Security Rules (introduced with Vizlib Server v1.6.0) are created and maintained in the Vizlib Management Console (VMC).
Security rules can be applied to features within Vizlib Collaboration and Vizlib Finance, including streams, destinations, workflows, and user roles, helping you manage access to your:
- server configuration
- user data
- user permissions.
TABLE OF CONTENTS
- Creating a New Security Rule
- User Access Levels
Creating a New Security Rule
Security Rules are found in the VMC under Security Rules (Figure 1). Clicking the Description opens the rule for editing while clicking New Rule opens the Create Security Rule window.
Figure 1: Security Rules Menu
When you create a security rule, you'll need to enter values for the items listed here.
- Description - A unique name for your security rule.
- Resource Type - The VMC feature which selects the security rule settings - Teamwork Stream, Finance Stream, Writeback Destination, Workflow, Integration, Teamwork Workspace, Finance Workspace, Lock Group, User Role (only available for Root Admin and Admin users), and Loop & Reduce Tasks.
- Resource ID- A list of Resource Type instances where your security rule is applied.
- Teamwork Stream/Finance Stream - select from a list of available streams.
- Teamwork Workspace/Finance Workspace - select from a list of available workspaces.
- Writeback Destination - select from a list of available destinations.
- Workflow - select from a list of available workflows
- Integration - select from a list of available integrations.
- Lock Group - select from a list of available lock groups
- User Role - select a VMC user role from Root Admin, Admin, or Content Admin. You can find more about user roles in our article on Vizlib Management Console User Roles.
- Loop and Reduce Task - select from a list of Loop & Reduce tasks.
- Access Level - A property that controls the type of user access to the resource.
- Condition(s) - A logical condition describing when the security rule should be met (for example, assigning access to a specific user) using the properties Attribute Type, Operator, and Value. The conditions are detailed below.
Security Rules don't support Dynamic User attributes
Security rules must be based on a user attribute or custom property in the repository because Dynamic User Attributes (available only per session) are not supported.
Each Security Rule can contain one or more conditions.
The Attribute type list is defined by the values imported into the Qlik Repository Service (QRS).
Please note: If you want to integrate a user list into your security rules (for example, Active Directory (AD)), you must integrate these values using the Qlik Management Console (QMC).
You can manage user access to Qlik Sense using Security Assertion Markup Language (SAML) AD groups. The steps are to:
- Load the SAML attributes in Qlik from the QRS. Vizlib Server uses these attributes to create the security rules and makes them available in the VMC.
- Check all attributes are loaded correctly in the QMC. In the QMC, click Users and then the information icon (i) to view all the corresponding attributes which can be added to the VMC security rules as defined by the 'Attribute Type.'
Please see the Qlik instructions on connecting a user directory. Conditions can also be defined with user attributes - userId, userDirectory, name, roles, and custom properties (starting with @).
Operators set the requirement the condition needs to meet to be classed as true - you can check for a value to be Equal or NotEqual, and include partial matches with StartsWith, EndsWith, and SubstringOf.
Figure 2 shows a rule where the Write access level for a Teamwork Stream is only granted to users where the userDirectory has the value VlZLIB.
If the operator changed to StartsWith, access would be granted to all users where the name of the userDirectory starts with VIZLIB.
Figure 2: Create a Security Rule
Values are strings used to validate whether a condition is met. They can be lower or uppercase and can include letters, numbers, and special characters.
Please note: Dynamic user attributes (available only per session) are not supported.
There are several actions you can perform on a condition to group them in unlimited ways (Figure 3).
Figure 3: Conditions Menu
- Create Child Group - Creates condition group one level below. Imagine that you have condition A and B. Creating a child group on condition A would result in creating brackets around it - (A) and B
- Move to Child Group - Considering condition (A) and B, the operation performed on condition B would result in (A and B)
- Move to parent group - Performing this operation while having (A and B) on condition A would result in A and (B)
- Move group up - Considering conditions (A and B) or (C and D), performing this operation on C would result in (A and B and C) or (D)
- Move group down - Works similar to the Move group up option but in the other direction.
User Access Levels
Security rules can be created to help manage resources by applying an Access Level to users.
- Teamwork Stream / Finance Stream - If Secure Stream is enabled in the stream settings, users cannot access the stream without Read, Write, or Admin permissions.
- Writeback Destination - If Secure Destination is enabled in the destination settings, users cannot access the destination without Write access.
- Workflow - If a workflow state has a Visibility setting of Limited, users cannot view these settings unless they are granted Approver permissions in a security rule.
- User Role - Access levels for users can be viewed in User Roles. For more information on user role permissions, please see our article on Vizlib Management Console User Roles.
Resource owners can also create a rule which grants VMC Admin access to allow other Content Admin users to manage the resource. VMC Admin rights are available for streams, destinations, workspaces, and integrations.
Figure 4 shows a Finance Stream with Secure Stream enabled and the tooltip instructions to create a security rule to manage access.
Figure 4: Finance Stream User Access