Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW

Hierarchical relationships in Security Rules for Qlik Sense

No ratings
cancel
Showing results for 
Search instead for 
Did you mean: 
Andre_Sostizzo
Digital Support
Digital Support

Hierarchical relationships in Security Rules for Qlik Sense

Last Update:

Nov 11, 2021 10:17:06 AM

Updated By:

Sonja_Bauernfeind

Created date:

Feb 12, 2018 8:36:13 AM

Inside of Qlik Sense, user access is proscribed by the security rules which are configured in the deployment. When designing a security rule framework, it is important to understand the hierarchical relationships between different resource filters in order to ensure that the rule performs as intended.

 

Streams > Apps > App.Objects

User-added image

As illustrated above. Apps are in Streams. This means that you can use inheritance to cascade the intended action from the action assigned at the Stream level. This is used in this portion of the default Stream security rule:

(resource.resourcetype = "App" and resource.stream.HasPrivilege("read"))

The meaning of this condition is that the action will be applied to Apps where the user has read rights to the stream.

The same hierarchy exists in Apps <> App.Objects. App.Objects belong to apps and thus you can inherit rights from the App or Stream level. This is used in this portion of the default Stream security rule:

((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" 
and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))

The meaning of this condition is that the action will be applied to an App's Objects where the object is (a) published and (b) not an app_appscript or loadmodel type of App.Object when the user has read rights on the stream.

Apps > Tasks

User-added image

As illustrated above, Tasks are applied to Apps. This means that you can use inheritance to cascade the intended action from the action assigned at the App level. For example:

Filter: ReloadTask*
Action: Read, Update, Delete
Condition: ((user.name="TaskAdmin"))and (resource.App.HasPrivilege("read"))

In this rule, the user with the name TaskAdmin is able to read / update / delete all tasks which are associated with Apps which they already have Read rights to.

  • Note: As of Qlik Sense April 2018, there is no logical relationship between tasks and triggers. So an administrator cannot use inheritance for this resource type.
Labels (1)
Version history
Last update:
‎2021-11-11 10:17 AM
Updated by: