Security rules example: Recreating a document admin by creating a QMC app admin
In this example, you recreate a QlikView document administrator in Qlik Sense. You can recreate the administrator by doing the following:
- Creating a new role (app admin)
- Creating a custom property to connect this role to the apps
The following table presents the security rules for the app admin role.
Security rule | The result of the rule |
---|---|
AppAdminQmcSections | Controls the sections in the QMC that are to be visible for the administrator. |
AppAdminRead | Controls which resources the administrator is to be able to read. |
AppAdminModify | Controls which resources the administrator is to be able to modify. |
Procedure
Do the following:
- Create the three new security rules (AppAdminQmcSections, AppAdminRead and AppAdminModify):
  - Select Security rules and click Create new.
  - In the Advanced and Basic sections, fill in the fields Resource filter, Conditions, Actions and Context per Security rule code for "AppAdminQmcSections".
  - Set the Name to correspond to the activity.
  - Click Apply.
- Apply the role to the user to make the user become app admin:
  - Select Users, select a user and click Edit.
  - Click under Admin roles and select AppAdmin.
  - Click Apply.
- Create a new custom property and add the user as a value:
  - Select Custom properties and click Create new.
  - Type AppAdmin in the Name field.
  - Under Resource types, select Apps.
  - Under Values, click Create new, add the User ID as a value and click OK.
  - Click Apply.
- Select the apps that this user is to be able to administrate:
  - Select Apps, Ctrl+click to select more than one app and click Edit.
  - Select the User ID for the custom property AppAdmin.
  - Click Apply.
You have now created and assigned the app admin role. When the user with this role logs in to the QMC, the following can be accessed: apps, tasks, sheets, and streams.
Security rule code
The following is the security rule code for this example, with explanatory comments.
Security rule code for "AppAdminQmcSections"
Field | Code | Comments |
---|---|---|
Resource filter | QmcSection_Stream, QmcSection_App, QmcSection_App.Sheet,QmcSection_App.Story, QmcSection_Tag,QmcSection_Task, QmcSection_ReloadTask, QmcSection_Event, QmcSection_SchemaEvent, QmcSection_CompositeEvent | Specifically filters on streams, apps, sheets, stories, tags, tasks, and triggers. |
Conditions | user.roles = "AppAdmin" | The rule will apply to all users that have the user role set to AppAdmin. |
Actions | read | Read action will be granted provided the conditions are met. |
Context | Only in QMC | The rule is only valid when you use the QMC. |
Security rule code for "AppAdminRead"
Field | Code | Comments |
---|---|---|
Resource filter | Stream_*,App*,ReloadTask_*,SchemaEvent_*,Tag_*,CompositeEvent_*,User* | Specifically filters on resource types: streams, apps, sheets, stories, tags, tasks, and triggers. |
Conditions | user.roles = "AppAdmin" and ( (resource.resourcetype="App" and resource.@AppAdmin=user.userId and user.userDirectory="QVNCycles") or ((resource.resourcetype="ReloadTask" or resource.resourcetype="App.Object") and resource.app.@AppAdmin=user.userId and user.userDirectory="QVNCycles") or resource.resourcetype="SchemaEvent" or resource.resourcetype="CompositeEvent" or resource.resourcetype="Tag" or resource.resourcetype="Stream" or resource.resourcetype="User") | The rule will apply to all users with the same userId as the custom property AppAdmin connected to apps. |
Actions | read | Read action will be granted provided the conditions are met. |
Context | Only in QMC | The rule is only valid when you use the QMC. |
Security rule code for "AppAdminModify"
This rule determines what the app admin can modify in the QMC. It is the same rule as for read, except that streams cannot be modified.
Field | Code | Comments |
---|---|---|
Resource filter | App*,ReloadTask_*,SchemaEvent_*,Tag_*,CompositeEvent_* | Specifically filters on resource types: streams, apps, sheets, stories, tags, tasks, and triggers. |
Conditions | user.roles = "AppAdmin" and ( (resource.resourcetype="App" and resource.@AppAdmin=user.userId and user.userDirectory="QVNCycles") or ((resource.resourcetype="ReloadTask" or resource.resourcetype="App.Object") and resource.app.@AppAdmin=user.userId and user.userDirectory="QVNCycles") or resource.resourcetype="SchemaEvent" or resource.resourcetype="CompositeEvent" or resource.resourcetype="Tag") | The rule will apply to all users with the same userId as the custom property AppAdmin connected to apps. |
Actions | create, update, delete, changeowner | The specified actions will be granted provided the conditions are met. |
Context | Only in QMC | The rule is only valid when you use the QMC. |
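To check the scope of the AppAdminRead and AppAdminModify conditions before assigning the role, the following added example (not Qlik's code) models the two rules in Python and evaluates them against constructed resources. It assumes exact string comparison, one AppAdmin custom property value per app, and resource ids of the form `Type_<id>`; the user, app and id values are hypothetical.

```python
from fnmatch import fnmatchcase

USER_DIR = "QVNCycles"  # user directory hard-coded in the page's conditions

# Resource filter, actions and the resource types the conditions leave
# without a per-app check, copied from the two tables on this page.
RULES = {
    "AppAdminRead": {
        "filter": "Stream_*,App*,ReloadTask_*,SchemaEvent_*,Tag_*,CompositeEvent_*,User*",
        "unscoped": {"SchemaEvent", "CompositeEvent", "Tag", "Stream", "User"},
        "actions": {"read"},
    },
    "AppAdminModify": {
        "filter": "App*,ReloadTask_*,SchemaEvent_*,Tag_*,CompositeEvent_*",
        "unscoped": {"SchemaEvent", "CompositeEvent", "Tag"},
        "actions": {"create", "update", "delete", "changeowner"},
    },
}

def condition(rule, user, res):
    """Model of the Conditions field (exact string match is an assumption)."""
    if "AppAdmin" not in user["roles"]:
        return False
    in_dir = user["userDirectory"] == USER_DIR
    rtype = res["resourcetype"]
    if rtype == "App":
        return in_dir and res.get("@AppAdmin") == user["userId"]
    if rtype in ("ReloadTask", "App.Object"):
        return in_dir and res["app"].get("@AppAdmin") == user["userId"]
    return rtype in rule["unscoped"]

def allowed(rule_name, action, user, res):
    """True if this one rule grants `action`; other rules are not modeled."""
    rule = RULES[rule_name]
    in_filter = any(fnmatchcase(res["id"], p) for p in rule["filter"].split(","))
    return in_filter and action in rule["actions"] and condition(rule, user, res)

# Constructed sample data: ids, user names and app names are hypothetical.
alice = {"userId": "alice", "userDirectory": "QVNCycles", "roles": ["AppAdmin"]}
sales = {"id": "App_1", "resourcetype": "App", "@AppAdmin": "alice"}
hr = {"id": "App_2", "resourcetype": "App", "@AppAdmin": "bob"}
hr_task = {"id": "ReloadTask_9", "resourcetype": "ReloadTask", "app": hr}
stream = {"id": "Stream_1", "resourcetype": "Stream"}
tag = {"id": "Tag_7", "resourcetype": "Tag"}

if __name__ == "__main__":
    for res in (sales, hr, hr_task, stream, tag):
        print(res["id"], allowed("AppAdminRead", "read", alice, res),
              allowed("AppAdminModify", "update", alice, res))
```

In this model, as in the conditions on the page, SchemaEvent, CompositeEvent and Tag resources carry no @AppAdmin check, so every user with the AppAdmin role is granted the modify actions on them. The app and task branches only match users whose userDirectory equals the value written in the condition.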