Qlik Sense Security Rules List
Transcription
Qlik Sense Security Rules List
Qlik Sense Security Rules List Qlik Sense 1.1 2015/04/06 Table of Contents Read Only Security Rules ............................................................................................................................................................................................................................. 2 App Data Segment .................................................................................................................................................................................................................................... 2 Content Library ......................................................................................................................................................................................................................................... 2 Extension ................................................................................................................................................................................................................................................... 3 File Reference ............................................................................................................................................................................................................................................ 3 Installed Static Content ............................................................................................................................................................................................................................ 3 Owned Resource ........................................................................................................................................................................................................................................ 4 Temporary Content ................................................................................................................................................................................................................................... 5 User (Service Account / Root Admin) ....................................................................................................................................................................................................... 5 Default Security Rules – General ................................................................................................................................................................................................................ 7 App.............................................................................................................................................................................................................................................................. 7 App Object .................................................................................................................................................................................................................................................. 7 Content Library ......................................................................................................................................................................................................................................... 8 Data Connection ........................................................................................................................................................................................................................................ 8 Extension ................................................................................................................................................................................................................................................... 8 Stream ........................................................................................................................................................................................................................................................ 9 Default Security Rules – Default Administrative User Group ................................................................................................................................................................ 10 Audit Admin ............................................................................................................................................................................................................................................. 10 Content Admin......................................................................................................................................................................................................................................... 10 Deployment Admin .................................................................................................................................................................................................................................. 12 Security Admin ........................................................................................................................................................................................................................................ 14 1 Read Only Security Rules App Data Segment If you have read rights on the app you should be able to read app data segments belonging to that app Name Resource filter Conditions Context Actions ReadAppDataSegments App.DataSegment_* resource.App.HasPrivilege("read") and !user.IsAnonymous() Both in hub Read and QMC If you have update rights on the app you should be able to create/update/read/delete app data segments belonging to that app Name Resource filter Conditions Context Actions UpdateAppDataSegments App.DataSegment_* resource.App.HasPrivilege("update") and !user.IsAnonymous() Both in hub Create and QMC Read Update Delete Content Library Allows everyone that can see a content library to see its corresponding files Name Resource filter Conditions Context Actions Content library content StaticContentReference_* resource.ContentLibrarys.HasPrivilege("Read") Both in hub Read and QMC Allows everyone that can update a content library to manage its corresponding files Name Resource filter Conditions Context Actions Content library manage StaticContentReference_* resource.ContentLibrarys.HasPrivilege("Update") Both in hub Create, and QMC Read content Update Delete 2 Extension Allows everyone that can update an extension to manage its corresponding files Name Resource filter Conditions Context Actions Extension manage content StaticContentReference_* resource.Extensions.HasPrivilege("Read") Both in hub Create, and QMC Read Update Delete Allows everyone that can see an extension to see its corresponding files Name Resource filter Conditions Context Actions Extension static content StaticContentReference_* resource.Extensions.HasPrivilege("Update") Both in hub Read and QMC File Reference Everyone is allowed to read file references Name Resource filter Conditions Context Actions ReadFileReference FileReference_* !user.IsAnonymous() Both in hub Read and QMC Installed Static Content Allows everyone to read installed static content Name Resource filter Conditions Context Actions Installed static content StaticContentReference_* ((resource.StaticContentSecurityType="Open")) Both in hub Read and QMC 3 Owned Resource The owner of a resource should be able to do all actions if the resource is not published to a stream Name Resource filter Conditions Context Actions Owner * resource.IsOwned() and (resource.owner = user Both in hub Read and !((resource.resourcetype = "App" and !resource.stream.Empty()) and QMC Update or (resource.resourcetype = "App.Object" and resource.published = Delete "true"))) Publish Change owner The owner of a resource should be able to publish an object Name Resource filter Conditions Context Actions OwnerPublish * resource.IsOwned() and resource.owner = user Both in hub Publish and !(resource.resourcetype = "App.Object") and QMC The owner of an app object should be able to unpublish an object unless it is approved Name Resource filter Conditions Context Actions OwnerPublishAppObject App.Object_* resource.IsOwned() and resource.owner = user and Both in hub Publish resource.resourcetype = "App.Object" and resource.approved = "false" and QMC The owner of a resource should be able to see the resource if it is published to a stream Name Resource filter Conditions Context Actions OwnerRead * resource.IsOwned() and resource.owner = user Both in hub Read and QMC 4 Temporary Content Allows everyone except anonymous users to create temporary content Name Resource filter Conditions Context Actions Temporary content TempContent_* !user.IsAnonymous() Both in hub Create and QMC User (Service Account / Root Admin) The service accounts should be able to do all actions Name Resource filter Conditions Context Actions ServiceAccount * user.UserDirectory = "INTERNAL" and (user.UserId = Both in hub Create "sa_repository" or user.UserId = "sa_proxy" or user.UserId = and QMC Read "sa_scheduler" or user.UserId = "sa_engine") Update Delete Export Publish Change owner Change role Export data 5 Root admin should have full access rights Name Resource filter Conditions Context Actions RootAdmin * ((user.roles="RootAdmin")) Both in hub Create and QMC Read Update Delete Export Publish Change owner Change role Export data 6 Default Security Rules – General App Everyone is allowed to create apps except anonymous users Name Resource filter Conditions Context Actions CreateApp App_* !user.IsAnonymous() Only in hub Create Everyone is allowed to export the app data they are allowed to see except anonymous users Name Resource filter Conditions Context Actions ExportAppData App_* !user.IsAnonymous() Only in hub Export data App Object If you have read rights on an published app you should be able to create sheets, stories, bookmarks and snapshots belonging to that app Name Resource filter Conditions Context Actions CreateAppObjectsPublishedApp App.Object_* !resource.App.stream.Empty() and Only in hub Create resource.App.HasPrivilege("read") and (resource.objectType = "userstate" or resource.objectType = "sheet" or resource.objectType = "story" or resource.objectType = "bookmark" or resource.objectType = "snapshot" or resource.objectType = "embeddedsnapshot" or resource.objectType = "hiddenbookmark") and !user.IsAnonymous() If you have read rights on an unpublished app you should be able to create app objects belonging to that app Name Resource filter Conditions Context Actions CreateAppObjectsUnPublishedApp App.Object_* resource.App.stream.Empty() and Only in hub Create resource.App.HasPrivilege("read") and !user.IsAnonymous() 7 Content Library The default content library should be visible for all users Name Resource filter Conditions Context Actions Default content library ContentLibrary_365cddf2-1181-4204-8800-e9 true Both in hub Read a46fe3b127 and QMC Data Connection It should be possible to create data connections except of type folder Name Resource filter Conditions Context Actions DataConnection DataConnection_* ((resource.type!="folder")) Only in hub Create It should be possible for admins to create folder data connections Name Resource filter Conditions Context Actions FolderDataConnection DataConnection_* resource.type = "folder" and (user.roles = "RootAdmin" or user.roles = Only in hub Create "ContentAdmin" or user.roles = "SecurityAdmin") Read Update Delete Extension Everyone can view extensions Name Resource filter Conditions Context Actions Default content library Extension_* ((resource.resourcetype="Extension")) Both in hub Read and QMC 8 Stream The user should see the resource if he/she has read access to the stream it is published to Name Resource filter Conditions Context Actions Stream App* (resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) Both in hub Read or ((resource.resourcetype = "App.Object" and resource.published ="true") and QMC and resource.app.stream.HasPrivilege("read")) The default stream called Administration should be visible for default Administrators and they should be able to publish to it Name Resource filter Conditions Context Actions StreamAdministration Stream_a70ca8a5-1d59-4cc9-b5fa-6e207978d ((user.roles="RootAdmin" or user.roles="ContentAdmin" or Both in hub Read caf user.roles="SecurityAdmin" or user.roles="DeploymentAdmin" or and QMC Publish user.roles="AuditAdmin")) The default stream called Everyone should be visible for all users and all users should be able to publish to it Name Resource filter Conditions Context Actions StreamEveryone Stream_aaec8d41-5201-43ab-809f-3063750df !user.IsAnonymous() Both in hub Read and QMC Publish afd The default stream called Everyone should be visible for anonymous users Name Resource filter Conditions Context Actions StreamEveryoneAnonymo Stream_aaec8d41-5201-43ab-809f-3063750df true Both in hub Read us afd and QMC 9 Default Security Rules – Default Administrative User Group Audit Admin Audit admin should have access rights to audit related entities Name Resource filter Conditions Context Actions AuditAdmin Tag_* ((user.roles="AuditAdmin")) Only in QMC Create Read Update Delete Audit admin should have access rights to audit related sections Name Resource filter Conditions Context Actions AuditAdminQmcSections License_*,QmcSection_Tag,QmcSection_Audi ((user.roles="AuditAdmin")) Only in QMC Read t Content Admin Content admin should have access rights to content related entities Name Resource filter Conditions Context Actions ContentAdmin Stream_*,App*,ReloadTask_*,UserSyncTask ((user.roles="ContentAdmin")) Only in QMC Create _*,SchemaEvent_*,User*,CustomProperty*,T Read ag_*,DataConnection_*,CompositeEvent_*,E Update xtension_*,ContentLibrary_* Delete Publish Change owner Content admin should have access rights to content related sections Name Resource filter Conditions Context 10 Actions ContentAdminQmcSection License_*,QmcSection_Stream,QmcSection_ s App,QmcSection_App.Object,QmcSection_Da ((user.roles="ContentAdmin")) Only in QMC Read taConnection,QmcSection_Tag,QmcSection_ Audit,QmcSection_User,QmcSection_Custom PropertyDefinition,QmcSection_Task,QmcSe ction_Event,QmcSection_SchemaEvent,Qmc Section_CompositeEvent,QmcSection_Extens ion,QmcSection_ReloadTask,QmcSection_Us erSyncTask,QmcSection_ContentLibrary Content admin should have access rights to manage security rules for streams, data connections and content libraries Name Resource filter Conditions Context Actions ContentAdminRulesAccess SystemRule_* user.roles = "ContentAdmin" and resource.category = "Security" and Only in QMC Create (resource.resourcefilter matches Read "Stream_¥w{8}-¥w{4}-¥w{4}-¥w{4}-¥w{12}" or resource.resourcefilter Update matches "DataConnection_¥w{8}-¥w{4}-¥w{4}-¥w{4}-¥w{12}" or Delete resource.resourcefilter matches "ContentLibrary_¥w{8}-¥w{4}-¥w{4}-¥w{4}-¥w{12}") 11 Deployment Admin Deployment admin should have access rights to deployment related entities Name Resource filter Conditions Context Actions DeploymentAdmin ServerNodeConfiguration_*,Engine*,Proxy*, ((user.roles="DeploymentAdmin")) Only in QMC Create VirtualProxy*,Repository*,Scheduler*,User*, Read CustomProperty*,Tag_*,License*,ReloadTask Update _*,UserSyncTask_*,SchemaEvent_*,Composi Delete teEvent_* Deployment admin should have access rights to see and update apps in order to handle sync rules Name Resource filter Conditions Context Actions DeploymentAdminAppAcc App_* ((user.roles="DeploymentAdmin")) Only in QMC Read ess Update 12 Deployment admin should have access rights to deployment related sections Name Resource filter Conditions Context Actions DeploymentAdminQmcSec License_*,ServiceStatus_*,QmcSection_Tag, ((user.roles="DeploymentAdmin")) Only in QMC Read tions QmcSection_Templates,QmcSection_ServerN odeConfiguration,QmcSection_EngineService ,QmcSection_ProxyService,QmcSection_Virtu alProxyConfig,QmcSection_RepositoryServic e,QmcSection_SchedulerService,QmcSection_ License*,QmcSection_Token,LoadbalancingS electList,QmcSection_User,QmcSection_User Directory,QmcSection_CustomPropertyDefini tion,QmcSection_Certificates, QmcSection_Certificates.Export,QmcSection _Task,QmcSection_App,QmcSection_SyncRul e,QmcSection_Event, QmcSection_ReloadTask, QmcSection_UserSyncTask, QmcSection_Audit Deployment admin should have access rights to manage sync and license rules Name Resource filter Conditions Context Actions DeploymentAdminRuleAcc SystemRule_* user.roles = "DeploymentAdmin" and (resource.category = "Sync" or Only in QMC Create ess resource.category = "License") Read Update Delete 13 Security Admin Security admin should have access rights to security related entities Name Resource filter Conditions Context Actions SecurityAdmin Stream_*,App*,Proxy*,VirtualProxy*,User*, ((user.roles="SecurityAdmin")) Only in QMC Create SystemRule_*,CustomProperty*,Tag_*,Data Read Connection_*,ContentLibrary_* Update Delete Publish Change owner Security admin should have access rights to security related sections Name Resource filter Conditions Context Actions SecurityAdminQmcSection License_*,QmcSection_Stream,QmcSection_ ((user.roles="SecurityAdmin")) Only in QMC Read s App,QmcSection_App.Object,QmcSection_Sy stemRule,QmcSection_DataConnection,Qmc Section_Tag,QmcSection_Templates,QmcSect ion_Audit,QmcSection_ProxyService,QmcSec tion_VirtualProxyConfig,QmcSection_User,Q mcSection_CustomPropertyDefinition,QmcSe ction_Certificates,QmcSection_Certificates.E xport,QmcSection_ContentLibrary 14 Security admin should have read rights on ServerNodeConfiguration entity Name Resource filter Conditions Context Actions SecurityAdminServerNode ServerNodeConfiguration_* ((user.roles="SecurityAdmin")) Only in QMC Read Configuration 15