Qlik Sense Security Rules List

Transcription

Qlik Sense Security Rules List
Qlik Sense Security Rules List
Qlik Sense 1.1
2015/04/06
Table of Contents
Read Only Security Rules ............................................................................................................................................................................................................................. 2
App Data Segment .................................................................................................................................................................................................................................... 2
Content Library ......................................................................................................................................................................................................................................... 2
Extension ................................................................................................................................................................................................................................................... 3
File Reference ............................................................................................................................................................................................................................................ 3
Installed Static Content ............................................................................................................................................................................................................................ 3
Owned Resource ........................................................................................................................................................................................................................................ 4
Temporary Content ................................................................................................................................................................................................................................... 5
User (Service Account / Root Admin) ....................................................................................................................................................................................................... 5
Default Security Rules – General ................................................................................................................................................................................................................ 7
App.............................................................................................................................................................................................................................................................. 7
App Object .................................................................................................................................................................................................................................................. 7
Content Library ......................................................................................................................................................................................................................................... 8
Data Connection ........................................................................................................................................................................................................................................ 8
Extension ................................................................................................................................................................................................................................................... 8
Stream ........................................................................................................................................................................................................................................................ 9
Default Security Rules – Default Administrative User Group ................................................................................................................................................................ 10
Audit Admin ............................................................................................................................................................................................................................................. 10
Content Admin......................................................................................................................................................................................................................................... 10
Deployment Admin .................................................................................................................................................................................................................................. 12
Security Admin ........................................................................................................................................................................................................................................ 14
1
Read Only Security Rules
App Data Segment
If you have read rights on the app you should be able to read app data segments belonging to that app
Name
Resource filter
Conditions
Context
Actions
ReadAppDataSegments
App.DataSegment_*
resource.App.HasPrivilege("read") and !user.IsAnonymous()
Both in hub
Read
and QMC
If you have update rights on the app you should be able to create/update/read/delete app data segments belonging to that app
Name
Resource filter
Conditions
Context
Actions
UpdateAppDataSegments
App.DataSegment_*
resource.App.HasPrivilege("update") and !user.IsAnonymous()
Both in hub
Create
and QMC
Read
Update
Delete
Content Library
Allows everyone that can see a content library to see its corresponding files
Name
Resource filter
Conditions
Context
Actions
Content library content
StaticContentReference_*
resource.ContentLibrarys.HasPrivilege("Read")
Both in hub
Read
and QMC
Allows everyone that can update a content library to manage its corresponding files
Name
Resource filter
Conditions
Context
Actions
Content library manage
StaticContentReference_*
resource.ContentLibrarys.HasPrivilege("Update")
Both in hub
Create,
and QMC
Read
content
Update
Delete
2
Extension
Allows everyone that can update an extension to manage its corresponding files
Name
Resource filter
Conditions
Context
Actions
Extension manage content
StaticContentReference_*
resource.Extensions.HasPrivilege("Read")
Both in hub
Create,
and QMC
Read
Update
Delete
Allows everyone that can see an extension to see its corresponding files
Name
Resource filter
Conditions
Context
Actions
Extension static content
StaticContentReference_*
resource.Extensions.HasPrivilege("Update")
Both in hub
Read
and QMC
File Reference
Everyone is allowed to read file references
Name
Resource filter
Conditions
Context
Actions
ReadFileReference
FileReference_*
!user.IsAnonymous()
Both in hub
Read
and QMC
Installed Static Content
Allows everyone to read installed static content
Name
Resource filter
Conditions
Context
Actions
Installed static content
StaticContentReference_*
((resource.StaticContentSecurityType="Open"))
Both in hub
Read
and QMC
3
Owned Resource
The owner of a resource should be able to do all actions if the resource is not published to a stream
Name
Resource filter
Conditions
Context
Actions
Owner
*
resource.IsOwned() and (resource.owner = user
Both in hub
Read
and !((resource.resourcetype = "App" and !resource.stream.Empty())
and QMC
Update
or (resource.resourcetype = "App.Object" and resource.published =
Delete
"true")))
Publish
Change owner
The owner of a resource should be able to publish an object
Name
Resource filter
Conditions
Context
Actions
OwnerPublish
*
resource.IsOwned() and resource.owner = user
Both in hub
Publish
and !(resource.resourcetype = "App.Object")
and QMC
The owner of an app object should be able to unpublish an object unless it is approved
Name
Resource filter
Conditions
Context
Actions
OwnerPublishAppObject
App.Object_*
resource.IsOwned() and resource.owner = user and
Both in hub
Publish
resource.resourcetype = "App.Object" and resource.approved = "false"
and QMC
The owner of a resource should be able to see the resource if it is published to a stream
Name
Resource filter
Conditions
Context
Actions
OwnerRead
*
resource.IsOwned() and resource.owner = user
Both in hub
Read
and QMC
4
Temporary Content
Allows everyone except anonymous users to create temporary content
Name
Resource filter
Conditions
Context
Actions
Temporary content
TempContent_*
!user.IsAnonymous()
Both in hub
Create
and QMC
User (Service Account / Root Admin)
The service accounts should be able to do all actions
Name
Resource filter
Conditions
Context
Actions
ServiceAccount
*
user.UserDirectory = "INTERNAL" and (user.UserId =
Both in hub
Create
"sa_repository" or user.UserId = "sa_proxy" or user.UserId =
and QMC
Read
"sa_scheduler" or user.UserId = "sa_engine")
Update
Delete
Export
Publish
Change owner
Change role
Export data
5
Root admin should have full access rights
Name
Resource filter
Conditions
Context
Actions
RootAdmin
*
((user.roles="RootAdmin"))
Both in hub
Create
and QMC
Read
Update
Delete
Export
Publish
Change owner
Change role
Export data
6
Default Security Rules – General
App
Everyone is allowed to create apps except anonymous users
Name
Resource filter
Conditions
Context
Actions
CreateApp
App_*
!user.IsAnonymous()
Only in hub
Create
Everyone is allowed to export the app data they are allowed to see except anonymous users
Name
Resource filter
Conditions
Context
Actions
ExportAppData
App_*
!user.IsAnonymous()
Only in hub
Export data
App Object
If you have read rights on an published app you should be able to create sheets, stories, bookmarks and snapshots belonging to that app
Name
Resource filter
Conditions
Context
Actions
CreateAppObjectsPublishedApp
App.Object_*
!resource.App.stream.Empty() and
Only in hub
Create
resource.App.HasPrivilege("read") and (resource.objectType =
"userstate" or resource.objectType = "sheet" or resource.objectType =
"story" or resource.objectType = "bookmark" or resource.objectType =
"snapshot" or resource.objectType = "embeddedsnapshot" or
resource.objectType = "hiddenbookmark") and !user.IsAnonymous()
If you have read rights on an unpublished app you should be able to create app objects belonging to that app
Name
Resource filter
Conditions
Context
Actions
CreateAppObjectsUnPublishedApp
App.Object_*
resource.App.stream.Empty() and
Only in hub
Create
resource.App.HasPrivilege("read") and !user.IsAnonymous()
7
Content Library
The default content library should be visible for all users
Name
Resource filter
Conditions
Context
Actions
Default content library
ContentLibrary_365cddf2-1181-4204-8800-e9
true
Both in hub
Read
a46fe3b127
and QMC
Data Connection
It should be possible to create data connections except of type folder
Name
Resource filter
Conditions
Context
Actions
DataConnection
DataConnection_*
((resource.type!="folder"))
Only in hub
Create
It should be possible for admins to create folder data connections
Name
Resource filter
Conditions
Context
Actions
FolderDataConnection
DataConnection_*
resource.type = "folder" and (user.roles = "RootAdmin" or user.roles =
Only in hub
Create
"ContentAdmin" or user.roles = "SecurityAdmin")
Read
Update
Delete
Extension
Everyone can view extensions
Name
Resource filter
Conditions
Context
Actions
Default content library
Extension_*
((resource.resourcetype="Extension"))
Both in hub
Read
and QMC
8
Stream
The user should see the resource if he/she has read access to the stream it is published to
Name
Resource filter
Conditions
Context
Actions
Stream
App*
(resource.resourcetype = "App" and resource.stream.HasPrivilege("read"))
Both in hub
Read
or ((resource.resourcetype = "App.Object" and resource.published ="true")
and QMC
and resource.app.stream.HasPrivilege("read"))
The default stream called Administration should be visible for default Administrators and they should be able to publish to it
Name
Resource filter
Conditions
Context
Actions
StreamAdministration
Stream_a70ca8a5-1d59-4cc9-b5fa-6e207978d
((user.roles="RootAdmin" or user.roles="ContentAdmin" or
Both in hub
Read
caf
user.roles="SecurityAdmin" or user.roles="DeploymentAdmin" or
and QMC
Publish
user.roles="AuditAdmin"))
The default stream called Everyone should be visible for all users and all users should be able to publish to it
Name
Resource filter
Conditions
Context
Actions
StreamEveryone
Stream_aaec8d41-5201-43ab-809f-3063750df
!user.IsAnonymous()
Both in hub
Read
and QMC
Publish
afd
The default stream called Everyone should be visible for anonymous users
Name
Resource filter
Conditions
Context
Actions
StreamEveryoneAnonymo
Stream_aaec8d41-5201-43ab-809f-3063750df
true
Both in hub
Read
us
afd
and QMC
9
Default Security Rules – Default Administrative User Group
Audit Admin
Audit admin should have access rights to audit related entities
Name
Resource filter
Conditions
Context
Actions
AuditAdmin
Tag_*
((user.roles="AuditAdmin"))
Only in QMC
Create
Read
Update
Delete
Audit admin should have access rights to audit related sections
Name
Resource filter
Conditions
Context
Actions
AuditAdminQmcSections
License_*,QmcSection_Tag,QmcSection_Audi
((user.roles="AuditAdmin"))
Only in QMC
Read
t
Content Admin
Content admin should have access rights to content related entities
Name
Resource filter
Conditions
Context
Actions
ContentAdmin
Stream_*,App*,ReloadTask_*,UserSyncTask
((user.roles="ContentAdmin"))
Only in QMC
Create
_*,SchemaEvent_*,User*,CustomProperty*,T
Read
ag_*,DataConnection_*,CompositeEvent_*,E
Update
xtension_*,ContentLibrary_*
Delete
Publish
Change
owner
Content admin should have access rights to content related sections
Name
Resource filter
Conditions
Context
10
Actions
ContentAdminQmcSection
License_*,QmcSection_Stream,QmcSection_
s
App,QmcSection_App.Object,QmcSection_Da
((user.roles="ContentAdmin"))
Only in QMC
Read
taConnection,QmcSection_Tag,QmcSection_
Audit,QmcSection_User,QmcSection_Custom
PropertyDefinition,QmcSection_Task,QmcSe
ction_Event,QmcSection_SchemaEvent,Qmc
Section_CompositeEvent,QmcSection_Extens
ion,QmcSection_ReloadTask,QmcSection_Us
erSyncTask,QmcSection_ContentLibrary
Content admin should have access rights to manage security rules for streams, data connections and content libraries
Name
Resource filter
Conditions
Context
Actions
ContentAdminRulesAccess
SystemRule_*
user.roles = "ContentAdmin" and resource.category = "Security" and
Only in QMC
Create
(resource.resourcefilter matches
Read
"Stream_¥w{8}-¥w{4}-¥w{4}-¥w{4}-¥w{12}" or resource.resourcefilter
Update
matches "DataConnection_¥w{8}-¥w{4}-¥w{4}-¥w{4}-¥w{12}" or
Delete
resource.resourcefilter matches
"ContentLibrary_¥w{8}-¥w{4}-¥w{4}-¥w{4}-¥w{12}")
11
Deployment Admin
Deployment admin should have access rights to deployment related entities
Name
Resource filter
Conditions
Context
Actions
DeploymentAdmin
ServerNodeConfiguration_*,Engine*,Proxy*,
((user.roles="DeploymentAdmin"))
Only in QMC
Create
VirtualProxy*,Repository*,Scheduler*,User*,
Read
CustomProperty*,Tag_*,License*,ReloadTask
Update
_*,UserSyncTask_*,SchemaEvent_*,Composi
Delete
teEvent_*
Deployment admin should have access rights to see and update apps in order to handle sync rules
Name
Resource filter
Conditions
Context
Actions
DeploymentAdminAppAcc
App_*
((user.roles="DeploymentAdmin"))
Only in QMC
Read
ess
Update
12
Deployment admin should have access rights to deployment related sections
Name
Resource filter
Conditions
Context
Actions
DeploymentAdminQmcSec
License_*,ServiceStatus_*,QmcSection_Tag,
((user.roles="DeploymentAdmin"))
Only in QMC
Read
tions
QmcSection_Templates,QmcSection_ServerN
odeConfiguration,QmcSection_EngineService
,QmcSection_ProxyService,QmcSection_Virtu
alProxyConfig,QmcSection_RepositoryServic
e,QmcSection_SchedulerService,QmcSection_
License*,QmcSection_Token,LoadbalancingS
electList,QmcSection_User,QmcSection_User
Directory,QmcSection_CustomPropertyDefini
tion,QmcSection_Certificates,
QmcSection_Certificates.Export,QmcSection
_Task,QmcSection_App,QmcSection_SyncRul
e,QmcSection_Event,
QmcSection_ReloadTask,
QmcSection_UserSyncTask,
QmcSection_Audit
Deployment admin should have access rights to manage sync and license rules
Name
Resource filter
Conditions
Context
Actions
DeploymentAdminRuleAcc
SystemRule_*
user.roles = "DeploymentAdmin" and (resource.category = "Sync" or
Only in QMC
Create
ess
resource.category = "License")
Read
Update
Delete
13
Security Admin
Security admin should have access rights to security related entities
Name
Resource filter
Conditions
Context
Actions
SecurityAdmin
Stream_*,App*,Proxy*,VirtualProxy*,User*,
((user.roles="SecurityAdmin"))
Only in QMC
Create
SystemRule_*,CustomProperty*,Tag_*,Data
Read
Connection_*,ContentLibrary_*
Update
Delete
Publish
Change
owner
Security admin should have access rights to security related sections
Name
Resource filter
Conditions
Context
Actions
SecurityAdminQmcSection
License_*,QmcSection_Stream,QmcSection_
((user.roles="SecurityAdmin"))
Only in QMC
Read
s
App,QmcSection_App.Object,QmcSection_Sy
stemRule,QmcSection_DataConnection,Qmc
Section_Tag,QmcSection_Templates,QmcSect
ion_Audit,QmcSection_ProxyService,QmcSec
tion_VirtualProxyConfig,QmcSection_User,Q
mcSection_CustomPropertyDefinition,QmcSe
ction_Certificates,QmcSection_Certificates.E
xport,QmcSection_ContentLibrary
14
Security admin should have read rights on ServerNodeConfiguration entity
Name
Resource filter
Conditions
Context
Actions
SecurityAdminServerNode
ServerNodeConfiguration_*
((user.roles="SecurityAdmin"))
Only in QMC
Read
Configuration
15