah Cozad

                      We ended up doing a few things to solve this issue.

                      1. We upgraded to the most recent version.

                      2. I made a duplicate of the sheet that has the charts we want to show or hide based on the AD group. One sheet has 4 charts, and the other has 2. The second sheet has an extra space in the sheet name in order to differentiate.

                      3. We disabled the default STREAM security rule, but added a rule for each of the streams. These new security rules were copies of the default, but a filter added for the stream it was for.

                      4. We added a new security rule and used the conditions below. "Production" is the name of the stream, AD Group does not see "SheetA", and AD Group Limited does not see "Sheet A" (space between sheet and A).

                       

                      Conditions for security rule:

                      (resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read")) and (resource.stream.name="Production" or resource.app.stream.name="Production") and

                      (resource.objectType != "sheet" or resource.name != "SheetA" or user.group="AD Group") and

                      (resource.objectType != "sheet" or resource.name != "Sheet A" or user.group="AD Group Limited")