
Security rules example: Applying Qlik Sense access rights for user types

In this example, you set access rights according to user types. Your development department comprises the following user types:

  • Developer: is allowed to create apps, sheets, stories, objects and can use and create data connections.
  • Contributor: is allowed to create stories and sheets for published apps but is not allowed to create new apps.
  • Consumer: can only consume and is not allowed to create content.

The following activities with corresponding access rights have been identified.

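| Activity               | Developer | Contributor | Consumer    |
|------------------------|-----------|-------------|-------------|
| Create app             | Allowed   | Not allowed | Not allowed |
| Create app object      | Allowed   | Allowed     | Not allowed |
| Create data connection | Allowed   | Not allowed | Not allowed |
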
Note: The following assumes that you have the out-of-the-box rule Stream in place that gives users read access to apps on a stream that they have read access to. This will enable Consumers to read apps. Also, when setting up the access rights according to this example, the following out-of-the-box security rules must be disabled: CreateApp, CreateAppObjectsPublishedApp, CreateAppObjectsUnPublishedApp, and DataConnection.

You set access rights according to user types by using security rules in the following main steps:

  1. Define each user type so that it is possible to apply rules to each user type instead of individual users.
  2. Apply the custom property to the relevant users.

    Tip: Alternatively, if you have a user directory with a corresponding group, you can use that instead of custom properties.
  3. Create one rule per activity type.

Procedure

Do the following:

  1. Define the user types as values to a custom property.
    1. Create a custom property called UserType.
    2. Apply the custom property to the resource type Users.
    3. Define the custom property values as Developer, Contributor, and Consumer.
    4. Click Apply.
  2. Apply the UserType custom property to the appropriate users in the Users page.
  3. Create the four new security rules (CreateApp, CreateAppObjectsPublishedApp, CreateAppObjectsUnPublishedApp, and DataConnection):
    1. Select Security rules and click Create new.

    2. In the Advanced and Basic sections, fill in the fields Resource filter, Conditions, Actions and Context.

      Security rule code for "Create app".

    3. Set the Name to correspond to the activity.

    4. Click Apply.

  4. Make sure the following out-of-the-box security rules are disabled or deleted:

    1. CreateApp
    2. CreateAppObjectsPublishedApp
    3. CreateAppObjectsUnPublishedApp
    4. DataConnection

You have now created rules to give access rights according to user types.

Security rule code

The following is the security rule code for this example, with explanatory comments.

Security rule code for "Create app"

Field: Resource filter
  Code: App_*,FileReference_*
  Comments: Specifically filters on resource type App.

Field: Conditions
  Code: !user.IsAnonymous() and (user.@usertype="Developer")
  Comments:
    !user.IsAnonymous()
    This condition uses the security rules function IsAnonymous() that can be used to evaluate whether the user is logged in as anonymous. In this case, if the user is logged in as an anonymous user, the condition is not met.

    (user.@usertype="Developer")
    The condition is met by all users that have the custom property @usertype set to Developer.

    Tip: Alternatively, if you have a user directory with a corresponding group, you can use that instead of custom properties. In this case the condition could look like this: user.group="Developer".

Field: Action
  Code: create
  Comments: The specified action is granted provided that the conditions are met.

Security rule code for "Create app object" (sheets, stories, app objects)

Field: Resource filter
  Code: App.Object_*
  Comments: Specifically filters on resource type App.Object.

Field: Conditions
  Code: resource.App.HasPrivilege("read") and !user.IsAnonymous() and (user.@usertype= "Developer" or user.@usertype= "Contributor")
  Comments:
    resource.App.HasPrivilege("read")
    This condition uses a security rules function HasPrivilege() that can be used to evaluate access rights for resource types.

    In this instance, the function evaluates whether the resource type user is allowed to perform the action update on the resource sheet. This means that a Contributor will be allowed to create objects for sheets that the contributor owns.

Field: Action
  Code: create
  Comments: The specified action is granted provided that the conditions are met.

Security rule code for "Data connections"

Field: Resource filter
  Code: DataConnection_*
  Comments: Specifically filters on resource type DataConnection.

Field: Conditions
  Code: resource.resourcetype = "DataConnection" and (user.@usertype="Developer")
  Comments:
    resource.resourcetype = "DataConnection"
    The rule will apply to resources of the type DataConnection.

    user.@usertype="Developer"
    The rule will apply to users with the custom property @usertype set to "Developer".

Field: Action
  Code: create
  Comments: The specified action is granted provided that the conditions are met.
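
An offline check of the finished configuration against the procedure above, added here as an example and not Qlik's own code. It flags out-of-the-box rules that are still enabled (an enabled rule keeps granting create alongside the custom ones) and custom rules whose conditions name user types other than those in the activity table. The rule list, its field names and the custom rule name CreateAppObject are constructed assumptions.

```python
import re

# Constructed sample of an exported rule list. Field names (name, type, disabled,
# resourceFilter, rule) and the default rules' conditions are assumptions.
SAMPLE_RULES = [
    {"name": "CreateApp", "type": "Default", "disabled": True,
     "resourceFilter": "App_*", "rule": "!user.IsAnonymous()"},
    {"name": "CreateAppObjectsPublishedApp", "type": "Default",
     "disabled": False, "resourceFilter": "App.Object_*",
     "rule": "!user.IsAnonymous()"},
    {"name": "CreateApp", "type": "Custom", "disabled": False,
     "resourceFilter": "App_*,FileReference_*",
     "rule": '!user.IsAnonymous() and (user.@usertype="Developer")'},
    {"name": "CreateAppObject", "type": "Custom", "disabled": False,
     "resourceFilter": "App.Object_*",
     "rule": 'resource.App.HasPrivilege("read") and !user.IsAnonymous() and '
             '(user.@usertype= "Developer" or user.@usertype= "Contributor")'},
    {"name": "DataConnection", "type": "Custom", "disabled": False,
     "resourceFilter": "DataConnection_*",
     "rule": 'resource.resourcetype = "DataConnection" and '
             '(user.@usertype="Developer" or user.@usertype="Contributor")'},
]
DEFAULTS = {"CreateApp", "CreateAppObjectsPublishedApp",
            "CreateAppObjectsUnPublishedApp", "DataConnection"}
# Resource filter -> user types allowed to create, from the page's table.
EXPECTED = {"App_*,FileReference_*": {"Developer"},
            "App.Object_*": {"Developer", "Contributor"},
            "DataConnection_*": {"Developer"}}
# Heuristic: collects user types compared with "="; no boolean evaluation.
USERTYPE = re.compile(r'user\.@usertype\s*=\s*"([^"]+)"')

def audit(rules):
    """Return findings where the rule set departs from the page's setup."""
    findings = [f"default rule still enabled: {r['name']}" for r in rules
                if r["type"] == "Default" and r["name"] in DEFAULTS
                and not r["disabled"]]
    custom = {r["resourceFilter"]: r for r in rules
              if r["type"] == "Custom" and not r["disabled"]}
    for flt, want in EXPECTED.items():
        rule = custom.get(flt)
        if rule is None:
            findings.append(f"no enabled custom rule for {flt}")
            continue
        got = set(USERTYPE.findall(rule["rule"]))
        if got != want:
            findings.append(f"{rule['name']}: grants {sorted(got)}, "
                            f"expected {sorted(want)}")
    return findings
```

Calling audit(SAMPLE_RULES) reports the enabled default rule and the DataConnection rule that also names Contributor; a rule set that matches the procedure returns an empty list.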
