Security Rule Example: How to show data model viewer for published apps

Andre_Sostizzo · Jan 30, 2023 4:32:55 AM

How To Grant Users The Access To Data Model Viewer.

With default security rules and settings, users can not see the data model for published apps. However, we can achieve this by creating/updating security rules through the Qlik Sense Management Console.

Resolution

Option 1: Create a new Security Rule

Go to the Qlik Sense Management Console
Open Security Rules
Click Create new
Create the following rule:
1. Name = DataModelViewers
2. Description = A description of your choice.
3. Resource filter = App_*
4. Actions = "Read","Update"
5. Conditions = Users of your choice or a previously defined role you will tag the users with.
6. Context = Both in hub and QMC or Only in hub
Click Apply

Option 2: Tagging users as ContentAdmins

This requires a rework of the ContentAdmin rule and will provide far more permissions to users than Option 1. See ContentAdmin for details on what a ContentAdmin is allowed to do.

Tag the users you want to be able to see data models with the ContentAdmin role.
Go to the Security Rules
Locate the default ContentAdmin rule and open it
Modify the rule by changing QMC only to Both in hub and QMC
Click Apply

MN2 · ‎2022-03-01

Andre

With this solution, DatamodelsViewers can also update apps properties (add custom properties) and modify app Name and description in hub for pûblished apps.

It is possible to limit the rules to the data model button ?

Thanks

MN

mgranillo · ‎2022-03-30

I'm also finding this rule allows access to all dashboards in the hub. This is not good for data security. Is there a way around this?

Sonja_Bauernfeind · ‎2022-04-05

Hello @mgranillo

For further customization of security rules, I would recommend posting this query over in the Qlik Sense Deployment and Management forums.

All the best,
Sonja

mgranillo · ‎2022-04-07

Thank you. I've posted a question in that forum. For anyone that comes across this, we are having this issue because we have app level security in place.

Ken_T · ‎2023-01-20

This is not really clear on what part of the security rule actually grants access to the Data Model Viewer.

Could those details be added?

What part of Content Admin rules actually allows the data model viewer to work in the hub?

If it was desired to grant this view, without using content admin role (which is very plausible as content admin has tremendous power in qmc) - how could this be done?

This post, as is, begs the question of what conditions and objects control the data model viewer.

Sonja_Bauernfeind · ‎2023-01-30

Hello @Ken_T

I clarified the article, but am having the rule specifically created for this purpose verified by an SME as well (my tests came back OK, so it works).

To answer your question, it's this bit:

Resource filter = App_*
Actions = "Read","Update"

All the best,
Sonja

tduarte · ‎2023-05-05

Hi @Sonja_Bauernfeind

I assume this would be used in conjuction with
Resouce filter = App.Object_* and Condition resource.objectType = "loadmodel".

Please confirm.

Thanks,
Telmo

Security Rule Example: How to show data model viewer for published apps