marcelo_7
Creator

Security rules: Be able to see datamodel without being able to update the app

Hi,

This is regarding security rules.

Is it possible to allow users to see the datamodel without getting Update rights on the whole app?

I am aware that the following type of security rules would give access to datamodel.

Resource: App_*
Action: Update
Conditions: Whatever you want

Action: Read is not necessary. The problem with the above is that it also gives permission to update the app, while I just want the user to be able to see the datamodel.

This is an attempt to only give access to the datamodel:

Resource: App* (meaning both Apps and App objects)
Action: Update,Read
Conditions:

((resource.objectType="loadmodel" and user.userId="my_username"))

 

Obviously the part about my username would be changed to rely on groups and other conditions. But even in this most basic form it does not work.

Any ideas?

2 Replies
Or
MVP

Historically, giving update rights was the only way to allow people to view the data model for published apps. Unless something has changed recently, I'd assume this is still the case (if something has changed, nobody took the time to update the knowledge base article about it, for what that's worth).

Sadly, Qlik's security rules have a weak point when it comes to actions on published apps - another similar issue is that you can't give someone rights to reload an app via task (from Hub) without also giving them update rights to the app.

marcelo_7
Creator
Author

Thanks for the quick response. The current rule that we have allows everyone to see the datamodel in published apps. This is normally not a problem, but when we wanted to allow certain users to republish each other's applications in a stream, given that a custom property was set to enabled, this datamodel rule instead allows them to republish all apps regardless of that custom property.

But an alternate way that I haven't quite figured out would be that instead of having this custom property on apps we could allow them to change the owner of all the apps in their stream. So here's the question.

Given that the stream has a custom property called streamDeveloper with the value "sense_developers_group1".
There's also an AD-group with that name that they're members of. All members of that group are developers in that stream and can see all apps in the stream; they can publish to it but cannot publish over each other's apps.
But they should be able to change the owner of all apps to get around this problem.

Currently, when they want to change owner, there are no other usernames available in the dropdown for them.
How can I write a rule that allows them to only see the members in the AD-group "sense_developers_group1", i.e. stream.@streamDeveloper?