Security rules example: Recreating a document admin by creating a QMC app admin

In this example, you recreate a QlikView document administrator in Qlik Sense. You can recreate the administrator by doing the following:

  • Creating a new role (app admin)
  • Creating a custom property to connect this role to the apps

The following table presents the security rules for the app admin role.

| Security rule | The result of the rule |
| --- | --- |
| AppAdminQmcSections | Controls the sections in the QMC that are to be visible for the administrator. |
| AppAdminRead | Controls which resources the administrator is to be able to read. |
| AppAdminModify | Controls which resources the administrator is to be able to modify. |

Note: The rules that grant modify and read access have been split. This lets the app admin read (but not modify) information that can be important to understand when working with apps; in this example, the stream information.

Procedure

Do the following:

  1. Create the three new security rules (AppAdminQmcSections, AppAdminRead and AppAdminModify): 

    1. Select Security rules and click Create new.
    2. In the Advanced and Basic sections, fill in the fields Resource filter, Conditions, Actions and Context per Security rule code for "AppAdminQmcSections".

    3. Set the Name to correspond to the activity.
    4. Click Apply.
  2. Apply the role to the user to make the user become app admin: 

    1. Select Users, select a user and click Edit.

    2. Click the icon under Admin roles and select AppAdmin.
    3. Click Apply.

  3. Create a new custom property and add the user as a value:

    1. Select Custom properties and click Create new.
    2. Type AppAdmin in the Name field.
    3. Under Resource types, select Apps.
    4. Under Values, click Create new, add the User ID as a value and click OK.
    5. Click Apply.
  4. Select the apps that this user is to be able to administrate:

    1. Select Apps, Ctrl+click to select more than one app and click Edit.
    2. Select the User ID for the custom property AppAdmin.
    3. Click Apply.

You have now created and assigned the app admin role. When the user with this role logs in to the QMC, the following can be accessed: apps, tasks, sheets, and streams.

Security rule code

The following is the security rule code for this example, with explanatory comments.

Security rule code for "AppAdminQmcSections"

| Field | Code | Comments |
| --- | --- | --- |
| Resource filter | `QmcSection_Stream, QmcSection_App, QmcSection_App.Sheet, QmcSection_App.Story, QmcSection_Tag, QmcSection_Task, QmcSection_ReloadTask, QmcSection_Event, QmcSection_SchemaEvent, QmcSection_CompositeEvent` | Specifically filters on streams, apps, sheets, stories, tags, tasks, and triggers. |
| Conditions | `user.roles = "AppAdmin"` | The rule will apply to all users that have the user role set to AppAdmin. |
| Actions | `read` | Read action will be granted provided the conditions are met. |
| Context | Only in QMC | The rule is only valid when you use the QMC. |

Security rule code for "AppAdminRead"

| Field | Code | Comments |
| --- | --- | --- |
| Resource filter | `Stream_*,App*,ReloadTask_*,SchemaEvent_*,Tag_*,CompositeEvent_*,User*` | Specifically filters on resource types: streams, apps, sheets, stories, tags, tasks, and triggers. |
| Conditions | `user.roles = "AppAdmin" and ( (resource.resourcetype="App" and resource.@AppAdmin=user.userId and user.userDirectory="QVNCycles") or ((resource.resourcetype="ReloadTask" or resource.resourcetype="App.Object") and resource.app.@AppAdmin=user.userId and user.userDirectory="QVNCycles") or resource.resourcetype="SchemaEvent" or resource.resourcetype="CompositeEvent" or resource.resourcetype="Tag" or resource.resourcetype="Stream" or resource.resourcetype="User")` | The rule will apply to all users with the same userId as the custom property AppAdmin connected to apps. |
| Actions | `read` | Read action will be granted provided the conditions are met. |
| Context | Only in QMC | The rule is only valid when you use the QMC. |

Security rule code for "AppAdminModify"

This rule determines what the app admin can modify in the QMC. It is the same rule as for read, except that streams cannot be modified.

| Field | Code | Comments |
| --- | --- | --- |
| Resource filter | `App*,ReloadTask_*,SchemaEvent_*,Tag_*,CompositeEvent_*` | Specifically filters on resource types: streams, apps, sheets, stories, tags, tasks, and triggers. |
| Conditions | `user.roles = "AppAdmin" and ( (resource.resourcetype="App" and resource.@AppAdmin=user.userId and user.userDirectory="QVNCycles") or ((resource.resourcetype="ReloadTask" or resource.resourcetype="App.Object") and resource.app.@AppAdmin=user.userId and user.userDirectory="QVNCycles") or resource.resourcetype="SchemaEvent" or resource.resourcetype="CompositeEvent" or resource.resourcetype="Tag")` | The rule will apply to all users with the same userId as the custom property AppAdmin connected to apps. |
| Actions | `create, update, delete, changeowner` | The specified actions will be granted provided the conditions are met. |
| Context | Only in QMC | The rule is only valid when you use the QMC. |
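
The AppAdminRead and AppAdminModify conditions can be checked offline against test users before they are entered in the QMC. The following Python model is an added example, not Qlik code: it assumes resources are addressed as `<type>_<id>`, that `*` in a resource filter is a wildcard, and that a custom property holds a set of values. The users and apps are constructed, and the "Only in QMC" context is not modelled.

```python
from fnmatch import fnmatchcase

# Filters and directory name are copied from the rule tables on this page.
READ_FILTER = "Stream_*,App*,ReloadTask_*,SchemaEvent_*,Tag_*,CompositeEvent_*,User*"
MODIFY_FILTER = "App*,ReloadTask_*,SchemaEvent_*,Tag_*,CompositeEvent_*"
DIRECTORY = "QVNCycles"
READ_OPEN = {"SchemaEvent", "CompositeEvent", "Tag", "Stream", "User"}
MODIFY_OPEN = {"SchemaEvent", "CompositeEvent", "Tag"}

def filter_matches(resource_filter, res):
    # Assumption: a resource is addressed as "<type>_<id>" and * is a wildcard.
    name = f"{res['type']}_{res['id']}"
    return any(fnmatchcase(name, p.strip()) for p in resource_filter.split(","))

def owns(user, res):
    # resource.@AppAdmin for apps, resource.app.@AppAdmin for tasks and app objects.
    tagged = res.get("app", res).get("AppAdmin", set())
    return user["userId"] in tagged and user["userDirectory"] == DIRECTORY

def condition(user, res, open_types):
    if "AppAdmin" not in user["roles"]:
        return False
    if res["type"] in ("App", "ReloadTask", "App.Object"):
        return owns(user, res)          # app-scoped branches check ID and directory
    return res["type"] in open_types    # remaining branches have no ownership check

def allowed(action, user, res):
    if action == "read":
        return filter_matches(READ_FILTER, res) and condition(user, res, READ_OPEN)
    if action in ("create", "update", "delete", "changeowner"):
        return filter_matches(MODIFY_FILTER, res) and condition(user, res, MODIFY_OPEN)
    return False

# Constructed sample data (hypothetical users, apps and IDs).
sales = {"type": "App", "id": "a1", "AppAdmin": {"jdoe"}}
hr = {"type": "App", "id": "a2", "AppAdmin": {"asmith"}}
task = {"type": "ReloadTask", "id": "t1", "app": sales}
stream = {"type": "Stream", "id": "s1"}
jdoe = {"userId": "jdoe", "userDirectory": "QVNCycles", "roles": {"AppAdmin"}}
other_jdoe = {"userId": "jdoe", "userDirectory": "PARTNERS", "roles": {"AppAdmin"}}

if __name__ == "__main__":
    for who, user in (("QVNCycles\\jdoe", jdoe), ("PARTNERS\\jdoe", other_jdoe)):
        for res in (sales, hr, task, stream):
            verdict = [a for a in ("read", "update") if allowed(a, user, res)]
            print(f"{who:16} {res['type']}_{res['id']:3} {verdict}")
```

In this model the `user.userDirectory` check guards only the app-scoped branches, so an AppAdmin user from another directory with the same user ID is denied the tagged app but still reads streams.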