This session will address the following:
- Getting the most for your users
- Deep dive into how rules work
- Tips and Tricks
- How to scale
Resource Links:
Performance
Resource Filters
Operators and Functions
Conditions
Security Rule Examples
Guide for Setting Up Rules
Security Rules for Streams
Q and A
Q: Can you briefly address how to use rules to hide sheets? For instance, an app reload performance sheet for only the dev needs to be visible in work and published versions of the app, but not visible to users.
A: Hiding sheets is not possible via rules as that would be a deny, rather than a grant.
To grant specific accounts access to specific sheets you would need to unwind the existing rules granting access to sheets. Under the default rules, I believe you get access to objects you own, as well as approved objects in the app.
You would need to build new rules that granted rights to regular users to see the sheets they need to see, and any sheets they have created, and a set of rules that grant the developers access to the sheets they need.
This is a surprisingly complex undertaking and you should make sure you do careful testing.
Q: Hi Andrew, is there a way to proxy as another user to test if rules are working as expected?
A: IPortal is a tool on branch that lets you set up dummy users with particular profiles and log in as them https://developer.qlik.com/garden/5762c5b17648a784afb6f321
You can also use the ticket API on the proxy to log in as a user, this KB article has a handy PowerShell script for this Qlik Sense: Generate a ticket with Qlik proxy API (Powershell)
Q: How are the rules execution sequenced?
A: As noted in the presentation, first we filter out all irrelevant rules (I.e. rules whose resource filter or context does not match), then we test the rules in score order. Highest score first, if two rules have equal scores (just after a system restart for example) the execution order is not guaranteed.
Q: Can object level access be achieved?
A: Yes, but it can be difficult, you cannot see all objects in the QMC, and you cannot set custom properties for Objects.
Q: Which is the first rule that gets executed when a user accesses the system and how are the other rules sequenced?
A: As noted in the presentation, first we filter out all irrelevant rules (I.e. rules whose resource filter or context does not match), then we test the rules in score order. Highest score first, if two rules have equal scores (just after a system restart for example) the execution order is not guaranteed.
Q: Which service will handle security rules?
A: Security rules are always handled by the Qlik Repository Service.
Q: Why exactly do custom properties do not work with app objects, e.g. sheets? would be awesome to hide specific sheets in an app based on user departments
A: Unfortunately, I cannot answer why custom properties cannot be assigned to sheets. I know that you can use other properties to generate rules, but they are a lot more cumbersome as you cannot use custom properties.
Q: Can you grant a Read Only rule and still allow the user the ability to use the Storyboard feature?
A: Stories are a type of object, so you would need to grant the user the ability to create those objects
Q: Is there a list of all available Resource Filters and what they apply to?
A: Yes, our help covers this. Available resource filters
Q: Can we set rule based on Tags, similar like custom property.
A: Unfortunately, no, tags are not in the addressable conditions
Q: Can you grant access to a specific custom property in the edit user/app window?
A: Probably, but it would be complicated, you would need to look at the rules that grant access to the custom properties that currently exist and alter them first.
Q: We have a need to allow end users to reload an app via a Reload Button extension, but do not want these users to have full script access to the app - what resources can control that action?
A: It depends on how the extension works, if the extension works by initiating a task, then you would need to grant privileges for the task.
Q: We use Qlik integrated in our own application, with an Iframe. Would it also be possible to only give directly access to an app instead of access to the hub? Because we don't like to show the hub for only read users
A: I’m not sure that this is possible, it would likely require a significant rebuild of the default rules if it is. It is probably easier to put a reverse proxy in place and prevent hub access that way.
Q: How often does that cache get updated when there are multiple nodes involved? I've had a situation where the rules aren't getting properly propagated to all nodes in our environment (2 nodes)
A: Caches are local, when changes to rules and objects are made the rim nodes are notified to invalidate portions or all their cache.
If this is not happening in your environment, please file a case so we can try to investigate further.
Q: Security cache - is the cache "thrown out" if we create new values in custom properties, new streams etc.? i.e. not only change in them?
A: New custom property values will invalidate the entire cache, much like creating a new rule.
Creating a new stream does not invalidate the cache but creating a rule to provide access to it will.
Q: When the apps is published, or the app is reloaded. Does that trigger a refresh of the cache?
A: Publishing an app will result in a narrow cache invalidation (cache regarding the app), but a reload of an app will not.
Q: How to limit Prof users to see apps created by them instead of all the apps in the Work area
A: This should occur normally in the more recent versions of Qlik Sense, as we pre-filter the list of apps,
Q: When is the new interface for task management coming?
A: Improvements to the task interface (and rules execution in generation) are still in progress. I am hoping they will be here in the April release, but no guarantees.
Q: Where can you view the security rule score?
A: Nope, there is no way to view the score of a security rule
Q: Is there an API to evaluate security rules for use in custom extensions?
A: I don’t believe so, other than the audit calls. However, it should be noted that any time you request resources you are implicitly making a request to evaluate the rules relating to access for that resource.
Q: Is there a tool to help optimize rules or discover rules that are non-performant?
A: The best tool you have right now is the audit interface, but that will not highlight a rule, it will merely indicate which access is slow, you will then have to go through
Q: What is the best way to grant access to single app within a stream that has several apps
A: It is hard to say, first you need to change or disable the default rule that grant access to apps, as that grants access to apps in streams you have access to.
Then you would need to build a rule that grants access to just the apps that are requested for the users that are relevant.
Q: Are expensive queries for security rules documented on Qlik help site?
A: Not yet, though there is a white paper being created on this topic that will be available at some point tin the future.
Q: Is there a complete list of appobjects? I saw examples of appobject types that are not documented in the help!
A: As extensions can create their own objects and object types, there isn’t really a complete list. The QMC will not show all AppObjects either, only a subset of specific types.
Q: We have noticed that sometimes rules take a while to go into effect on Rim Nodes, what could be a cause of that? Using Qlik Sense Server February 2019 Patch 2
A: If you are encountering this please file a support case so we can investigate further, this should not be happening.
Q: Is it possible to get a verbose log of the evaluation of rules?
A: Unfortunately, no.
Q: How to manage security for organizations for more than 1000 Users, is custom property an ideal way to do it?
A: Generally, I see large organizations using a combination of Groups, custom properties (as a stream cannot be a member of a group) and sometimes also roles.
Q: Can you load balance tasks on specific servers?
A: Yes, but it is a bit annoying. A task will run on any node which has the app available and has a scheduler. So, you need to build your load balancing rules to ensure that only specific apps go to specific nodes.
These rules also govern which apps are visible in the hub, so any engine that can display an app will also be able to reload it if it has a scheduler.
Also, by default the central node also runs scheduled tasks, and there is an immutable rule that says all apps are available on the central node, so you will need to set the scheduler on the central node to master only.
Q: Follow up on the What would then be the best way to create a rule to give access developer to the Task section?
A: Ideally do not give developers access to the general tasks section, make them go via the apps and related items, it is more clicks, but it is faster and less resource intensive.
Q: Do you have any example Professional user rules or Analyzer specific rules?
A: Often these rules end up looking very simple, things like:
User.group = “QS_Professional”
Q: How (what rules are needed) to allow developers collaborate by sharing apps thru publishing to a dedicated SharedWork stream?
A: You will need to create a rule that grants greater access to apps published to that stream. You will want to edit and update privileges, but double check our help for more info.
Q: Hi, is there a way to grant access to apps based on stream id instead of stream name?
A: I think stream IDs should be usable in the filter, so you could create a rule that is specific to that stream, generally speaking I prefer to use names as they are more readable and move better between systems.
Q: Is there a way to automatically set custom properties on app objects when a user creates them?
A: Unfortunately, no.
Q: If a user is not granted access to an app, do they still see the app? Is there a way to completely hide an app from certain users who have access to the stream?
A: If a user does not have read access to an app, they will not see it in the hub.
Q: AUDIT is currently useless for rules for objects inside an app. Is there a way to audit this? e.g. sheet-visibility
A: I’m not sure, you might be able to do this with the audit API
Q: How can I do set user rights access of data from an app? like to in QV "Section Access”?
A: You would use Section Access for that.
Q: Is it possible to transfer rules from development environment to production environment?
A: Not within Qlik Sense itself, but there are tools out there which facilitate that, I know some people do it via Qlik-CLI
Q: Is there plans to enable roles to user groups
A: I am not sure what you mean by this
Q: Why Qlik do not configure 4-5 global profile? (Reader, publisher, admin, etc....)
A: Qlik Sense on Windows does come with several administrator roles. I can’t speak as to why we do not provide default profiles for the hub, but I suspect this is because we don’t really provide any default apps either beyond ones intended for administrators
Q: Is it possible to give Root Admin roles to the user via pgAdmin?
A: You can, but I am not sure why you would do this as it is better assigned via the QMC
Q: Doesn't it get complex to manage access rights to users without AD groups and using roles and custom properties?
A: Not all environments have easy access to AD groups, but it is a bit more manual work yes.
Q: Can you limit visible custom properties in the edit user section? (i.e. seeing one of many custom properties)
A: I am not sure, the default users with access to this section are administrators, so have a lot of privileges, you may be able to reduce the access via the rules, I have not seen an organization try to do so.
