Skip to main content Skip to complementary content

Security rules example: Creating QMC content admin roles

In this example, you organize the administration of access rights for streams and their contents by doing the following:

  • Creating an administrator for each stream
  • Providing each administrator with full access rights to the stream and apps, sheets, and stories in the stream

You can do this by creating security rules for each individual user, but it is easier to apply security rules based on an admin role. Since there is no default administrator role for streams, you have to create one. This is done by defining a rule and then applying it to a user role.

In the example, you create an administrator for the Stream 1 stream, but the following steps can be applied to any stream.

Procedure

Do the following:

  1. Select Security rules and click PCreate new.

  2. Type a name for the security rule in the Name field.

  3. The resource filter for the rule should be set to filter on streams and their apps, sheets, stories, and tasks.

    In the Advanced section, fill in the Resource filter field with text as per Security rule code.

  4. You now need to set the conditions to specify the resources that the rule applies to, and the user role that the rule defines.

    In the Advanced section, fill in the Conditions field with text as per Security rule code.

  5. Set the actions that the rule should provide for the specified resources.

    In the Basic section, select the Actions as per Security rule code.

  6. Click Apply.

  7. You need to assign the role to the user who will be the stream administrator.

    Go to QMC > Users.

  8. Select the user and click Edit.

  9. Click P under Admin roles and select Stream1Admin.

  10. Click Apply.

You have now created an administrator role for the stream named Stream1Admin.

Security rule code

The following is the security rule code for this example, with explanatory comments.

Field Code Comments
Resource filter Stream_*, App_*, App.Object_*, ReloadTask_*

Specifically filters on resource types Stream, App, AppObjects and ReloadTasks.

Tip noteAlternatively you could write App* instead of App_*, App.Object_* as using the wildcard (*) without the underscore (_). This implies all resource types beginning with App will be targeted.
Conditions user.roles = "Stream1Admin" and ((resource.resourcetype="Stream" and resource.name="Stream 1") or (resource.resourcetype="App" and resource.stream.name="Stream 1") or (resource.resourcetype="App.Object" and resource.objectType="sheet" and resource.app.stream.name="Stream 1") or (resource.resourcetype="ReloadTask" and resource.app.stream.name="Stream 1"))

user.roles = "Stream1Admin" and

The conditions that follow define the user role Stream1Admin which will be available in Users > Roles.

((resource.resourcetype="Stream" and resource.name="Stream 1") or

The rule applies to streams with the name Stream1 only. The double parenthesis at the beginning is due to the preceding and statement.

(resource.resourcetype="App" and resource.stream.name="Stream 1") or

The rule applies to all apps in Stream 1.

Information noteNot specifying resource.stream.name means that you give access to all apps.

(resource.resourcetype="App.Object" and resource.objectType="sheet" and resource.app.stream.name="Stream 1") or

The rule applies to all sheets in Stream 1.

(resource.resourcetype="ReloadTask" and resource.app.stream.name="Stream 1"))

The rule applies to all reload tasks in Stream 1. The double parenthesis at the end is due to the and statement in conjunction with the user.roles condition.

Actions create, read, update, delete, export, publish, changeOwner, changeRole, exportData

The actions will be granted provided that the conditions are met.

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – let us know how we can improve!