13 Replies Latest reply: Oct 11, 2018 10:37 AM by Sridhar Kasthuri RSS

    Sheet Level Security in QlikSense

    Sridhar Kasthuri

      Hi All,

       

      We have requirement where certain set of users need to be restricted from accessing  particular sheets in a application.

       

      I tired both the below process but none of them worked.

       

      https://community.qlik.com/docs/DOC-18300

       

      Sheet or App Object Level Security Qlik Sense

       

      We have 10 sheets out of which 2 sheets need to restricted for set of user group.

       

      If there are any alternative methods please let me know.

       

      Really appreciate your help.

       

      Thanks

        • Re: Sheet Level Security in QlikSense
          Gabor Tarnoczai

          Hi Sridhar,

           

          I didn't peruse the links, but I assume that contains only a workaround for sheet security, I don't think this kind of security exist in Sense.

           

          I suggest you to create two application and publish to different streams according to the user groups.

          If the reload would take too much time then you can extract and transforms the input data to qvd-s, and both application can reload from it much faster.

           

          G.

          • Re: Sheet Level Security in QlikSense
            Andrea Gigliotti

            for your kind of request you should work with the security rules.

            • Re: Sheet Level Security in QlikSense
              Benoît Gochel

              A security rule will work for preventing the access to a sheet but if this sheet contains some master items, the users will be able to create their own page and access it anyway, which is a big risk ...

                • Re: Sheet Level Security in QlikSense
                  Sridhar Kasthuri

                  Hi Benoit,

                   

                  I am looking for what security rules need to modified or created to restrict sheet level access.

                   

                  Thanks

                    • Re: Sheet Level Security in QlikSense
                      Bilal Chaudhary

                      Hi Sridhar,

                       

                      We've done something like this. Its just a workaround, and will require some manual work.

                      1. Create a custom property, Select User in "Resource Type.

                      2. Add Sheet name in values

                      3. Edit your users, you'll find your newly created custom property. Select the appropriate sheet names that you want the user to have access on.

                      4. Create a new security rule, and select "App.Object_*" in resource filter.

                      5. Add the following in the Advanced conditions

                      ((user.@SheetSecurity=resource.name) or user.name=resource.owner.name)

                      The above condition will ensure that the user will only view the sheets on which they have access to. And will also have access on sheets that was created by that user.

                        • Re: Sheet Level Security in QlikSense
                          Sridhar Kasthuri

                          Hi Bilal,

                           

                          I tired as your described but not able to achieve.

                           

                          I have Application Name as: Salesforce with sheets name as 1. RawData 2.SalesforceData.

                           

                          I created a Customer Property

                           

                          -->SheetLevelSecurity with resource filters selected as Users and gave values RawData only.

                           

                          --> In Users selected one username (User1) and in Custom Properties I add value RawData for SheetLevelSecurity.

                          4. Createed a new security rule, and select "App.Object_*" in resource filter.

                          5. Add the following in the Advanced conditions

                          ((user.@SheetLevelSecurity=resource.name) or user.name=resource.owner.name)

                           

                          When I logged in(i.e.User1) I could see both the Sheets.

                           

                          Not sure if I have done anything wrong here.

                           

                          Any thoughts?

                           

                          Sridhar

                        • Re: Sheet Level Security in QlikSense
                          William Fu

                          Hi Sridhar,

                           

                          I have this custom rule to hide sheets named "testsheet" in published dashboards from users that are not RootAdmin:

                          I don't remember if I had to disable any native rules for this to work, but maybe you can try to adapt it to your scenario?

                           

                          srule.png

                      • Re: Sheet Level Security in QlikSense
                        Boycke Eggen

                        I my case I created a "custom propertie" on users level (internal or external user).

                         

                        then i created a security rule like this on "App.Object*" level with "read" rights:

                         

                        (((user.@InternExtern = "Extern" and (resource.name like "*[$E]" or (resource.objectType="masterobject" or resource.objectType="LoadModel" or resource.objectType="measure" or resource.objectType="LoadModel" or resource.objectType="dimension"))))

                         

                        So if you are a external user and the sheet has [$E] in its name, you can see it.

                         

                        and for the internal user i used the same rule but with: resource.name like "*[$I]"

                         

                        so everyone who is an external user can only see sheets with [$E] in the sheetname, and every internal user can only see the sheets with [$I] in the name.

                         

                        works like a charm for me and my users. I use this with ALL my app's.

                          • Re: Sheet Level Security in QlikSense
                            Sridhar Kasthuri

                            Hi Boycke,

                             

                            I have Salesforce as Application Name and 1.RawData 2.SalesForceData as sheet names.

                             

                            I created a custom property InternExtern with values Extern and Intern and assigned User with Extern value in custom properties of User.


                            Then created Security Rule for App Object Access as


                            (((user.@InternExtern = "Extern" and (resource.name like "*[$w]" or (resource.objectType="masterobject" or resource.objectType="LoadModel" or resource.objectType="measure" or resource.objectType="LoadModel" or resource.objectType="dimension"))))


                            As per you're statement below

                            So if you are a external user and the sheet has [$E] in its name, you can see it.


                            I should see only RawData sheet but I am seeing both the sheets. Did I do anything wrong here?


                            Really appreciate your help.


                            Sridhar

                              • Re: Sheet Level Security in QlikSense
                                Boycke Eggen

                                Hi Sridhar,

                                 

                                I think in your case you are being overruled by the standard rules of Qlik Sense.

                                Forgot i did this….

                                 

                                I switched off some standard rules in Qlik Sense, en created some new ones with reduced rights.

                                 

                                i think the rules you need to evaluate are:

                                - CreateAppObjectsPublishedApp (If you have read rights on an published app you should be able to create sheets, stories, bookmarks and snapshots belonging to that app)

                                - CreateAppObjectsUnPublishedApp

                                     (If you have read rights on an unpublished app you should be able to create app objects belonging to that app)

                                 

                                I think these 2 standard rules are overruling the newly created one.

                                Try to evaluate these (don't change them, just copy them, adjust it, and disable the Original ones).

                                 

                                Regards Boycke