Support Updates

The Support Updates blog delivers important and useful Qlik Support information about end-of-product support, new service releases, and general support topics.

Katie_Davis
Digital Support

The Access Evaluator is a comprehensive dashboard to analyze user roles, access, and permissions across a Qlik Sense tenant.

Hello Qlik Users! 

We would like to introduce our fourth monitoring app for Qlik Cloud, the Access Evaluator! The Access Evaluator is a comprehensive dashboard to analyze user roles, access, and permissions across a Qlik Sense tenant. As a Qlik Cloud tenant becomes densely populated with spaces, apps, users, and groups, it is crucial to be able to quickly answer questions such as:

  • “What users and groups have access to space <X>?” 
  • “What users and groups have access to app <X>?”
  • “How does a user have access to app <X>; via direct assignment, group, or app share?”
  • “Are there redundancies in policies? E.g., does a user have the same access to a space via a direct assignment as well as a group?”
  • “Who has what roles across the tenant?”


The Access Evaluator app provides insights on: 

  • User and group access to spaces
  • User, group, and share access to apps
  • User roles and associated role permissions
  • Group assignments to roles
  • And more! 

(Available Sheets)

 

The Access Evaluator uses Qlik’s RESTful APIs to fetch all the required data from the tenant.

Items to note: 

  • This app evaluates what a user and/or group has the potential to access, not what they have accessed. As such, it cannot be used to audit user activity. It simply evaluates the current access policies in the tenant.
  • This app is provided as-is and is not supported by Qlik Support.
  • This app leverages several experimental API endpoints.
  • It is recommended to always use the latest app.
  • Information is not collected by Qlik when using this app.

 

The app as well as the configuration guide can be found at the bottom of this post. This app was created internally and will be supported by the developers of the app. They will be following this thread so be sure to post any questions or issues here so they can be addressed. 

The other three monitoring apps for Qlik Cloud can be found here:

Be sure to subscribe to the Qlik Support Updates Blog by clicking the green Subscribe button to stay up-to-date with the latest Qlik Support announcements. Please give this post a like if you found it helpful! 

 

App Version Change log:

Version 1.0.0 -  Initial release

 

Kind regards, 

Qlik Digital Support Team 

6 Comments
jpjust
Specialist

 

Thanks Katie for this.

Do we have such an app for Qliksense enterprise version?

1,354 Views
Daniel_Pilla
Employee

Hi @jpjust ,

A version of this application is not available for Qlik Sense Enterprise Client-Managed as the audit rules matrix is an extraordinarily heavy call, and can have negative impacts on the repository if run at scale and without filtering. Meaning, if you have complex security rules with thousands of apps, dozens of streams, and thousands of users, evaluating the resolution of everything in the site can take a very long time and dramatically affect the performance of the site. The benefit of Qlik Sense Enterprise Client-Managed, though, is that an audit capability is built into the QMC in a controlled manner, where filtering is required before executing, as opposed to trying to resolve everything without any filtering. An application has been built, but it was decided that the impact was not worth the value that it brought, given that the built-in functionality solves most customers' needs. (my personal experience and findings)

 

I hope this helps-

Cheers,

1,184 Views
jpjust
Specialist

Thanks Daniel for the detailed explanation. Really makes sense.

Is it possible to get the application that has been built just to try out in a test environment?

Thanks

1,140 Views
agherbert4
Partner - Contributor III

@Daniel_Pilla An issue we run into with QMC in Qlik Sense Enterprise is that there is no functionality to export results from Audit (or the other screens) into Excel or csv. So there's no way to easily compare who has access (in QMC) vs. who has actually used the app (in Operations Monitor), which is really the question we're trying to answer much of the time.

1,097 Views
Levi_Turner
Employee

@agherbert4 : Getting audit data out of Qlik Sense Enterprise Client Managed is possible (but a bit tricky) via the QRS API layer. Here's an example PowerShell script built off of Qlik-Cli-Windows which will extract the needed data (this script will support auditing the read right):

# Script to audit user access to: apps, streams, and data connections
# The script will dump the extracts into the ArchivedLogs folder

################
## Parameters ##
################

# Assumes default credentials are used for the Qlik CLI Connection

# machine name
$computerName = '<machine-name>'
# leave empty if windows auth is on default VP
$virtualProxyPrefix = '/default'
# audit streams? $true or $false
$auditStreams = $true
# audit apps? $true or $false
$auditApps = $true
# audit data connections? $true or $false
$auditDataConnections = $true

################
##### Main #####
################

# set the computer name for the Qlik connection call
$computerNameFull = ($computerName + $virtualProxyPrefix).ToString()

# connect to Qlik
Connect-Qlik -ComputerName $computerNameFull -UseDefaultCredentials -TrustAllCerts

# Get the Archived Logs folder
$rootFolder = (Get-QlikServiceCluster -full).settings.sharedPersistenceProperties.archivedLogsRootFolder

# Check for the store folder, create if needed
$storeDir = $rootFolder + '\qs-security-audit-csv'
if (!(Test-Path $storeDir)){
    Set-Location $rootFolder
    New-Item -path $storeDir -type directory | Out-Null
}

if ($auditStreams -eq $true){
    $streamAuditBody = '{"resourceType":"Stream","resourceRef":{},"subjectRef":{"resourceFilter":""},"actions":2,"environmentAttributes":"context=AppAccess;","subjectProperties":["id","name","userId","userDirectory"],"auditLimit":100000,"outputObjectsPrivileges":4,"resourceProperties":["name"]}'
    $streamAudit = Invoke-QlikPost -path /qrs/systemrule/security/audit/matrix -body $streamAuditBody
    $streamAudit.matrix | Export-Csv -path "$($rootFolder)\qs-security-audit-csv\streamsAudit.csv" -NoTypeInformation
    $streams = Get-QlikStream
    $streams | Export-Csv -path "$($rootFolder)\qs-security-audit-csv\streams.csv" -NoTypeInformation
}


if ($auditApps -eq $true){
    $appAuditBody = '{"resourceType":"App","resourceRef":{},"subjectRef":{"resourceFilter":""},"actions":2,"environmentAttributes":"context=AppAccess;","subjectProperties":["id","name","userId","userDirectory"],"auditLimit":100000,"outputObjectsPrivileges":4,"resourceProperties":["name"]}'
    $appAudit = Invoke-QlikPost -path /qrs/systemrule/security/audit/matrix -body $appAuditBody
    $appAudit.matrix | Export-Csv -path "$($rootFolder)\qs-security-audit-csv\appsAudit.csv" -NoTypeInformation
    $apps = Get-QlikApp
    $apps | Export-Csv -path "$($rootFolder)\qs-security-audit-csv\apps.csv" -NoTypeInformation
}

if ($auditDataConnections -eq $true){
    $dataConnectionAuditBody = '{"resourceType":"DataConnection","resourceRef":{},"subjectRef":{"resourceFilter":""},"actions":2,"environmentAttributes":"context=AppAccess;","subjectProperties":["id","name","userId","userDirectory"],"auditLimit":100000,"outputObjectsPrivileges":4,"resourceProperties":["name"]}'
    $dataConnectionAudit = Invoke-QlikPost -path /qrs/systemrule/security/audit/matrix -body $dataConnectionAuditBody
    $dataConnectionAudit.matrix | Export-Csv -path "$($rootFolder)\qs-security-audit-csv\dataConnectionsAudit.csv" -NoTypeInformation
    $dataConnections = Get-QlikDataConnection
    $dataConnections | Export-Csv -path "$($rootFolder)\qs-security-audit-csv\dataConnections.csv" -NoTypeInformation
}

$user = Get-QlikUser
$user | Export-Csv -path "$($rootFolder)\qs-security-audit-csv\users.csv" -NoTypeInformation

 

This should accomplish the job but it's been ages since I've dug in at this layer. From the resulting CSVs, here's a simple load script to visualize the results:

[apps]:
LOAD
    id AS app_id,
    name AS app_name,
    IF(Len(stream)<1, 'Unpublished',TextBetween(stream, 'id=',';')) AS app_stream_id
FROM [lib://ArchivedLogsFolder/qs-security-audit-csv/apps.csv]
(txt, codepage is 28591, embedded labels, delimiter is ',', msq);

LEFT JOIN([apps])
LOAD
    id AS app_stream_id,
    name AS app_stream_name
FROM [lib://ArchivedLogsFolder/qs-security-audit-csv/streams.csv]
(txt, codepage is 28591, embedded labels, delimiter is ',', msq);

[app_audit]:
LOAD
    subjectId AS user_id,
    resourceId AS app_id,
    IF(audit='@{access=2}','Read',null()) AS [app_access]
FROM [lib://ArchivedLogsFolder/qs-security-audit-csv/appsAudit.csv]
(txt, codepage is 28591, embedded labels, delimiter is ',', msq);

[users]:
LOAD
    name AS user_name,
    userDirectory AS user_directory,
    "userId" AS user_userid,
    id AS user_id
FROM [lib://ArchivedLogsFolder/qs-security-audit-csv/users.csv]
(txt, codepage is 28591, embedded labels, delimiter is ',', msq);

[data_connections]:
LOAD
    id AS dataconnection_id,
    name AS dataconnection_name
FROM [lib://ArchivedLogsFolder/qs-security-audit-csv/dataConnections.csv]
(txt, codepage is 28591, embedded labels, delimiter is ',', msq);

[data_connection_audit]:
LOAD
    subjectId AS user_id,
    resourceId AS dataconnection_id,
    IF(audit='@{access=2}','Read',null()) AS [data_connection_access]
FROM [lib://ArchivedLogsFolder/qs-security-audit-csv/dataConnectionsAudit.csv]
(txt, codepage is 28591, embedded labels, delimiter is ',', msq);

[streams]:
LOAD
    id AS stream_id,
    name AS stream_name
FROM [lib://ArchivedLogsFolder/qs-security-audit-csv/streams.csv]
(txt, codepage is 28591, embedded labels, delimiter is ',', msq);

[stream_audit]:
LOAD
    subjectId AS user_id,
    resourceId AS stream_id,
    IF(audit='@{access=2}','Read',null()) AS [stream_access]
FROM [lib://ArchivedLogsFolder/qs-security-audit-csv/streamsAudit.csv]
(txt, codepage is 28591, embedded labels, delimiter is ',', msq);

 

(yes this could be modeled quite a bit better but I don't have cycles to write out a clean model at the moment).

Hope that helps

1,032 Views
Daniel_Pilla
Employee

@agherbert4 If you need to export the data, I suggest using @Levi_Turner 's approach which uses the same REST call as the app did to fetch that information.  If you want to alter the audits to make them more specific, you can alter the appAuditBody payload (he also included the ability to audit data connections and streams as well). A simple way to do this is to build the audit that you would like to export in the QMC and trace the payload. You can then take that payload and inject it into the PowerShell script. Be aware of the "auditLimit" parameter as well which could truncate the results.

1,009 Views
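
The comparison asked about in this thread (who has read access versus who has actually used an app), together with the "auditLimit" caveat, as an added example that is not part of the original posts or of any Qlik tooling. It works offline on constructed rows shaped like appsAudit.csv, users.csv and apps.csv; the usage extract and its column names (userDirectory, userId, appId) are hypothetical, and treating a row count that reaches the limit as a sign of truncation is an assumption.

```powershell
# Added example. All rows below are constructed sample data shaped like the CSV exports above.
$auditLimit = 100000   # must match "auditLimit" in the audit body that produced the export
$appsAudit = @'
subjectId,resourceId,audit
u-001,app-01,@{access=2}
u-002,app-01,@{access=2}
u-003,app-01,@{access=2}
u-001,app-02,@{access=2}
'@ | ConvertFrom-Csv
$users = @'
id,userDirectory,userId,name
u-001,CORP,alice,Alice Example
u-002,CORP,bob,Bob Example
u-003,CORP,carol,Carol Example
'@ | ConvertFrom-Csv
$apps = @'
id,name
app-01,Sales Overview
app-02,HR Headcount
'@ | ConvertFrom-Csv
# Hypothetical usage extract (who opened which app); these column names are assumed.
$usage = @'
userDirectory,userId,appId
CORP,alice,app-01
corp,BOB,app-01
'@ | ConvertFrom-Csv

function Test-AuditTruncated {
    param($Rows, [int]$Limit)
    # Assumption: an export whose row count reaches the limit may have been cut off.
    return (@($Rows).Count -ge $Limit)
}

function Get-UnusedReadAccess {
    param($Audit, $Users, $Apps, $Usage)
    $userById = @{}; foreach ($u in $Users) { $userById[$u.id] = $u }
    $appById  = @{}; foreach ($a in $Apps)  { $appById[$a.id]  = $a }
    $used = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($s in $Usage) { [void]$used.Add("$($s.userDirectory)\$($s.userId)|$($s.appId)") }
    foreach ($row in $Audit) {
        $u = $userById[$row.subjectId]
        if ($row.audit -ne '@{access=2}' -or -not $u) { continue }   # read grants for known users only
        $account = "$($u.userDirectory)\$($u.userId)"
        if (-not $used.Contains("$account|$($row.resourceId)")) {
            [pscustomobject]@{ Account = $account; App = $appById[$row.resourceId].name }
        }
    }
}
if (Test-AuditTruncated -Rows $appsAudit -Limit $auditLimit) { Write-Warning 'Row count reached auditLimit; export may be incomplete.' }
Get-UnusedReadAccess -Audit $appsAudit -Users $users -Apps $apps -Usage $usage
```

Each returned row is a read grant with no matching usage record, which makes it a candidate for a least-privilege review; account names are matched case-insensitively.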