We use security rules that give users access to streams and apps based on a custom property 'access_class' on the users, steams, and apps: If, for this property, the values on a resource (stream or app) matches the values on the user (value intersection is not empty), access is granted. Only problem: There are many users, and the root admin is the only one who can set property values for them.

Thus, we would like to define a new admin role UserPropertyAdmin for admins who can only set/remove property values on the users - not the properties on other ressources, not other data of the user, and not defining/changing other existing or new properties (and optimally: setting/removing only values of the specific property 'access_class').

Has somebody a hint for me, how to correctly set the resource filter and resource conditions? Or a hint to some kind of documentation for resources 'around' custom properties that I can target in a security rule?

(I have already re-read the respective sections of the help for qlik sense for administrators, and the page Collection of Specific Rule Scenarios and Customization of Qlik)

Thanks in advance