Security rule conventions

In general, a rule can be read as a sentence:

"Allow the requester to [action] the [resource] provided that [conditions]."

This section describes the action, resource, conditions, and other properties that can be used to build a rule.

Tip: You can create rules for users that are not yet in the system or resources that do not yet exist in the system. This enables you to proactively create rules. However, the rules cannot evaluate until the users are authenticated in the system, or the resources, such as apps, actually exist.

Reading the security rule syntax notation

The security rules syntax notation is as follows:

  • words written outside brackets in regular text are mandatory (required).
  • words or characters written in bold outside or inside brackets are mandatory.
  • words written in italic inside brackets are optional.
  • words in blue in the syntax descriptions are links to further information on the syntax.

Security rule properties

Some rules do not have all of the following items.

Create rule from template: Select the type of rule you want to create. Resource filter and Actions are filled in automatically. (OPTIONAL)

Name: A name to identify the security rule. (MANDATORY)

Disabled: Select to disable the security rule. The effect of disabled rules can still be evaluated using the preview or the audit tool. (OPTIONAL)

Description: A short description of the intention with the rule. (OPTIONAL)

Resource filter: A mandatory definition of the type or types of resources that the security rule will be evaluated for. (MANDATORY)

resourcetype1[*][_*][, resourcetype2[*][_*], ...]

Context: Specify whether the security rule should apply: Both in hub and QMC, Only in hub, or Only in QMC.

Actions: A mandatory definition of the actions that the user will be allowed to perform on the resources if the rule evaluates to True. (MANDATORY)

action [, action]

Tags: You can add tags to the security rule. (OPTIONAL)

Conditions for security rules

Define resource and/or user conditions that should be met for the rule to apply. (OPTIONAL)

Conditions are defined using property-value pairs. You are not required to specify resource or user conditions. In fact, you can leave the Conditions field empty.

[resource.resourcetype = "resourcetypevalue"] [OPERATOR] [((resource.property = propertyvalue) [OPERATOR (resource.property = propertyvalue)])]

Functions for conditions

The QMC includes several predefined functions that can be used to return property values from targeted resources.

IsAnonymous

Boolean function for user conditions that returns True if the user requesting access has logged in as anonymous. Otherwise returns False.

user.IsAnonymous()

HasPrivilege

Boolean function for resource conditions that returns True if the user making the request has the specified access right for the targeted resource or resources. Otherwise returns False.

resource.HasPrivilege("action")

IsOwned

Boolean function for resource conditions that returns True if the specified resource has an owner. Otherwise returns False.

resource.IsOwned()

Empty()

Boolean function for resource conditions that returns True if the specified resource has no connections (that is, has no value). Otherwise returns False.

Note: In practice this function is only valid in situations where resource filter is set to App_* as apps are the only resource that can be connected with multiple resources (in this case streams).

resource.Streams.Empty()

Operators for conditions

Logical operator precedence

When more than one logical operator is used in a condition, NOT is evaluated first, then AND, and finally OR. Using parentheses, even when they are not required, can improve the readability of conditions and reduce the risk of making mistakes because of operator precedence.

Example:  

How is A OR B AND C interpreted by the Qlik Sense security rules?

It is interpreted as A OR (B AND C).

Note: The operators "and", "or", "like", and "matches" must be written in lower-case letters.

AND

This operator compares two expressions and returns True only if both evaluate to True.

(EXPRESSION) && (EXPRESSION)

(EXPRESSION) and (EXPRESSION)

OR

This operator compares two expressions and returns True if one or both evaluate to True.

(EXPRESSION) || (EXPRESSION)

(EXPRESSION) or (EXPRESSION)

EQUAL

This operator is case insensitive and returns True if the compared expressions are equal. If a list is used, only one value needs to match.

(EXPRESSION) = (EXPRESSION)

STRICT EQUAL

This operator is case sensitive and returns True if the compared expressions are exactly equal. The full list does not have to match when a value used in an expression exists in a list.

(EXPRESSION) == (EXPRESSION)

NOTEQUAL

This operator is case insensitive and returns True if the compared expressions are not equal. If a list is used, only one value needs to differ.

(EXPRESSION) != (EXPRESSION)

STRICT NOT EQUAL

This operator is case sensitive and returns True if the compared expressions are not exactly equal. The full list does not have to match when a value used in an expression exists in a list.

(EXPRESSION) !== (EXPRESSION)

NOT

This operator inverts the Boolean value of an expression and returns True if the expression is False and returns False if the expression is True.

!(EXPRESSION)

LIKE

The security rules support the regular expression operator "like". This operator is case insensitive.

(EXPRESSION) like (EXPRESSION)

MATCHES

The security rules editor supports the regular expression operator "matches". This operator is case insensitive and returns results that match your expression, irrespective of case. Regex start and end anchors are implicitly added.

(EXPRESSION) matches (EXPRESSION)
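
The precedence, case-sensitivity and list rules described above, modelled as an added example (not Qlik code and not part of the original page): a small Python evaluator for a subset of the condition syntax, useful for checking how a rule will read before it is saved. The property names and values in SAMPLE are constructed assumptions; like, matches and the functions are left out.

```python
import re
from collections import deque
# Tokens: quoted string, operators (longest first), parentheses, names, stray chars.
TOK = r'\s*("[^"]*"|!==|==|!=|=|&&|\|\||!|\(|\)|[A-Za-z_][\w.]*|\S)'
# Constructed sample values; the property names are illustrative assumptions.
SAMPLE = {"user.name": "Alice", "user.group": ["Finance", "Audit"],
          "resource.stream.name": "Finance"}

def evaluate(condition, props=SAMPLE):
    """Evaluate a condition (subset of the page's syntax) against property values."""
    toks = deque(re.findall(TOK, condition) + [""])  # "" marks the end
    def values(tok):  # every operand is handled as a list of strings
        quoted = tok.startswith('"') and len(tok) > 1
        v = tok[1:-1] if quoted else props[tok]  # unknown names raise KeyError
        return v if isinstance(v, list) else [v]

    def comparison():
        left, op = values(toks.popleft()), toks.popleft()
        right = values(toks.popleft())
        fold = (lambda s: s) if op in ("==", "!==") else str.lower  # strict keeps case
        pairs = [(fold(a), fold(b)) for a in left for b in right]
        if op in ("=", "=="):
            return any(a == b for a, b in pairs)  # one matching value is enough
        if op in ("!=", "!=="):
            return any(a != b for a, b in pairs)  # one differing value is enough
        raise ValueError(f"expected a comparison operator, got {op!r}")

    def unary():  # NOT binds tightest
        if toks[0] == "!":
            toks.popleft()
            return not unary()
        if toks[0] == "(":
            toks.popleft()
            inner = either()
            if toks.popleft() != ")":
                raise ValueError("missing )")
            return inner
        return comparison()

    def chain(operand, ops, combine):  # left-to-right run at one precedence level
        result = operand()
        while toks[0] in ops:
            toks.popleft()
            result = combine(result, operand())
        return result
    both = lambda: chain(unary, ("and", "&&"), lambda a, b: a and b)  # AND before OR
    either = lambda: chain(both, ("or", "||"), lambda a, b: a or b)
    result = either()
    if toks[0] != "":  # e.g. upper-case AND / OR is not an operator
        raise ValueError(f"unexpected token {toks[0]!r}")
    return result
```

With SAMPLE, both `user.group = "audit"` and `user.group != "audit"` evaluate to True, so a != test against a list-valued property does not work as an exclusion. The unparenthesised `A or B and C` form grants access on A alone, whatever C says.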