Security Rules were introduced with Vizlib Server v1.6.0. and can be created and maintained in the Vizlib Management Console (VMC). Security rules can be applied to features within Vizlib Collaboration and Vizlib Finance, including streams, destinations, workflows and user roles, helping you manage access to your server configuration and user data and set user permissions.
TABLE OF CONTENTS
Creating a New Security Rule
Security Rules are found in the VMC under Security Rules (Figure 1). Clicking the Description will open the rule for editing, while clicking New Rule will open the Create Security Rule window.
Figure 1: Security Rules Menu
When you create a security rule, you'll need to enter values for the items listed here.
- Description - A unique name for your security rule.
- Resource Type - The VMC feature which selects the security rule settings - Teamwork Stream, Finance Stream, Writeback Destination, Workflow, Integration, Teamwork Workspace, Finance Workspace, Lock Group, User Role (only available for Root Admin and Admin users) and Loop and Reduce Task.
- Resource ID - A list of Resource Type instances where your security rule is applied.
- Teamwork Stream/Finance Stream - select from a list of available streams.
- Teamwork Workspace/Finance Workspace - select from a list of available workspaces.
- Writeback Destination - select from a list of available destinations.
- Workflow - select from a list of available workflows.
- Integration - select from a list of available integrations.
- Lock Group - select from a list of available lock groups.
- User Role - select a VMC user role from Root Admin, Admin, or Content Admin. You can find our more about user roles here.
- Loop and Reduce Task - select from a list of loop and reduce tasks.
- Access Level - A property which controls the type of user access to the resource.
- Condition(s) - A logical condition describing when the security rule should be met (e.g. assigning access to a specific user) using the properties Attribute Type, Operator, and Value.
- Attribute Type - this list is defined by the values imported into the Qlik Repository Service (QRS), so if you are looking to integrate a user list into your security rules (e.g. Active Directory) you will need to integrate these values using the Qlik Management Console (QMC). You can find instructions on connecting a user directory here. Conditions can also be defined with user attributes - userId, userDirectory, name, roles and custom properties (starting with @).
- Operator - operators set the requirement the condition needs to meet to be classed as true - you can check for a value to be Equal or NotEqual, and include partial matches with StartsWith, EndsWith and SubstringOf. Figure 2 shows a rule where the Write access level for a Teamwork Stream is only granted to users where the userDirectory has the value VlZLIB, if the operator changed to StartsWith, access would be granted to all users where the name of the userDirectory starts with VIZLIB.
- Value - values are strings which are used to validate whether a condition is met. They can be lower or upper case, and can include letters, numbers and special characters.
Note : Dynamic user attributes (available only per session) are not supported.
Figure 2: Create Security Rule
Each Security Rule can contain one or more conditions. There are several actions you can perform on a condition to group them in unlimited ways (Figure 3).
Figure 3: Conditions Menu
- Create Child Group - Creates condition group one level below. Imagine that you have condition A and B. Creating a child group on condition A would result in creating brackets around it - (A) and B
- Move to Child Group - Considering condition (A) and B, the operation performed on condition B would result in (A and B)
- Move to parent group - Performing this operation while having (A and B) on condition A would result in A and (B)
- Move group up - Considering conditions (A and B) or (C and D), performing this operation on C would result in (A and B and C) or (D)
- Move group down - Works similar to the Move group up option, but in the other direction.
User Access Levels
Security rules can be created to help manage resources by applying an Access Level to users.
- Teamwork Stream / Finance Stream - If Secure Stream is enabled in the stream settings, users cannot access the stream without Read, Write or Admin permissions.
- Writeback Destination - If Secure Destination is enabled in the destination settings, users cannot access the destination without Write access.
- Workflow - If a workflow state has a Visibility setting of Limited, users cannot view these settings unless they are granted Approver permissions in a security rule.
- User Role - Access levels for users can be viewed in User Roles. For more information on user role permissions, please see our article here.
Resource owners can also create a rule which grants VMC Admin access to allow other Content Admin users to manage the resource. VMC Admin rights are available for streams, destinations, workspaces and integrations.
Figure 4 shows a Finance Stream with Secure Stream enabled, and the tooltip instructions to create a security rule to manage access.
Figure 4: Finance Stream User Access
Vizlib Server Migration (Below v1.6.0)
If you have a version of Vizlib Server below v1.6.0 installed, a migration will occur during the upgrade which will automatically create certain security rules, based on existing custom properties. This will allow you to safely upgrade without taking any further action. When the migration completes, your user access settings will be unchanged.