Skip to main content Skip to complementary content
Qlik Resources

Security rules example: Access to stream by IP address

In this example, you create access rights to a specific stream through the IP address.

You can use the IP address for access rights in the following cases:

  • When you want an app to only be available from an internal network.
  • When you want an app to only be available to mobile users.

Procedure

Do the following:

  1. Open Virtual proxies.

  2. Select the virtual proxy that you want to edit and click Edit.

  3. In the Advanced section, select Extended security environment.

  4. Click Apply.

  5. Click OK in the Apply changes to virtual proxy popup.

  6. Open Streams and create a new stream.

  7. Open Security rules and click Create new Create new.

  8. In the Create rule from template list, select Stream access.

  9. Enter a name for the rule.

  10. Set the resource filter to filter on a specific stream:

    In the Advanced section, fill in the Resource filter field as per Security rule code.

    Example: Stream_aaec8d41-5201-43ab-809f-3063750dfafd

  11. Set the conditions to specify the resource and IP address that the rule applies to:

    In the Advanced section, fill in the Conditions field as per Security rule code.

    Example: user.environment.ip = "::ffff:10.88.0.5"

  12. Set the actions that the rule is to provide:

    In the Basic section, select Actions as per Security rule code.

    Select the actions Read and Publish.

  13. Click Apply.

You have now created access to a specific stream based on the IP address of the connecting device.

Security rule code

The following is the security rule code for this example, with explanatory comments.

Security rule code fields
Field Code Comments
Resource filter Stream_<GUID>

Filters on a specific stream.
Conditions (user.environment.ip="<Your_IP_address>")

There are different formats for the user.environment.ip condition. With the implementation of the hybrid dual-stack IPv6/IPv4, it is always the IPv6 format that is used. If the client that makes the call uses IPv6, the IPv6 address is added by the proxy. If the client uses IPv4, the IPv4-mapped addresses are used.

Example 1:  

IPv4 address: 10.88.0.5 => ::ffff:10.88.0.5 (IPv6)

In this case the rule condition can be written in the following ways:

  • user.environment.ip like "*10.88.0*"
  • user.environment.ip like "::ffff:10.88*"
  • user.environment.ip = "::ffff:10.88.0.5"

Example 2:  

IPv6 address: 2001:0db8:85a3:0000:0000:8a2e:0370:7334

In this case the rule condition can be written in the following ways:

  • user.environment.ip like "*0db8:85a3:0000:0000:8a2e*"
  • user.environment.ip like "2001:0db8:85a3:0000:0000*"
  • user.environment.ip = "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
Information noteThe asterisks (*) in the examples indicate additional characters.

(user.environment.ip="<Your_IP_address>")

The rule applies to the devices that connect from an IP address that corresponds to the value.

Actions Read, Publish

Read and Publish actions will be granted provided that the conditions are met.

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – let us know how we can improve!

Leave your feedback here