(OEM) Security Integration (ticketing and security rules)

Created together with Raymond Neves (https://confluence.qliktech.com/display/~RNV), with help from Unknown User (rfn) (https://confluence.qliktech.com/display/~rfn), Johan Backlin (https://confluence.qliktech.com/display Piet

Also make sure you see (and like) our security videos (https://www.youtube.com/channel/UCmPkKeVbxeNyvEbe21VGWyA) or the presentations below:

* Partner day - Security Overview.pptx (/answers/\attachments\52745324\Partner20day20-20Security20Overview.pptx)
* OEMSecurity v2.6 mb.pptx (/answers/\attachments\52745324\OEMSecurity20v2.620mb.pptx)

Introduction

In OEM software integration cases, users and their authorizations are usually stored in a SQL table, and the OEM website already performs the authentication step. So the key thing we have to explain in this article is how we transfer the user and his rights to Qlik Sense.

The short answer is: we usually do this by using a ticket (https://community.qlik.com/docs/DOC-8159) (token based) mechanism. This ticket can be seen as a passport for the user. It contains his userId and the groups/roles which define his authorizations.

[Figure: Qlik Sense integrated web and security flow (Qlik Sense Authorization, Streams, Apps), showing the complete integration flow. A user logs in to your SaaS platform.]

Authentication

Before you can use the Qlik Sense system, in most cases you want to know who the user is; we call this authentication. The next step is that, based on this userId, you want to assign the user access rights; we call this authorization.
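The ticket mechanism described in the introduction, as an added example (not code from the page or from Qlik): the OEM backend asks the Qlik Sense Proxy Service (QPS) for a ticket that carries the userId and the user's groups, then redirects the browser to the hub with it. The host name, the virtual proxy prefix `oem`, the certificate file names and the attribute name `group` are assumptions for your own deployment.

```python
import json
import secrets
import ssl
import string
import urllib.request

# Assumed deployment values (placeholders, not from the page): the proxy host,
# the prefix of the virtual proxy that uses ticketing, and the certificate
# files exported from the QMC.
QPS_HOST = "qlik.example.internal"
VIRTUAL_PROXY = "oem"
ROOT_CERT, CLIENT_CERT, CLIENT_KEY = "root.pem", "client.pem", "client_key.pem"

def make_xrfkey() -> str:
    """16 alphanumeric characters, sent both in the query string and the X-Qlik-Xrfkey header."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(16))

def build_ticket_request(user_directory: str, user_id: str, groups, xrfkey: str = None):
    """Return (url, headers, body) for POST /qps/<virtual proxy>/ticket.

    The body is the 'passport': the userId plus the groups/roles that the security
    rules match on later. The attribute name 'group' is an assumption; it must equal
    the name the rule condition references.
    """
    xrfkey = xrfkey or make_xrfkey()
    if len(xrfkey) != 16 or not xrfkey.isalnum():
        raise ValueError("xrfkey must be exactly 16 alphanumeric characters")
    url = f"https://{QPS_HOST}:4243/qps/{VIRTUAL_PROXY}/ticket?xrfkey={xrfkey}"
    headers = {"X-Qlik-Xrfkey": xrfkey, "Content-Type": "application/json"}
    body = {
        "UserDirectory": user_directory,
        "UserId": user_id,
        "Attributes": [{"group": g} for g in groups],
    }
    return url, headers, json.dumps(body)

def hub_url(ticket: str) -> str:
    """URL to redirect the browser to once the ticket has been issued."""
    return f"https://{QPS_HOST}/{VIRTUAL_PROXY}/hub/?qlikTicket={ticket}"

def request_ticket(user_directory: str, user_id: str, groups) -> str:
    """Call the QPS with the QMC-exported client certificate; returns the ticket string."""
    url, headers, body = build_ticket_request(user_directory, user_id, groups)
    ctx = ssl.create_default_context(cafile=ROOT_CERT)   # trust the Qlik root CA
    ctx.load_cert_chain(CLIENT_CERT, CLIENT_KEY)         # authenticate as the OEM backend
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["Ticket"]
```

`request_ticket` needs network access to a real QPS; `build_ticket_request` and `hub_url` can be exercised offline.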
Both developers and users communicate with Sense via the Proxy (see this as a web server which performs the authentication step: who are you?). For each type of authentication we can create a virtual proxy. So normally we would create a virtual proxy for each authentication mechanism your company needs:

* Internal users using Active Directory
* External users using ticketing
* External users using SAML

Authorization using the security rules and section access

After the authentication (who are you?) you need to think about how you want to integrate the authorization (what can you do and see?). The keys you want to protect in Sense are called resources. Example resources are:

On the client side, called the hub context:

* Streams
* Apps
* Objects inside an app
* Sheets
* Stories
* Script
* Data model viewer

On the admin side, called the management console (QMC) context:

* Reload tasks
* Security configuration
* Apps
* Streams
* Users

There is no mandatory structure you have to follow in Sense. We have designed a very flexible approach in which each "thing" in Sense is a resource, and if you want to "use" it you need a "key" that allows you to access that resource. In Sense we protect the resources above with security rules, which follow this logic:

Allow the USER to do ACTION on the RESOURCE provided CONDITION

In other words:

* If you want to do/see a resource, you need at least one rule that evaluates to true.
* Note that this rule (its resource filter) must provide access to all resources you need.
For example, if you want to see a chart, you need access to:

* the stream
* the app
* the app.object

Example: Admin

* If your Active Directory group = Admin
* Then you are allowed to access all resources in the context of the QMC

Example: End user

* If your Active Directory group is not equal to Admin
* Then you are allowed to access all resources in the context of the Hub

In most OEM cases we give each customer its own stream, and therefore we create a rule like this to split the customers in the system:

* Allow a user to view (Action)
* all dashboards inside a stream (Resource)
* provided that the group (e.g. a customer name) of the user matches the name of the stream (Condition)

Let's illustrate this with the example of a city (a Sense server). It consists of:

* streets (streams), which are used to
* group houses (apps), and a
* house consists of rooms (app.objects)

Most people can only enter one house and all its rooms. But in order to arrive at your room, you have to drive through your street, open the house and enter your room. And that is exactly the way an OEM security setup works in Sense.

SaaS security setup

Most times you have a SaaS solution with a lot of customers in one system, and you want to divide this. So we start with giving each customer its own stream, and once you have access to the stream you are allowed to view all apps in it. Of course we can also limit access to apps and even sheets, the script and database connections. This is possible because everything is a resource in Sense. And before a user can access a resource he needs at least one security rule that evaluates to true for the
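The rule logic (Allow USER to do ACTION on RESOURCE provided CONDITION), the note that a rule set must cover every resource you need, and the stream/app/app.object chain above, as an added example (a constructed emulation in Python, not the page's or Qlik's rule engine or rule syntax): a user sees a chart only when some rule evaluates to true for the stream, for the app and for the object. The resource names, the `Admin` and `CustomerStream` rules and the action names are assumptions.

```python
from dataclasses import dataclass
# Constructed emulation of the page's rule logic ("Allow the USER to do ACTION
# on the RESOURCE provided CONDITION"); it is not Qlik's rule engine or syntax.
@dataclass
class Resource:
    kind: str                       # "Stream", "App" or "App.Object"
    name: str
    parent: "Resource" = None       # App -> Stream, App.Object -> App

@dataclass
class Rule:
    name: str
    resource_filter: set            # resource kinds the rule applies to
    actions: set
    condition: object               # callable(user_groups, resource) -> bool

def path(res: Resource) -> list:
    """Street, house, room: the stream, app and object a user must pass through."""
    out = []
    while res is not None:
        out.append(res)
        res = res.parent
    return out[::-1]

# The two rules from the page's OEM pattern: admins may do everything; other users
# may read a stream, and what is inside it, when its name is one of their groups.
RULES = [
    Rule("Admin", {"Stream", "App", "App.Object"}, {"Read", "Update", "Delete"},
         lambda groups, r: "Admin" in groups),
    Rule("CustomerStream", {"Stream", "App", "App.Object"}, {"Read"},
         lambda groups, r: path(r)[0].name in groups),
]

def allowed(groups: set, action: str, res: Resource, rules=RULES) -> bool:
    """One resource: some rule must match the filter, the action and the condition."""
    return any(action in rule.actions and res.kind in rule.resource_filter
               and rule.condition(groups, res) for rule in rules)

def can_view(groups: set, res: Resource, rules=RULES) -> bool:
    """A chart is visible only if every resource on its path is readable."""
    return all(allowed(groups, "Read", r, rules) for r in path(res))

def first_denied(groups: set, res: Resource, rules=RULES):
    """First resource on the path that blocks access, or None; handy when debugging."""
    return next((f"{r.kind}:{r.name}" for r in path(res)
                 if not allowed(groups, "Read", r, rules)), None)
# Constructed sample: customer A's stream, an app in it and a chart in the app.
STREAM_A = Resource("Stream", "CustomerA")
SALES_APP = Resource("App", "Sales", STREAM_A)
CHART = Resource("App.Object", "RevenueChart", SALES_APP)
```

A rule that grants Read on App.Object alone does not make the chart visible to a user from another customer, because the stream on the path still denies; `first_denied` points at that stream.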
