Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW

"Access Is Denied" when using Capability App API to Reload a Published App

No ratings
cancel
Showing results for 
Search instead for 
Did you mean: 
Sonja_Bauernfeind
Digital Support
Digital Support

"Access Is Denied" when using Capability App API to Reload a Published App

Last Update:

Mar 22, 2022 7:06:28 AM

Updated By:

Sonja_Bauernfeind

Created date:

Feb 23, 2018 8:37:52 AM

"Access Is Denied" in Qlik Sense When Using the Capability App API to Reload a Published App For All Users Except App Owner

In a particular Qlik Sense use case, a visualization extension has been implemented that presents a button to the user that allows any user with access to that sheet to reload the app.

This button uses the Capability (App) API qlik.app.doReload() method in order to perform the reload.

This app has been published and is accessible to the intended users.

The issue is that this only works for the app-owner; all other intended users are presented with an "Access is Denied" message after they've pressed the button and the app is not reloaded.

 

Professional License is required for the user to be able to interact with reloads.

 

Cause

 

If one examines the AuditActivity_Engine logs after the error message is presented then you can see more information about the error; one can see that Access is Denied specifically for "Script access denied". This means that this user does not have access to the App's objects, so granting read access to App.Object_someguid will grant this user the needed permissions.

 

Resolution


Implement a security rule that grants READ access to the App.Object_someguid.

NOTE: The figure below is for purposes ONLY. The below rule grants access to ALL app objects for a specific user and is not scoped to a specific object; do not use in production.

For production use, the App.Object_* needs to be replaced with the accurate App.Object_ID and ((user.name="SomeUser")) with the correct user name or group as required. 

publishbutton.png

Comments
heo_bi_max
Contributor
Contributor

Hello @Sonja_Bauernfeind, Thanks a lot for these instructions.

Using the doReload() function I was presented with the issue that only the owner is able to reload the app via the button. I followed your guide, found the entries in the audit log:

 

Origin    Context Command Result     Message
Doc::DoReload Reload app 5        Script access denied

 


and set up a security rule that allows certain users the rights on the ObjectId from the log. When I preview/audit the rule it seems all correct, I granted full access to the app, the sheet, even the extension for the reload button and the associated reload task (probably not needed) but it still won't work.

Is this fix still possible?

Thank you! Cheers

Max

Sonja_Bauernfeind
Digital Support
Digital Support

Hello Max!

Let me look into this for you. I'll reach out to our subject matter experts on this.

Though since this generally falls into customization (which is not covered by support), I'd advise posting a question in our community itself as well! I believe this forum would be best: Integration, Extension & APIs 

 

/Sonja 

 

dirk_fischer
Creator
Creator

Hello Sonja,

did you get any feedback for Max? I have the same problem, the AuditActivity_Engine logs show a success for the reload, but the app still does not get saved and the user gets the error message access denied.

 

Would be nice to know, if there is something new.

 

Thank you. Cheers

 

Dirk

dirk_fischer
Creator
Creator

Hello Sonja,

do you know, if the license type can prohibit the reload?

So if the user has only an analyzer capacity license, will he / she be able to execute the reload or is this something, that is not possible?

Would be great, if you had some feedback on this.

 

Best regards

Dirk

heo_bi_max
Contributor
Contributor

Hello Dirk, In my case I had a user with professional licence test the function and even then only the owner could reload successfully. However, I did not check upon this since the week of my comment, April last year. Could well be that the situation and behaviour changed since then. Also the environment was updated a couple of times to newer qlik sense versions.

dirk_fischer
Creator
Creator

Hi Max,

I assigned a professional licence to the user and then he was able to update the app (I could see it in the QMC, when I checked the properties last reload and modified by).

Just in case you want to try, these are the security rules we use for this. We have created a property for apps, which shows that the app is doing a reload and a second property for the users, who are allowed to execute the reload. Then of course, you have to give the users the privelege to update the data connections.

We updated to the November 2021 release and then switched to the SaaS licence type. Before it was working nicely, but now it seems to work only if the licence type is Professional.

But it would be nice to get a feedback from Qlik on this one.

dirk_fischer_0-1647336893106.pngdirk_fischer_1-1647336920634.png

 

dirk_fischer_2-1647336927843.pngdirk_fischer_3-1647336933869.png

Best regards,

Dirk

 

Sonja_Bauernfeind
Digital Support
Digital Support

Hello @dirk_fischer and @heo_bi_max 

A Professional License is required for this to work (I have updated the article accordingly). See Difference between Qlik Sense Enterprise Professional and Analyzer Users license type.

All the best,
Sonja 

dirk_fischer
Creator
Creator

Hello Sonja

thank you very much for your feedback, even if it is an unpleasant one.

It means one has to purchase a large number of professional licenses if you want to be able to do a flexible reload for an app or digging into the process of generating on-demand-apps.

The first is expensive and the second sounds like something that is pretty complicated.

 

Anyhow, thank youi very much for clarifying this issue.

 

Best regards,

 

Dirk

Contributors
Version history
Last update:
‎2022-03-22 07:06 AM
Updated by: