# Security rules

In most cases, end users need to share a published app in order to comment on it. This requires a few security rules that create a new role, **Commenting Role**. Users who are assigned the Commenting Role can comment directly in published apps.

Just set up the rules below in the Qlik Management Console (QMC) and you are good to go.

{% hint style="warning" %}
If you have installed Kaptain, Komment will work without the security rule configuration.
{% endhint %}

{% hint style="info" %}
For unpublished apps, Komment will work without the security rule configuration.
{% endhint %}

## Rule 1:

```
CommentingRole – App
Resource Filter: App_* 
Actions: Update 
Condition: ((user.roles="CommentingRole") and resource.stream.HasPrivilege("read"))
```

> The end user needs ‘UPDATE’ permission on the app that is to be commented on (modified) via the extension.

## Rule 2:

```
CommentingRole – AppObject
Resource Filter: App.Object_*
Actions: Read
Condition: ((user.roles="CommentingRole"))
```

> The end user needs a security rule on appObject with ‘READ’ permission to load the script, in order to trigger a partial reload (by default, Qlik Sense blocks script access in published apps).

## Rule 3:

```
CommentingRole - DataConnection
Resource Filter: DataConnection_*
Actions: Read
Condition: ((user.roles="CommentingRole"))
```

> The end user also requires ‘READ’ permission on every data connection that appears in the load script (all data connections used in the current app, whether or not they are executed during the partial reload; unfortunately, this is how Qlik works).

{% hint style="success" %}
The last step is to assign ‘CommentingRole’ to the users who should be able to comment within published apps. This is done in the QMC.
{% endhint %}
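
An added example (not part of the Komment documentation or of Qlik's tooling): a small Python check that parses the three rules above in the layout this page uses and notes which of them are scoped only by role membership rather than by a resource condition. The function names and the wording of the notes are assumptions made for illustration.

```python
import re

# The three rules exactly as listed on this page: a name line, then "Key: value" lines.
PAGE_RULES = """\
CommentingRole – App
Resource Filter: App_*
Actions: Update
Condition: ((user.roles="CommentingRole") and resource.stream.HasPrivilege("read"))

CommentingRole – AppObject
Resource Filter: App.Object_*
Actions: Read
Condition: ((user.roles="CommentingRole"))

CommentingRole - DataConnection
Resource Filter: DataConnection_*
Actions: Read
Condition: ((user.roles="CommentingRole"))
"""

def parse_rules(text):
    """Split blank-line-separated rule blocks into dicts keyed by field name."""
    rules = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        rule = {"name": lines[0]}
        for ln in lines[1:]:
            key, _, value = ln.partition(":")
            rule[key.strip().lower().replace(" ", "_")] = value.strip()
        rules.append(rule)
    return rules

def review(rule):
    """Return scope notes for one rule (hypothetical helper, not a Qlik API)."""
    notes = []
    actions = [a.strip() for a in rule["actions"].split(",")]
    wildcard = rule["resource_filter"].endswith("_*")
    scoped = "resource." in rule["condition"]  # no resource.* term: role alone decides
    if wildcard and not scoped:
        notes.append("role alone grants %s on all %s resources"
                     % ("/".join(actions), rule["resource_filter"][:-2]))
    if "Update" in actions:
        notes.append("write access: keep role membership small")
    return notes

def audit(text):
    """Map each rule name to its review notes."""
    return {r["name"]: review(r) for r in parse_rules(text)}

print(audit(PAGE_RULES))
```

Rules 2 and 3 are reported as role-only, so the list of users holding ‘CommentingRole’ is the control that limits who can read app objects and data connections.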

