Security Rule Example: Allow access to Data Load Editor on an app

We in Qlik Support have virtually no scope when it comes to debugging or writing custom security rules for customers. That level of implementation advice needs to be handled by the folks in Professional Services or Presales. That being said, this example is provided for demonstration purposes to explain a specific scenario. No Support or maintenance is implied or provided. Further customization is expected to be necessary and it is the responsibility of the end administrator to test and implement an appropriate rule for their specific use case. For access to more tips and tricks, best practices, and ever-evolving creative solutions, we recommend joining us in our active Qlik Community.

In this scenario, the administrator wants to grant access to the Data Load Editor on a series of apps which the user or set of users already have read rights to.

Setup:

• Name: _DLEUserAccess
• Description / Explanation: This rule will grant update rights to an application based on the inherited Read rights provided elsewhere. Update rights to an app are necessary to see the Data Load Editor Option
• Resource filter(s): App_*
• Action(s): Update
• Conditions: resource.resourcetype = "App" and resource.Stream.HasPrivilege("read") and (user.name="User2")
  • Note: In this example we are using a statically defined user.name value. In a realistic scenario you would want to have a more robust user selection criteria (e.g. user.group="BI Developers" if there is group membership which selects the specific users which you want to target).
  • Note2: This example assumes Authentication Setup is on Stream level -- the user is allowed to access all Apps under a Stream that he/she has "read" access on. Thus resource.Stream.HasPrivilege("read"). In a realistic scenario, depending on the exact Authentication setup, modification on this condition may be required.

• Name: _ScriptUserAccess
• Description / Explanation: This rule will grant read and update rights to specific app objects which scope to the load script of an app based on the inherited Read rights on the app provided elsewhere.
• Resource filter(s): App.Object_*
• Action(s): Read, Update
• Conditions: ((resource.objectType="loadmodel" or resource.objectType="app_appscript")) and resource.app.HasPrivilege("read")
  • Note: In this example we are using a statically defined user.name value. In a realistic scenario you would want to have a more robust user selection criteria (e.g. user.group="BI Developers" if there is group membership which selects the specific users which you want to target).

Sample with Screenshots:

1. Before applying above rules, User 2 has "Read" Access to the Stream where App "12345" is in. "12345" is owned by another user. So User 2 has no access to Data Load Editor:
   
   
2. Create the 1st rule, which grants "update" to User2 on App 12345:
   
   
   
   
   
3. At this point User2 still cannot access Script Editor of App 12345(Even though Data model viewer shows up):
   
   
4. Now create the 2nd rule:
   
   
5. Now, User2 has access to Data Load Editor(and Data Manager) of App 12345: