QMC Security Rules:
One can remodel the security to enable only consumers to manage objects of published apps of their names and in Streams corresponding to their UserDirectory, that disable access to data load editor for security.
You can access the Security Rules window from the main QMC dropdown list under “Manage Resources”.
For example, one can a create viewer role to distinguish it from consumer (the new author role).
You can access one rule by double clicking on it:
You can choose who can do what to which resource. The “Who” is in the “User” attributes. The “Do what” is the Actions. The “Resource” can be set in the Resource Filter part of the Advanced section or the filters section in the Basics.
There are two editors for rules: Basic (which has a user-friendly input) and Advanced (which has a scripting input). The basic editor only has a small set of options. You can check a wide filter options by checking the full list of rules and their “resource filters” field (see screenshot above).
Saving your rules:
You can modify your rule then save it. A good practice for safe modification of security rules: disabling them and creating a copy of them and enabling this copy. For example: Disable the CreateApp security rule and create CreateApp2 instead to limit app creation to a certain group of users.
Another example: CreateAppObjectsPublishedApp (for data templates for each consumer) can be overridden to limit adding published-app objects to consumers holding same name: Enable Consumers (not viewers) to create objects to the apps that hold same name as their names. E.g. enable the user Tom to create sheets on the app that’s named Amir.
Notes about Security Rules:
1. Duplicate permission is granted with Create access. And thus a Create against a stream is a create from this stream (duplicate) and not create to this stream (publish).
2. “Update” action: enables the data Reload tasks.
4. To make any action (duplicate, publish, etc.) for any (one’s own, or others) Apps in QMC one needs to get full access to: QmcSection_App.
5. To disable consumers from creating their own apps, one needs to disable or limit CreateApp security rule.
6. In order to duplicate an app, one should have a permission to create an app from within the same security rule that enables duplicating that app. So this should apply: (resource.owner.name=user.name).
7. One can develop a security rule to allow users of any user directory to access the stream of its company (user.userDirectory=resource.name).
8. I finally achieved a security rule: Allow Authors to Duplicate Data Template Apps.
10. I disabled “TRC-JV: Consumer access to “DMS” Stream” and created a new security rule: