
Security rules example: Recreating document admin by creating QMC app admin

In this example, you recreate a Qlik Sense document administrator in Qlik Sense. You can do this by:

  • Creating a new role (app admin)
  • Creating a custom property to connect this role to the apps

Security rules for the app admin role:

| Security rule | The result of the rule |
| --- | --- |
| AppAdminQmcSections | Controls the sections in the QMC that should be visible for the administrator. |
| AppAdminRead | Controls which resources the administrator should be able to read. |
| AppAdminModify | Controls which resources the administrator should be able to modify. |

Information note: The rules that grant modify access and read access are split. This lets the app admin read (but not modify) information that can be important to understand when working with apps, in this example the stream information.

Procedure

Do the following:

  1. Create the three new security rules (AppAdminQmcSections, AppAdminRead and AppAdminModify): 

    1. Select Security rules and click Create new.
    2. In the Advanced and Basic sections, fill in the fields Resource filter, Conditions, Actions and Context as listed under Security rule code.

    3. Set the Name to correspond to the activity.
    4. Click Apply.
  2. Apply the role to the user to become app admin: 

    1. Select Users, select a user and click Edit.

    2. Click the + icon under Admin roles and select AppAdmin.
    3. Click Apply.

  3. Create a new custom property and add the user as a value:

    1. Select Custom properties and click Create new.
    2. Type AppAdmin in the Name field.
    3. At Resource types check the checkbox for Apps.
    4. At Values click Create new, add the User ID as a value and click OK.
    5. Click Apply.
  4. Select the apps that this user should be able to administrate:

    1. Select Apps, Ctrl+click to select more than one app and click Edit.
    2. Select the User ID for the custom property AppAdmin.
    3. Click Apply.

You have now created and assigned the app admin role. When the user with this role logs in to the QMC, the following can be accessed: apps, tasks, sheets and streams.

Security rule code

The following is the security rule code for this example, with explanatory comments:

Security rule code for "AppAdminQmcSections"

| Field | Code | Comments |
| --- | --- | --- |
| Resource filter | `QmcSection_Stream, QmcSection_App, QmcSection_App.Sheet,QmcSection_App.Story, QmcSection_Tag,QmcSection_Task, QmcSection_ReloadTask, QmcSection_Event, QmcSection_SchemaEvent, QmcSection_CompositeEvent` | Specifically filters on streams, apps, sheets, stories, tags, tasks, and triggers. |
| Conditions | `user.roles = "AppAdmin"` | The rule will apply to all users that have the user role set to AppAdmin. |
| Actions | `read` | Read action will be granted provided the conditions are met. |
| Context | Only in QMC | The rule is only valid when you use the QMC. |

Security rule code for "AppAdminRead"

| Field | Code | Comments |
| --- | --- | --- |
| Resource filter | `Stream_*,App*,ReloadTask_*,SchemaEvent_*,Tag_*,CompositeEvent_*` | Specifically filters on resource types: streams, apps, sheets, stories, tags, tasks, and triggers. |
| Conditions | `user.roles = "AppAdmin" and ( (resource.resourcetype="App" and resource.@AppAdmin=user.userId and user.userDirectory="QVNCycles") or ((resource.resourcetype="ReloadTask" or resource.resourcetype="App.Object") and resource.app.@AppAdmin=user.userId and user.userDirectory="QVNCycles") or resource.resourcetype="SchemaEvent" or resource.resourcetype="CompositeEvent" or resource.resourcetype="Tag" or resource.resourcetype="Stream" )` | The rule will apply to all users with the same userId as the custom property AppAdmin connected to apps. |
| Actions | `read` | Read action will be granted provided the conditions are met. |
| Context | Only in QMC | The rule is only valid when you use the QMC. |

Security rule code for "AppAdminModify"

This rule determines what the app admin can modify in the QMC. It is the same rule as for read, except that streams cannot be modified.

| Field | Code | Comments |
| --- | --- | --- |
| Resource filter | `App*,ReloadTask_*,SchemaEvent_*,Tag_*,CompositeEvent_*` | Specifically filters on resource types: apps, sheets, stories, tags, tasks, and triggers. |
| Conditions | `user.roles = "AppAdmin" and ( (resource.resourcetype="App" and resource.@AppAdmin=user.userId and user.userDirectory="QVNCycles") or ((resource.resourcetype="ReloadTask" or resource.resourcetype="App.Object") and resource.app.@AppAdmin=user.userId and user.userDirectory="QVNCycles") or resource.resourcetype="SchemaEvent" or resource.resourcetype="CompositeEvent" or resource.resourcetype="Tag")` | The rule will apply to all users with the same userId as the custom property AppAdmin connected to apps. |
| Actions | `create, update, delete, changeowner` | The specified actions will be granted provided the conditions are met. |
| Context | Only in QMC | The rule is only valid when you use the QMC. |
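
The following added example (not Qlik code and not part of the original page) transcribes the Conditions of AppAdminRead and AppAdminModify into Python and evaluates them against constructed users and resources, to check which actions an app admin actually ends up with. The `<Type>_<id>` key used for resource filter matching, the dictionary layout and the single-valued custom property are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Resource filters and actions copied from the page's rule tables.
FILTERS = {
    "AppAdminRead": "Stream_*,App*,ReloadTask_*,SchemaEvent_*,Tag_*,CompositeEvent_*",
    "AppAdminModify": "App*,ReloadTask_*,SchemaEvent_*,Tag_*,CompositeEvent_*",
}
ACTIONS = {
    "AppAdminRead": {"read"},
    "AppAdminModify": {"create", "update", "delete", "changeowner"},
}
DIRECTORY = "QVNCycles"  # user directory hard-coded in the page's conditions
UNSCOPED = {"SchemaEvent", "CompositeEvent", "Tag"}  # branches with no @AppAdmin check


def condition(rule, user, res):
    """Python transcription of the Conditions field of both rules."""
    if "AppAdmin" not in user["roles"]:
        return False
    rtype = res["type"]
    in_dir = user["userDirectory"] == DIRECTORY
    if rtype == "App":
        return res.get("AppAdmin") == user["userId"] and in_dir
    if rtype in ("ReloadTask", "App.Object"):
        return res.get("app", {}).get("AppAdmin") == user["userId"] and in_dir
    if rtype in UNSCOPED:
        return True
    return rtype == "Stream" and rule == "AppAdminRead"  # streams are read-only


def allowed_actions(user, res):
    """Union of the actions the two rules grant on one resource."""
    key = f'{res["type"]}_{res["id"]}'  # assumed "<Type>_<id>" key for filter matching
    granted = set()
    for rule, patterns in FILTERS.items():
        in_scope = any(fnmatchcase(key, p.strip()) for p in patterns.split(","))
        if in_scope and condition(rule, user, res):
            granted |= ACTIONS[rule]
    return granted


# Constructed sample data, not taken from a real deployment.
alice = {"userId": "alice", "userDirectory": "QVNCycles", "roles": ["AppAdmin"]}
sales = {"type": "App", "id": "1", "AppAdmin": "alice"}
hr = {"type": "App", "id": "2", "AppAdmin": "bob"}
reload_hr = {"type": "ReloadTask", "id": "3", "app": hr}
stream = {"type": "Stream", "id": "4"}
tag = {"type": "Tag", "id": "5"}
other_dir = {"userId": "alice", "userDirectory": "OTHER", "roles": ["AppAdmin"]}
```

With this data, `alice` gets all five actions on her own app, nothing on bob's app or its reload task, and read only on the stream. She can also modify the tag, because the Tag, SchemaEvent and CompositeEvent branches of the condition carry no `@AppAdmin` or user directory check, which is worth reviewing before reusing the rule as written.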
