bhsharm5
Contributor III

Stream specific rights in Qlik Sense QMC

Hi,

I am trying to give admin access to a developer in one stream. Basically, he should be able to access the QMC and be able to perform actions like scheduling tasks, reloading apps (for that particular stream) in the QMC. But couldn't figure out how to do it. Tried all means, but it seems to work only at hub level, not able to give a restricted QMC access.

Appreciate if anyone can help resolve this.

Regards,

Bhaskar

1 Reply
jwjackso
Specialist III

When working with security rules, be VERY CAREFUL!!!

To customize security rules, you should use Custom Properties (tutorial).

We authenticate our users with Active Directory. We also wanted to limit which application in a stream a user could see. In the QMC, the developers only have access to the Apps and Tasks menu items. You will see 2 rules, default and exception, for each action. The exception rule was created to handle when a custom property was assigned to an application. I split a lot of the actions into multiple rules because I found it easier to validate the rules.

I created 3 Custom Properties:

ADGroup with resource types Apps and Streams and the values will be the Active Directory group names

Developer with resource types Users and the values will be the Active Directory group names

UserType with resource types Users and the value is Scheduler

After creating the rules below, I disabled the delivered Stream rule.

NEWAppLimiteUserDefault:
Resource Filter: App*
Actions: Read
Conditions:
(resource.resourcetype = "App" and resource.@ADGroup.empty() and resource.stream.@ADGroup = user.group) and (resource.resourcetype = "App" and !resource.stream.empty())
Context: Only in hub

NEWAppLimitedUseException:
Resource Filter: App*
Actions: Read
Conditions:
(resource.resourcetype = "App" and !resource.@ADGroup.empty() and resource.@ADGroup = user.group) and (resource.resourcetype = "App" and !resource.stream.empty())
Context: Only in hub

NEWAppLimitedUseQMCDefault:
Resource Filter: App*
Actions: Read
Conditions:
(resource.resourcetype = "App" and resource.@ADGroup.empty() and resource.stream.@ADGroup=user.@Developer) and (resource.resourcetype = "App" and !resource.stream.empty())
Context: Only in QMC

NEWAppLimitedUseQMCException:
Resource Filter: App*
Actions: Read
Conditions:
(resource.resourcetype = "App" and !resource.@ADGroup.empty() and resource.@ADGroup=user.@Developer) and (resource.resourcetype = "App" and !resource.stream.empty())
Context: Only in QMC

NEWAppObjectAccess:
Resource Filter: App.Object_*
Actions: Read
Conditions:
(resource.resourcetype = "App.Object" or
resource.objectType = "app_appscript" or
resource.objectType = "loadmodel") and
resource.published ="true"
Context: Both in hub and QMC

NEWCreateTask:
Resource Filter: ReloadTask*,SchemaEvent*,CompositeEvent*
Actions: Create
Conditions: ((user.@UserType="Scheduler"))
Context: Only in QMC

NEWDeleteExportDefult:
Resource Filter: App*
Actions: Delete, Export, Export data
Conditions: ((resource.stream.@ADGroup=user.@Developer and resource.resourcetype="App" and resource.@ADGroup.empty()))
Context: Both in hub and QMC

NEWDeleteExportException:
Resource Filter: App*
Actions: Delete, Export, Export Data
Conditions: ((resource.@ADGroup=user.@Developer and resource.stream.@ADGroup=user.@Developer and resource.resourcetype="App" and !resource.@ADGroup.empty()))
Context: Both in hub and QMC

NEWDeveloperQmcAppsMenu:
Resource Filter: QmcSection_App
Conditions: ((user.group=user.@Developer))
Context: Only in QMC

NEWDuplicateAppDefault:
Resource Filter: App*
Actions: Publish, Duplicate
Conditions:
((resource.stream.@ADGroup=user.@Developer and resource.resourcetype="App" and resource.@ADGroup.empty()))
Context: Both in hub and QMC

NEWDuplicateAppException:
Resource Filter: App*
Actions: Publish, Duplicate
Conditions:
((resource.@ADGroup=user.@Developer and resource.stream.@ADGroup=user.@Developer and resource.resourcetype="App" and !resource.@ADGroup.empty()))
Context: Both in hub and QMC

NEWReloadTaskDefault:
Resource Filter: ReloadTask*,SchemaEvent*,CompositeEvent*,ExecutionResult*
Actions: Read, Update, Delete
Conditions:
((user.@UserType="Scheduler")) and
((resource.resourcetype="ReloadTask" and
resource.app.stream.@ADGroup=user.@Developer and
resource.app.@ADGroup.Empty()) or
(resource.resourcetype = "SchemaEvent" or resource.resourcetype = "CompositeEvent"))
Context: Only in QMC

NEWReloadTaskException:
Resource Filter: ReloadTask*,SchemaEvent*,CompositeEvent*,ExecutionResult*
Actions: Read, Update, Delete
Conditions:
((user.@UserType="Scheduler"))
and
((resource.resourcetype="ReloadTask" and
resource.app.stream.@ADGroup=user.@Developer and
!resource.app.@ADGroup.Empty() and resource.app.@ADGroup = user.@Developer) or
(resource.resourcetype = "SchemaEvent" or resource.resourcetype = "CompositeEvent"))
Context: Only in QMC

NEWSchedulerQMCTasksMenu:
Resource Filter: QmcSection_Task,QmcSection_ReloadTask,QmcSection_Event,QmcSection_SchemaEvent,QmcSection_CompositeEvent
Actions: Read
Conditions: !user.IsAnonymous() and ((user.@UserType="Scheduler"))
Context: Only in QMC

NEWStream:
Resource Filter: Stream_*
Actions: Read
Conditions: ((user.group=resource.@ADGroup))
Context: Only in hub

NEWStreamPublish:
Resource Filter: Stream_*
Actions: Publish
Conditions: ((resource.@ADGroup=user.@Developer))
Context: Both in hub and QMC

NEWStreamQMC:
Resource Filter: Stream_*
Actions: Read
Conditions: ((resource.@ADGroup=user.@Developer))
Context: Only in QMC

NEWUpdateAppDefault:
Resource Filter: App*
Actions: Update
Conditions:
((resource.resourcetype = "App" and resource.@ADGroup.empty() and resource.stream.@ADGroup=user.@Developer and !resource.stream.empty()))
Context: Both in hub and QMC

NEWUpdateAppException:
Resource Filter: App*
Actions: Update
Conditions:
((resource.resourcetype = "App" and !resource.@ADGroup.empty() and resource.@ADGroup=user.@Developer and !resource.stream.empty()) )
Context: Both in hub and QMC
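
The default/exception pairing in the rules above can be checked on paper before touching the QMC. The following is an added example, not part of the reply and not Qlik code: a simplified Python model of the QMC app-read and reload-task conditions, assuming `=` on multi-valued attributes is true when both sides share a value; the group and app names are constructed.

```python
# Simplified model of the rule pairs in the reply above; not Qlik's rule engine.
# Assumption: "=" on multi-valued attributes is true when both sides share a value.
from dataclasses import dataclass, field

@dataclass
class User:
    developer: set = field(default_factory=set)   # user.@Developer
    user_type: set = field(default_factory=set)   # user.@UserType

@dataclass
class App:
    name: str
    stream_adgroup: object = None                 # resource.stream.@ADGroup; None = no stream
    adgroup: set = field(default_factory=set)     # resource.@ADGroup

def eq(a, b):
    return bool(set(a or ()) & set(b or ()))

def qmc_app_read(user, app):
    """NEWAppLimitedUseQMCDefault or NEWAppLimitedUseQMCException."""
    if app.stream_adgroup is None:                # !resource.stream.empty()
        return False
    default = not app.adgroup and eq(app.stream_adgroup, user.developer)
    exception = bool(app.adgroup) and eq(app.adgroup, user.developer)
    return default or exception

def reload_task_rud(user, app):
    """ReloadTask branch of NEWReloadTaskDefault or NEWReloadTaskException."""
    if "Scheduler" not in user.user_type:
        return False
    stream_ok = eq(app.stream_adgroup, user.developer)
    default = stream_ok and not app.adgroup
    exception = stream_ok and bool(app.adgroup) and eq(app.adgroup, user.developer)
    return default or exception

def trigger_rud(user):
    """SchemaEvent/CompositeEvent branch: no stream or app condition in the rule."""
    return "Scheduler" in user.user_type

def audit(user, apps):
    return {a.name: (qmc_app_read(user, a), reload_task_rud(user, a)) for a in apps}

# Constructed sample data (group and app names are made up).
DEV = User(developer={"QS_Finance"}, user_type={"Scheduler"})
APPS = [
    App("Ledger", {"QS_Finance"}),                 # default rule applies
    App("Budget", {"QS_Finance"}, {"QS_HR"}),      # exception narrows access
    App("Payroll", {"QS_HR"}, {"QS_Finance"}),     # readable, but task rule needs stream match
    App("Draft"),                                  # unpublished: no stream
]

if __name__ == "__main__":
    for name, (read, task) in audit(DEV, APPS).items():
        print(f"{name:8} qmc_read={read} task_rud={task}")
    print("triggers:", trigger_rud(DEV))
```

The Payroll row (readable in the QMC but not schedulable) and the trigger branch (granted to every Scheduler regardless of stream) are the two outcomes worth confirming for a test user in the real QMC before disabling the delivered Stream rule.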