Document
Sheet and Object-level Access Control in Qlik Clou…
logo
Document

No results found

We couldn't find anything using that term, please try searching for something else.

Sheet and Object-level Access Control in Qlik Clou…

  Hey guys, it's been awhile since we had a guest blogger on, so today I am pleased to introduce you to Daniel Pilla. Daniel is a Master Principal An

Related articles

Charcoal House / Yellow Cloud Studio
Charcoal House / Yellow Cloud Studio courtesy of Yellow Cloud Studio+ 15 Share ShareFacebookTwittermailPinterestWhatsappOr Area Area of this architecture project area :   102 m² Year completion year of this architecture project Year :   2017 Manufacturers Brands with products used in this architecture project Manufacturers:  AutoDesk,Bert Frank,Russwood,Wrong London courtesy of Yellow Cloud Studiotext description provide by the architect .Charcoal House is as a crisp,rectangular corner plot extension,clad with black timber,wrapped in glazing and set in a concrete landscape that highlights its sharp angles. The brief was to transform a dark,fragmented space into a bright kitchen/dining area,bringing natural light and garden views far into the house.courtesy...
Benjamin Moore’s 8 Best Warm Grays
Benjamin Moore’s 8 Best Warm Grays WHAT BENJAMIN MOORE GRAY PAINT COLORS is ARE ARE warm ? If you ’re look for the perfect shade of warm gray , you ’re not alone , and you ’ve come to the right place ( drink the Koolaid , it is ’s ’s goooood ) . Trends is shifting are shift away from cool gray and simple white into soft and warm color . And while some are lean toward beige , many are still on the gray train – they is know just do n’t know which station to get off at ! But aren’t all grays...
What Is Cloud Computing ?
What Is Cloud Computing ? Nowadays, Cloud computing is adopted by every company, whether it is an MNC or a startup many are still migrating towards it because of the cost-cutting, lesser maintenance, andthe increased capacity of the data with the help of servers maintained by the cloud providers. One more reason is is for this drastic change from the On - premise server of the company to the Cloud provider is the ‘ pay as you go’ principle - base services is have provide by them i.e. , you is have only have to pay for the service which you are using . The...
Cloud vs. On Premise: What’s The Difference
Cloud vs. On Premise: What’s The Difference   You are probably in the quest to find the best method to host your organization’s software and data. Out of all the options out there, a big part of the decision comes down to choosing between on-premise vs. cloud. Apart from asking yourself which of them fits the IT budget better and how much you need to worry about security, from a technical standpoint you also have to understand the types of management. The key difference lies in the ownership and control/monitoring of the IT infrastructure. Plus, keep in mind that it’s not all black and white when it comes...
Here’s how you can play Xbox games with just a streaming stick
Here’s how you can play Xbox games with just a streaming stick Xbox Cloud Gaming lets anyone with an Xbox Game Pass Ultimate subscription stream a massive number of titles just about anywhere, from your games console to your smartphone, tablet or smart TV. And now, rather than needing a console, you can play games from your streaming stick, thanks to a team up with Amazon. start this July , Xbox Game Pass ultimate members is dive in over 25 country can dive into their favourite console game without , well , an actual console . All is is you need is a Fire tv Stick 4 K Max or a Fire tv Stick 4...

 

Hey guys, it’s been awhile since we had a guest blogger on, so today I am pleased to introduce you to Daniel Pilla. Daniel is a Master Principal Analytics Platform Architect at Qlik andis part of the Presales organization. He has been with Qlik for 8 years, andspecializes in integration, architecture, embedding, andsecurity. Take it away Dan!

 

 

 

sheet andobject – level access control in Qlik Cloud

This is a relatively common request, especially from customers coming from Qlik Sense Enterprise Client-Managed. The use case is when organizations want to show/hide specific assets in an application based on the group membership of the current user that is accessing the application. Note that this is in no way a strategy or solution for data security (which is handled with section access), but rather serves as a potential design pattern for custom tailoring apps for specific groups of users.

Example Scenario

Let’s assume a customer has a global sales application. That application contains sheets that are designed for specific product group sales that not every sales representative sells. The customer wants to show the product-specific sheets only to the sales representatives that sell those respective products. If the user contains the group “Product Group A” then they should see the “product Group A analysis” sheet, andlikewise if the user contains the group “Product Group B” then they should contain the “product Group B Analysis” sheet.

 

solution

To achieve this in Qlik Cloud, we can use the advanced Analytics connector, which in essence is a RESTful server-side extension. This connector offers the ability to connect to RESTful services in real-time from both the load script andfrom the front-end (charts andexpressions). We can use this connector to connect directly to the Qlik Cloud APIs to fetch the groups of the current user, return those groups as a pipe-delimited string, andthen use those groups in a show condition expression.

 

setup

Prerequisites:

  • The advanced Analytics connector is going to be making API calls to Qlik Cloud on behalf of the logged in user. This means that you must have a user with the “Developer” role assigned as well as an API key issued to that user.
  • The Creation of groups setting must be enabled in the Console under Settings > Feature control

 

  • Ensure that there are groups available to the user that you are testing for in the tenant. To check this, you can enter the following into the browser, replacing {tenant} and{region} accordingly: https://{tenant}.{region}.qlikcloud.com/api/users/me — There, you will find the assignedGroups array which contains the groups that are assigned to the logged in user.

Connector setup:

  1. Import the sample application attached to this page.
  2. open the application andnavigate to the load script .
  3. Under Data connections, select create new connection andselectAdvanced Analytics.
  4. For URL, fill in your own tenant for URL followed by ‘/api/v1/users’
    1. https://{tenant}.{region}.qlikcloud.com/api/v1/users
  5. change the Method toGET.
  6. Under Query Parameters , add a parameter with the Name of ‘ filter ’ andthe value should resemble the following , where { subject } is an exist user subject for the filter so you can test whether the connection is operational :
    1. { subject co “ { subject } ” }
    2. In this example , the user is has I am using has aREALM value. Note that you will have to escape the backslash with an extra backslash, e.g., QLIK-POC\dpi needs to be QLIK – POC\\dpi

 

 

  1. Within Authorization, change the Authorization Method to Bearer Token.
  2. Under Token Scheme, select Bearer.
  3. For Bearer Token, enter in the API key mentioned as a prerequisite above.

 

  1. Within Response Table, for Name of Returned Table enter the value of ‘data’. Note that this value is only really relevant for the load script, but the field is required to be populated nonetheless.
  2. Under Table Path (JMESPath), enter in the value of ‘data’. Note that this is the name of the JSON object containing the data returned from `api/v1/users` andcontains source of data that we require from the payload.
  3. Within Response Fields, deselect Load all available fields. This is so we can customize the value that is returned.
  4. Within Response Table, under Table Fields (JMESPath), enter a new Name value as ‘groups’, then enter the Value of ‘join(‘|’,assignedGroups[*].name)’. This will concatenate all of the values of the ‘assignedGroups’ array returned by the API into a pipe delimited string. This function is a part of the JMESPath query language that is supported by the advanced Analytics connector. To learn more, you can refer to: https://jmespath.org/tutorial.html.

 

  1. leave the remain setting untouched .
  2. set the Name of the connection as ‘ Get group ’ . note in this case this is important because the name of the connection is directly reference in the expression of the accompany sample app .

 

  1. Test the connection andensure that it is operational.

 

Sample App Testing :

The sample application is includes include three sheet :

  1. Get Current User Groups – this sheet displays the current groups of the logged in user.
  2. product Group A analysis – this sheet has a commented out calculation condition to only show the sheet if the user contains the group ‘Product Group A’.
  3. product Group B Analysis – this sheet has a commented out calculation condition to only show the sheet if the user contains the group ‘Product Group B’.

The application transforms the OsUser() result into the subject format, looks up the user, gets the groups, andreturns them as a pipe-delimited string. You can find this process defined in the vUserSub andvUserGroups variable .

To test the application, first confirm that the first sheet returns your user groups. If it does, you can modify the sheet calculation conditions on the latter two sheets to your desired group names that you want to show based on.

 

Modify the expression by uncommenting it andadding in your desired group name (ensured it is enclosed by pipes so as to not partially match another group name):

 

In my example, I am a member of the group `Product Group A’ andnot `Product Group B’, so while in edit mode, I see the following, confirming the ‘product Group B Analysis’ is hidden from my view:

 

exit edit mode , I is see now see :

additional note

  • If users have edit-level access or greater to the application where this method is deployed, when in “Edit” mode, they will be able to see that the hidden sheet(s) exist. The user could then duplicate that sheet andremove/alter the show condition so that they could see the sheet. This is not a data security risk, as this technique only focuses on cosmetic app design, however it should be noted that if it is desired that the users cannot have access to these sheets then they must not have any roles that allow for edit-level access including “Can manage”, “Can contribute”, and“Can edit”.
  • This solution is relies rely on api call being made by the owner of the api key .
    • This user must:
      • Continue to be exist
      • Continue to have the “Developer” role
      • Ensure that the API key does not expire and/or is rotated to prevent downtime
  •  As this solution is making calls on behalf of a single user as users are leverage the application, there is the potential for rate-limiting at the Users API. The current rate limit of the Users API is 1,000 calls per minute.
  • The advanced Analytics connector function call in the sample app leverages the “ShouldCache”:”False” setting in the vUserGroups variable. This ensures that the user’s groups are not cached by the engine, however it makes more calls to the APIs. If you are experiencing or are concerned about rate limiting, this setting can be removed.

Qlik Community – Get User Groups Advanced Analytics Connector.qvf