.png)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Security Rule example: Disable custom connector for particular user group for Qlik Sense
Nov 18, 2024 3:47:22 AM
Feb 24, 2018 6:47:40 PM
This article describes an example of how to disable custom connectors for a particular user group for Qlik Sense.
The example is provided as is. Further customisation or adaptation to a specific use case scenario can be obtained by engaging Qlik's Professional Services.
Setup example
- Domain\alex: Domain user account, belong to Windows user Group “Sydney”
- Domain\bob: Domain user account, belong to user Group “Sydney”
- Domain\craig: Domain user account, belong to none of user Group
- Above three users account are already fetched into Qlik Sense via UDC and Token is assigned.
Goal
- Users in user group “Sydney” CANNOT create “custom” data connection.
- Users in other group CAN create “custom” data connection.
Steps
- Go to QMC > Security Rules
- Select Security Rule Name DataConnection and press Edit button.
- Tick Disable and press Apply button.
- Press Create new button to create a new Security rule. Enter below.
Name: DisableCustomConnectors Description: This custom rule disables Custom Connectors for user group “Sydney” Resource filter: DataConnection_* Action: Create Condition: ((resource.type!="folder" and resource.type!="Custom") and (user.group="Sydney")) Context: Only in hub
- Press Apply button
- Press Create new button to create new Security rule. Enter below and press Apply button.
Name: DataConnectionForNormalUsers Description: This custom rule is for Data Connections except User Group “Sydney”. Custom Connection creation enabled. Resource filter: DataConnection_* Action: Create Condition: ((resource.type!="folder" and user.group!="Sydney")) Context: Only in hub
- Press Apply button

- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Hi, @Sonja_Bauernfeind. Is it possible to restrict the use of a specific custom connector and not all of them? If we use the "type" of the connection (which is the connector's .exe file name) it allows users to choose the connector, follow the wizard and it only fails when actually trying to create the connection at the end. We would like to remove the connector from the screen altogether, but only that one connector, for specific users.

- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Hello @cjgorrin
This is likely a question that'll need to go to our Professional Services or which is better served in the forums. But let me reach out internally to see if I can get you some information.
All the best,
Sonja

- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Hello @cjgorrin
For us to be able to review this effectively, please go into as much detail as possible and explain the exact use case.
All the best,
Sonja

- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
We have developed a couple custom connectors that we have deployed in our Qlik Sense Enterprise on Windows server.
With these connectors, when you create the connection you must select the folder from which to read the files. Our idea is that only admins should create such connections, because we don't want people to be able to access any file they want in our server.
So, we changed the security rules to try to prevent users from creating these types of connections. However, people can try to create the connection, following the connector's wizard, which will fail only at the end of the process. But in an intermediate step, they can see all folders on the server.
We would like to be able to remove the connector from the screen altogether. That they cannot even start the wizard.
One of those connectors is G2Q (GAMS2Qlik), which we developed in-house. And our security rule looks like this:
((resource.type!="folder" and resource.type!="QvGamsConnector.exe"))
Again, it prevents the creation of the connection in the last step, but it allows them to start the connection creation wizard, which we don't want.
Also, we cannot do anything on the connector's side, since the connector does not know who is calling it and what their permissions are. The restriction must be places on the Qlik Sense side.
I hope this clarifies the issue. Thanks again.