Security rules included in Qlik Sense
In a Qlik Sense installation, a number of security rules are included by default and available in the QMC. The security rules can be used to grant users access to areas in Qlik Sense. There are three types of rules: Default, Read only, and Custom. The Read only rules are essential to Qlik Sense and cannot be edited or deleted. The Default rules can be edited. When you edit a Default rule or create a new rule, the type is changed to Custom.
The following security rules are included by default in a Qlik Sense installation.
AuditAdmin
Property | Details |
---|---|
Name | AuditAdmin |
Description | Audit admin should have read rights to audit entities |
Resource filter | * |
Actions | Read |
Context | Only in QMC |
Type | Default |
Conditions | user.roles = "AuditAdmin" and !(resource.resourcetype = "TransientObject" and resource.name like "QmcSection_*") |
AuditAdminQmcSections
Property | Details |
---|---|
Name | AuditAdminQmcSections |
Description | Audit admin should have read rights to audit related sections |
Resource filter | License_*,TermsAcceptance_*,QmcSection_AppDistributionStatus,QmcSection_CloudDistribution, QmcSection_Tag,QmcSection_Audit,QmcSection_DeploymentSetup |
Actions | Read |
Context | Only in QMC |
Type | Default |
Conditions | ((user.roles="AuditAdmin")) |
Content library content
Property | Details |
---|---|
Name | Content library content |
Description | Everyone who has read rights to a content library should also have read rights to its corresponding files |
Resource filter | StaticContentReference_* |
Actions | Read |
Context | Both in hub and QMC |
Type | Read only |
Conditions | resource.ContentLibrarys.HasPrivilege("Read") |
Content library manage content
Property | Details |
---|---|
Name | Content library manage content |
Description | Everyone who has update rights to a content library should also have rights to manage its corresponding files |
Resource filter | StaticContentReference_* |
Actions | Create, Read, Update, Delete |
Context | Both in hub and QMC |
Type | Read only |
Conditions | resource.ContentLibrarys.HasPrivilege("Update") |
ContentAdmin
Property | Details |
---|---|
Name | ContentAdmin |
Description | Content admin should have rights to manage content related entities |
Resource filter | Stream_*,App*,ReloadTask_*,ExternalProgramTask_*,UserSyncTask_*, SchemaEvent_*,User*,CustomProperty*,Tag_*,DataConnection_*,CompositeEvent_*,Extension_*,ContentLibrary_*,FileExtension_*,FileExtensionWhiteList_*,SystemNotification_*,CustomBannerMessage_* |
Actions | Create, Read, Update, Delete, Export, Publish, Change owner |
Context | Only in QMC |
Type | Default |
Conditions | ((user.roles="ContentAdmin")) |
ContentAdminQmcSections
Property | Details |
---|---|
Name | ContentAdminQmcSections |
Description | Content admin should have read rights to content related sections |
Resource filter | License_*,TermsAcceptance_*,QmcSection_Stream,QmcSection_App,QmcSection_App.Object, QmcSection_AppDistributionStatus,QmcSection_CloudDistribution,QmcSection_DataConnection, QmcSection_Tag,QmcSection_User,QmcSection_CustomPropertyDefinition,QmcSection_Task, QmcSection_Event, QmcSection_SchemaEvent,QmcSection_CompositeEvent,QmcSection_Extension, QmcSection_ReloadTask,QmcSection_UserSyncTask,QmcSection_ContentLibrary, QmcSection_Audit,QmcSection_AnalyticConnection,QmcSection_SystemNotification, QmcSection_SystemNotificationPolicy,QmcSection_DeploymentSetup,QmcSection_CustomBannerMessage |
Actions | Read |
Context | Only in QMC |
Type | Default |
Conditions | ((user.roles="ContentAdmin")) |
ContentAdminRulesAccess
Property | Details |
---|---|
Name | ContentAdminRulesAccess |
Description | Content admin should have rights to manage security rules for streams, data connections, content libraries, and extensions |
Resource filter | SystemRule_* |
Actions | Create, Read, Update, Delete |
Context | Only in QMC |
Type | Default |
Conditions | user.roles = "ContentAdmin" and (resource.category = "Security" and (resource.resourcefilter matches "Stream_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}" or resource.resourcefilter matches "DataConnection_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}" or resource.resourcefilter matches "ContentLibrary_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}" or resource.resourcefilter matches "Extension_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}") or (resource.category = "Generic" and resource.subcategory = "SystemNotification")) |
CreateApp
Property | Details |
---|---|
Name | CreateApp |
Description | Everyone, except anonymous users, should have rights to create apps |
Resource filter | App_* |
Actions | Create |
Context | Only in hub |
Type | Default |
Conditions | !user.IsAnonymous() |
CreateAppObjectsPublishedApp
Property | Details |
---|---|
Name | CreateAppObjectsPublishedApp |
Description | Everyone who has read rights to a published app should also have rights to create sheets, stories, bookmarks and snapshots belonging to that app |
Resource filter | App.Object_* |
Actions | Create |
Context | Only in hub |
Type | Default |
Conditions | !resource.App.stream.Empty() and resource.App.HasPrivilege("read") and (resource.objectType = "userstate" or resource.objectType = "sheet" or resource.objectType = "story" or resource.objectType = "bookmark" or resource.objectType = "snapshot" or resource.objectType = "embeddedsnapshot" or resource.objectType = "hiddenbookmark") and !user.IsAnonymous() |
CreateAppObjectsUnPublishedApp
Property | Details |
---|---|
Name | CreateAppObjectsUnPublishedApp |
Description | Everyone who has read rights to an unpublished app should also have rights to create app objects belonging to that app |
Resource filter | App.Object_* |
Actions | Create |
Context | Only in hub |
Type | Default |
Conditions | resource.App.stream.Empty() and resource.App.HasPrivilege("read") and !user.IsAnonymous() |
CreateOdagLinks
Property | Details |
---|---|
Name | CreateOdagLinks |
Description | Non-anonymous users with read access to the ODAG template app can create links and it is possible to create a link without first knowing the template app |
Resource filter | OdagLink_* |
Actions | Create |
Context | Only in hub |
Type | Default |
Conditions | !user.IsAnonymous() and (resource.templateApp.Empty() or resource.templateApp.HasPrivilege("read")) |
CreateOdagLinkUsage
Property | Details |
---|---|
Name | CreateOdagLinkUsage |
Description | Non-anonymous users with read access to the selectionApp and read access to the link can create OdagLinkUsages |
Resource filter | OdagLinkUsage_* |
Actions | Create |
Context | Only in hub |
Type | Default |
Conditions | !user.IsAnonymous() and (resource.selectionApp.Empty() or resource.selectionApp.HasPrivilege("read")) and (resource.link.Empty() or resource.link.HasPrivilege("read")) |
CreateOdagRequest
Property | Details |
---|---|
Name | CreateOdagRequest |
Description | Non-anonymous users with read access to the link can create new Requests using that link |
Resource filter | OdagRequest_* |
Actions | Create |
Context | Only in hub |
Type | Default |
Conditions | !user.IsAnonymous() and (resource.link.HasPrivilege("read")) |
Custom banner message
Property | Details |
---|---|
Name | Custom banner message |
Description | Allows all users to see the custom banner messages |
Resource filter | CustomBannerMessage_* |
Actions | Read |
Context | Only in hub |
Type | Default |
Conditions | true |
DataConnection
Property | Details |
---|---|
Name | DataConnection |
Description | Data connections can be created for all resource types, except "folder" |
Resource filter | DataConnection_* |
Actions | Create |
Context | Only in hub |
Type | Default |
Conditions | ((resource.type!="folder")) |
DataPrepAppCacheAccessRule
Property | Details |
---|---|
Name | DataPrepAppCacheAccessRule |
Description | Everyone, except anonymous users, should have read rights to data connections |
Resource filter | DataConnection_<Connection_ID> |
Actions | Read |
Context | Both in hub and QMC |
Type | Custom |
Conditions | !user.isAnonymous() |
Default content library
Property | Details |
---|---|
Name | Default content library |
Description | Everyone should have read rights to the default content library |
Resource filter | ContentLibrary_<Content library ID> |
Actions | Read |
Context | Both in hub and QMC |
Type | Default |
Conditions | true |
DeleteOdagLinkUsage
Property | Details |
---|---|
Name | DeleteOdagLinkUsage |
Description | Non-anonymous users with read access on the selection app can delete OdagLinkUsages for that app |
Resource filter | OdagLinkUsage_* |
Actions | Read, Delete |
Context | Only in hub |
Type | Default |
Conditions | !user.IsAnonymous() and resource.selectionApp.HasPrivilege("read") |
DeploymentAdmin
Property | Details |
---|---|
Name | DeploymentAdmin |
Description | Deployment admin should have access rights to deployment related entities |
Resource filter | ServiceCluster_*,ServerNodeConfiguration_*,Engine*,Proxy*,VirtualProxy*,Repository*,Printing*,Scheduler*, User*,CustomProperty*,Tag_*,License*, TermsAcceptance_*,ReloadTask_*,ExternalProgramTask_*, UserSyncTask_*,SchemaEvent_*,CompositeEvent_*, Deployment_*,IdentityProviderSettings_*, SystemNotification_*, CustomBannerMessage_* |
Actions | Create, Read, Update, Delete |
Context | Only in QMC |
Type | Default |
Conditions | ((user.roles="DeploymentAdmin")) |
DeploymentAdminAppAccess
Property | Details |
---|---|
Name | DeploymentAdminAppAccess |
Description | Deployment admin should have read and update rights to apps in order to handle load balancing rules |
Resource filter | App_* |
Actions | Read, Update |
Context | Only in QMC |
Type | Default |
Conditions | ((user.roles="DeploymentAdmin")) |
DeploymentAdminQmcSections
Property | Details |
---|---|
Name | DeploymentAdminQmcSections |
Description | Deployment admin should have read rights to deployment related sections |
Resource filter | License_*,TermsAcceptance_*,ServiceStatus_*,QmcSection_AppDistributionStatus, QmcSection_CloudDistribution,QmcSection_Tag,QmcSection_Templates,QmcSection_ServiceCluster, QmcSection_ServerNodeConfiguration,QmcSection_EngineService,QmcSection_ProxyService, QmcSection_VirtualProxyConfig,QmcSection_RepositoryService, QmcSection_SchedulerService,QmcSection_PrintingService,QmcSection_License*,QmcSection_Token, LoadbalancingSelectList,QmcSection_User,QmcSection_UserDirectory,QmcSection_CustomPropertyDefinition, QmcSection_Certificates,QmcSection_Certificates.Export,QmcSection_Task,QmcSection_App,QmcSection_SyncRule, QmcSection_LoadBalancingRule,QmcSection_Event,QmcSection_ReloadTask,QmcSection_UserSyncTask,QmcSection_Audit, QmcSection_DistributionPolicy,QmcSection_SystemNotification,QmcSection_SystemNotificationPolicy, QmcSection_DeploymentSetup,QmcSection_CustomBannerMessage |
Actions | Read |
Context | Only in QMC |
Type | Default |
Conditions | ((user.roles="DeploymentAdmin")) |
DeploymentAdminRulesAccess
Property | Details |
---|---|
Name | DeploymentAdminRulesAccess |
Description | Deployment admin should have rights to manage sync and license rules |
Resource filter | SystemRule_* |
Actions | Create, Read, Update, Delete |
Context | Only in QMC |
Type | Default |
Conditions | user.roles = "DeploymentAdmin" and (resource.category = "Sync" or resource.category = "License" or resource.category = "Generic") |
ExportAppData
Property | Details |
---|---|
Name | ExportAppData |
Description | Everyone is allowed to export the app data they are allowed to see, except anonymous users |
Resource filter | App_* |
Actions | Export data |
Context | Both in hub and QMC |
Type | Default |
Conditions | resource.HasPrivilege("read") and !user.IsAnonymous() |
Extension
Property | Details |
---|---|
Name | Extension |
Description | Everyone should have read rights to extensions |
Resource filter | Extension_* |
Actions | Read |
Context | Both in hub and QMC |
Type | Default |
Conditions | true |
Extension manage content
Property | Details |
---|---|
Name | Extension manage content |
Description | Everyone who has update rights to an extension should have rights to manage its corresponding files |
Resource filter | StaticContentReference_* |
Actions | Create, Read, Update, Delete |
Context | Both in hub and QMC |
Type | Read only |
Conditions | resource.Extensions.HasPrivilege("Update") |
Extension static content
Property | Details |
---|---|
Name | Extension static content |
Description | Everyone who has read rights to an extension should have read rights to its corresponding files |
Resource filter | StaticContentReference_* |
Actions | Read |
Context | Both in hub and QMC |
Type | Read only |
Conditions | resource.Extensions.HasPrivilege("Read") |
File upload connection object
Property | Details |
---|---|
Name | File upload connection object |
Description | Everyone, except anonymous users, should have read rights to data connections used for uploading files to server |
Resource filter | DataConnection_<data_connection_ID> |
Actions | Read |
Context | Both in hub and QMC |
Type | Default |
Conditions | !user.IsAnonymous() |
FolderDataConnection
Property | Details |
---|---|
Name | FolderDataConnection |
Description | Admins should have rights to manage folder data connections |
Resource filter | DataConnection_* |
Actions | Create, Read, Update, Delete |
Context | Only in hub |
Type | Default |
Conditions | resource.type = "folder" and (user.roles = "RootAdmin" or user.roles = "ContentAdmin" or user.roles = "SecurityAdmin") |
HubAdmin
Property | Details |
---|---|
Name | HubAdmin |
Description | Hub admin should have read, create and update rights to reload tasks and schema events |
Resource filter | ReloadTask_*,SchemaEvent_* |
Actions | Create, Read, Update |
Context | Only in hub |
Type | Default |
Conditions | ((user.roles="HubAdmin")) |
HubSectionHome
Property | Details |
---|---|
Name | HubSectionHome |
Description | Allows all users to access the home hub section |
Resource filter | HubSection_Home |
Actions | Read |
Context | Both in hub and QMC |
Type | Default |
Conditions | true |
HubSectionTask
Property | Details |
---|---|
Name | HubSectionTask |
Description | Allows all users to access the task hub section |
Resource filter | HubSection_Task |
Actions | Read |
Context | Only in hub |
Type | Default |
Conditions | true |
Installed static content
Property | Details |
---|---|
Name | Installed static content |
Description | Everyone should have read rights to installed static content |
Resource filter | StaticContentReference_* |
Actions | Read |
Context | Both in hub and QMC |
Type | Read only |
Conditions | ((resource.StaticContentSecurityType="Open")) |
ManageAnalyticConnection
Property | Details |
---|---|
Name | ManageAnalyticConnection |
Description | RootAdmin, ContentAdmin and SecurityAdmin roles should be able to manage an analytical connection |
Resource filter | AnalyticConnection_* |
Actions | Create, Read, Update, Delete |
Context | Both in hub and QMC |
Type | Default |
Conditions | ((user.roles="RootAdmin" or user.roles="ContentAdmin" or user.roles="SecurityAdmin")) |
Offline access
Property | Details |
---|---|
Name | Offline access |
Description | Everyone is allowed offline access to the app they are allowed to see except anonymous users |
Resource filter | App_* |
Actions | Read |
Context | Both in hub and QMC |
Type | Default |
Conditions | resource.HasPrivilege("read") and !user.IsAnonymous() |
Owner
Property | Details |
---|---|
Name | Owner |
Description | The owner of a resource should have update and delete rights if the resource is not published to a stream |
Resource filter | * |
Actions | Update, Delete |
Context | Both in hub and QMC |
Type | Default |
Conditions | resource.IsOwned() and (resource.owner = user and !((resource.resourcetype = "App" and !resource.stream.Empty()) or (resource.resourcetype = "App.Object" and resource.published = "true"))) |
OwnerAnonymousTempContent
Property | Details |
---|---|
Name | OwnerAnonymousTempContent |
Description | An anonymous owner of temporary content should be able to access and delete it |
Resource filter | TempContent_* |
Actions | Read, Delete |
Context | Both in hub and QMC |
Type | Read only |
Conditions | user.IsAnonymous() and resource.anonymousOwnerUserId = user.userId |
OwnerAppApproveAppObject
Property | Details |
---|---|
Name | OwnerAppApproveAppObject |
Description | The owner of an app should be able to approve app objects belonging to the app |
Resource filter | App.Object_* |
Actions | Approve |
Context | Both in hub and QMC |
Type | Default |
Conditions | resource.App.owner = user |
OwnerPublishAppObject
Property | Details |
---|---|
Name | OwnerPublishAppObject |
Description | The owner of an app object should have publish rights to the object unless it is approved |
Resource filter | App.Object_* |
Actions | Publish |
Context | Both in hub and QMC |
Type | Default |
Conditions | resource.IsOwned() and resource.owner = user and resource.approved = "false" and resource.app.stream.HasPrivilege("publish") |
OwnerPublishDuplicate
Property | Details |
---|---|
Name | OwnerPublishDuplicate |
Description | The owner of an app or a stream should be able to publish, and the owner of an app should be able to duplicate |
Resource filter | App_*,Stream_* |
Actions | Publish, Duplicate |
Context | Both in hub and QMC |
Type | Default |
Conditions | resource.IsOwned() and resource.owner = user |
OwnerRead
Property | Details |
---|---|
Name | OwnerRead |
Description | The owner of a resource should have read rights to the resource if it is published to a stream |
Resource filter | * |
Actions | Read |
Context | Both in hub and QMC |
Type | Read only |
Conditions | resource.IsOwned() and resource.owner = user |
OwnerUpdateApp
Property | Details |
---|---|
Name | OwnerUpdateApp |
Description | The owner of an app should be able to update |
Resource filter | App_* |
Actions | Update |
Context | Both in hub and QMC |
Type | Default |
Conditions | resource.IsOwned() and resource.owner = user |
QMCCachingSupport
Property | Details |
---|---|
Name | QMCCachingSupport |
Description | Enable this rule along with QmcCacheEnabled flag to support QMC-caching |
Resource filter | ExecutionSession_*,ExecutionResult_*,*TaskOperational* |
Actions | Read |
Context | Only in QMC |
Type | Default |
Conditions | ((user.roles="ContentAdmin" or user.roles="DeploymentAdmin")) |
ReadAnalyticConnectionEveryone
Property | Details |
---|---|
Name | ReadAppContentFiles |
Description | Non-anonymous users can read an analytic connection |
Resource filter | AnalyticConnection_* |
Actions | Read |
Context | Only in hub |
Type | Read only |
Conditions | !user.IsAnonymous() |
ReadAppContentFiles
Property | Details |
---|---|
Name | ReadAppContentFiles |
Description | Everyone who has read rights to an app should also have read rights to its content files |
Resource filter | StaticContentReference_* |
Actions | Read |
Context | Both in hub and QMC |
Type | Read only |
Conditions | resource.AppContents.App.HasPrivilege("Read") |
ReadAppContents
Property | Details |
---|---|
Name | ReadAppContents |
Description | Everyone who has read rights to an app should also have read rights to app content belonging to that app |
Resource filter | App.Content_* |
Actions | Read |
Context | Both in hub and QMC |
Type | Read only |
Conditions | resource.App.HasPrivilege("read") |
ReadAppDataSegments
Property | Details |
---|---|
Name | ReadAppDataSegments |
Description | Everyone who has read rights to an app should also have read rights to app data segments belonging to that app |
Resource filter | App.DataSegment_* |
Actions | Read |
Context | Both in hub and QMC |
Type | Read only |
Conditions | resource.App.HasPrivilege("read") and !user.IsAnonymous() |
ReadAppInternals
Property | Details |
---|---|
Name | ReadAppInternals |
Description | Everyone who has read rights to an app should also have read rights to app internals belonging to that app |
Resource filter | App.Internal_* |
Actions | Read |
Context | Both in hub and QMC |
Type | Read only |
Conditions | resource.App.HasPrivilege("read") |
ReadContentCacheControl
Property | Details |
---|---|
Name | ReadContentCacheControl |
Description | Read-access to parent content library should also give read-access to referencing content cache controls. |
Resource filter | ContentCacheControl_* |
Actions | Read |
Context | Both in hub and QMC |
Type | Default |
Conditions | ((user.roles="ContentAdmin" or user.roles="SecurityAdmin" or resource.contentLibrary.HasPrivilege("read"))) |
ReadCustomProperties
Property | Details |
---|---|
Name | ReadCustomProperties |
Description | Non-anonymous users can read custom property definitions and values |
Resource filter | CustomProperty* |
Actions | Read |
Context | Both in hub and QMC |
Type | Default |
Conditions | !user.IsAnonymous() |
ReadOdagLinks
Property | Details |
---|---|
Name | ReadOdagLinks |
Description | Non-anonymous users can read ODAG links |
Resource filter | OdagLink_* |
Actions | Read |
Context | Only in hub |
Type | Default |
Conditions | !user.IsAnonymous() |
ReadOdagLinkUsage
Property | Details |
---|---|
Name | ReadOdagLinkUsage |
Description | Non-anonymous users with read access to the selection app can read its OdagLinkUsages |
Resource filter | OdagLinkUsage_* |
Actions | Read |
Context | Only in hub |
Type | Default |
Conditions | !user.IsAnonymous() |
RootAdmin
Property | Details |
---|---|
Name | RootAdmin |
Description | Root admin should have full access rights |
Resource filter | * |
Actions | Create, Read, Update, Delete, Export, Publish, Change owner, Change role, Export data |
Context | Only in QMC |
Type | Read only |
Conditions | ((user.roles="RootAdmin")) |
SecurityAdmin
Property | Details |
---|---|
Name | SecurityAdmin |
Description | Security admin should have access rights to security related entities |
Resource filter | Stream_*,App*,Proxy*,VirtualProxy*,User*,SystemRule_*,CustomProperty*,Tag_*,DataConnection_*, ContentLibrary_*,FileExtension_*,FileExtensionWhiteList_*,Deployment_*, IdentityProviderSettings_* |
Actions | Create, Read, Update, Delete, Export, Publish, Change owner |
Context | Only in QMC |
Type | Default |
Conditions | ((user.roles="SecurityAdmin")) |
SecurityAdminQmcSections
Property | Details |
---|---|
Name | SecurityAdminQmcSections |
Description | Security admin should have read rights to security related sections |
Resource filter | License_*,TermsAcceptance_*,ServiceStatus_*,QmcSection_Stream,QmcSection_App, QmcSection_App.Object,QmcSection_AppDistributionStatus,QmcSection_CloudDistribution,QmcSection_SystemRule, QmcSection_DataConnection,QmcSection_Tag,QmcSection_Templates,QmcSection_Audit,QmcSection_ProxyService,QmcSection_VirtualProxyConfig,QmcSection_User,QmcSection_CustomPropertyDefinition, QmcSection_Certificates,QmcSection_Certificates.Export,QmcSection_ContentLibrary, QmcSection_AnalyticConnection,QmcSection_DeploymentSetup |
Actions | Read |
Context | Only in QMC |
Type | Default |
Conditions | ((user.roles="SecurityAdmin")) |
SecurityAdminServerNodeConfiguration
Property | Details |
---|---|
Name | SecurityAdminServerNodeConfiguration |
Description | Security admin should have read rights to the ServerNodeConfiguration entity |
Resource filter | ServerNodeConfiguration_* |
Actions | Read |
Context | Only in QMC |
Type | Default |
Conditions | ((user.roles="SecurityAdmin")) |
ServiceAccount
Property | Details |
---|---|
Name | ServiceAccount |
Description | Service accounts should have rights to perform all actions |
Resource filter | * |
Actions | Create, Read, Update, Delete, Export, Publish, Change owner, Change role, Export data |
Context | Both in hub and QMC |
Type | Read only |
Conditions | ((user.UserDirectory="INTERNAL" and user.UserId like "sa_*")) |
Shared content manage content
Property | Details |
---|---|
Name | Shared content manage content |
Description | Everyone who has update rights to shared content should also have rights to manage its corresponding files |
Resource filter | StaticContentReference_* |
Actions | Create, Read, Update, Delete |
Context | Both in hub and QMC |
Type | Read only |
Conditions | resource.SharedContents.HasPrivilege("Update") |
Shared content see content
Property | Details |
---|---|
Name | Shared content see content |
Description | Everyone who has read rights to shared content should also have read rights to the corresponding files |
Resource filter | StaticContentReference_* |
Actions | Read |
Context | Both in hub and QMC |
Type | Read only |
Conditions | resource.SharedContents.HasPrivilege("Read") |
Stream
Property | Details |
---|---|
Name | Stream |
Description | Everyone who has read rights to a stream should also have read rights to a resource published to that stream |
Resource filter | App* |
Actions | Read |
Context | Both in hub and QMC |
Type | Default |
Conditions | (resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read")) |
StreamEveryone
Property | Details |
---|---|
Name | StreamEveryone |
Description | Everyone, except anonymous users, should have read and publish rights to the default stream called Everyone |
Resource filter | Stream_<stream_ID> |
Actions | Read, Publish |
Context | Both in hub and QMC |
Type | Default |
Conditions | !user.IsAnonymous() |
StreamEveryoneAnonymous
Property | Details |
---|---|
Name | StreamEveryoneAnonymous |
Description | Anonymous users should have read rights to the default stream called Everyone |
Resource filter | Stream_<stream_ID> |
Actions | Read |
Context | Only in hub |
Type | Default |
Conditions | user.IsAnonymous() |
StreamMonitoringAppsPublish
Property | Details |
---|---|
Name | StreamMonitoringAppsPublish |
Description | RootAdmin, ContentAdmin, and SecurityAdmin should have publish rights to the default stream called Monitoring apps |
Resource filter | Stream_<stream_ID> |
Actions | Publish |
Context | Only in hub |
Type | Default |
Conditions | ((user.roles="RootAdmin" or user.roles="ContentAdmin" or user.roles="SecurityAdmin")) |
StreamMonitoringAppsRead
Property | Details |
---|---|
Name | StreamMonitoringAppsRead |
Description | Default administrators should have read rights to the default stream called Monitoring apps |
Resource filter | Stream_<stream_ID> |
Actions | Read |
Context | Both in hub and QMC |
Type | Default |
Conditions | ((user.roles="RootAdmin" or user.roles="ContentAdmin" or user.roles="SecurityAdmin" or user.roles="DeploymentAdmin" or user.roles="AuditAdmin")) |
Temporary content
Property | Details |
---|---|
Name | Temporary content |
Description | Everyone, except anonymous users, should have rights to create temporary content |
Resource filter | TempContent_* |
Actions | Create |
Context | Both in hub and QMC |
Type | Read only |
Conditions | !user.IsAnonymous() |
UpdateAppContentFiles
Property | Details |
---|---|
Name | UpdateAppContentFiles |
Description | Everyone who has update rights to an app should also have rights to manage its content files |
Resource filter | StaticContentReference_* |
Actions | Create, Read, Update, Delete |
Context | Both in hub and QMC |
Type | Read only |
Conditions | resource.AppContents.App.HasPrivilege("Update") |
UpdateAppContents
Property | Details |
---|---|
Name | UpdateAppContents |
Description | Everyone who has update rights to an app should also have update rights to app content belonging to that app |
Resource filter | App.Content_* |
Actions | Update |
Context | Both in hub and QMC |
Type | Read only |
Conditions | resource.App.HasPrivilege("update") |
UpdateAppDataSegments
Property | Details |
---|---|
Name | UpdateAppDataSegments |
Description | Everyone who has update rights to an app should also have rights to manage app data segments belonging to that app |
Resource filter | App.DataSegment_* |
Actions | Create, Read, Update, Delete |
Context | Both in hub and QMC |
Type | Read only |
Conditions | resource.App.HasPrivilege("update") and !user.IsAnonymous() |
UpdateAppInternals
Property | Details |
---|---|
Name | UpdateAppInternals |
Description | Everyone who has update rights to an app should also have rights to manage app internals belonging to that app |
Resource filter | App.Internal_* |
Actions | Create, Read, Update, Delete |
Context | Both in hub and QMC |
Type | Read only |
Conditions | resource.App.HasPrivilege("update") |