Creating Team administrators in Qlik Sense

    Author: jbc

     

    Intro

    In Qlik Sense the QMC is used to administer content and perform certain administrative actions. In many cases you may wish to allow a user to self-administer the content of a group of users (such as their department) without having access to the whole QMC or all the content.

    This document outlines how to set up a “Team Admin” role in the QMC. The target is:

    • To enable a user to be the administrator for a team of users/selection of apps
    • The user should be able to see the relevant sections in the QMC
      • Apps – including publishing, deleting and importing
      • Viewing App Content
      • Viewing and creating Tasks (but only for the above apps)
      • View data connections
      • View content libraries
    • The team admin needs to be able to see both apps published to set streams and any apps owned by a group of users

    To avoid having to create too many rules, an approach is needed that makes the security rules generic. The aim here is that you can have several admins for the same team, an admin for several teams, or several admins each for their own team, without having to keep maintaining rules or settings. There are several ways to do this, but using Custom Properties is likely to be the most efficient in many cases, and this is used in the examples below.

    Identifying which published apps can be administered is simple (it's just picking the right streams), but selecting apps which are not published means identifying an attribute of the user that owns the app, and picking something that avoids too much management. In this example a group will be used – this could be a group from Active Directory/LDAP etc.

    Note: These instructions use a feature that was added in Qlik Sense 2.1.1. The rules are still valid for prior versions; however, the ability to add multiple values to custom properties allows for less complex rules and easier management.

    How to implement it

    Setting up Custom Properties

    Custom properties will be used to identify which content the user can administer. You will apply a custom property to a stream and to the user and these will need to match.

    Create the following custom properties:

    Name: TeamAdminFor

    Resource Types Applicable to:  Users

    Values:  Sales, Finance, Marketing   (specify your values here, ideally matching your group names too)


    Name: Department

    Resource Types Applicable to: Streams

    Values:  Sales, Finance, Marketing   (specify your values here, ideally matching your group names too)

    Now that you have created these, apply the values to the users and streams. To do this, edit the stream, select custom properties and apply the Department value as needed, then repeat for the user you want to be the team admin by setting the TeamAdminFor value. You can use multiple values in these lists too, so you could make one user the admin for several departments (only with Sense 2.1.1 and above).

    Create the rules

    In this section you will create the rules to give the user access. It's a good idea to test after each rule to make sure it is working as expected. To keep the rules easier to read, 4 rules are created: one to define the sections visible in the QMC, one to define what the user can read, one for create and one for edit.

    1 - Access to sections in the QMC

    This rule dictates which elements in the QMC can be seen. It gives no access to any actual data.

    Name: TeamAdmin_QMCsections

    Resource Filter: QmcSection_App, QmcSection_DataConnection, QmcSection_ContentLibrary, QmcSection_App.Object, QmcSection_Task, QmcSection_ReloadTask, QmcSection_Event, QmcSection_SchemaEvent, QmcSection_CompositeEvent
    Comment: This gives access to apps, data connections, content libraries and tasks with all the associated parts. Add or delete sections if required.

    Conditions: ((!user.@TeamAdminFor.empty()))
    Comment: As long as a non-empty value has been set in the user's TeamAdminFor property, they will have access to the QMC.

    Context: QMC Only

    Actions: Read

    Test this rule: any user with TeamAdminFor set should now see some, but not all, sections in the QMC, but won't see much data (they will probably see the same apps they see in the hub).

    2 - What the user can create

    This rule dictates what the user can create.

    Name: TeamAdmin_Create

    Resource Filter: App*, ReloadTask*, SchemaEvent*, CompositeEvent*, ExecutionResult*, DataConnection*
    Comment: This allows users to create apps and reload tasks (plus triggers). If users can import apps then they will need to be able to create data connections too, as these are created during import.

    Conditions: ((!user.@TeamAdminFor.empty()))
    Comment: As long as a non-empty value has been set in the user's TeamAdminFor property, they will have the ability to add the above.

    Context: QMC Only

    Actions: Create

    After this rule you should see the create/import buttons appear in the QMC.

    3 - What the user can Read

    This rule will dictate the entries the user can see listed in each of the QMC sections. Remember the aim in this example is to allow the team admin to see any published apps in the streams they look after AND any apps created by users in a specific group.

    The edit and read rules are very similar. However, it is best to keep edit and read rights in separate rules, as you will most likely need to let the admin read values but not edit them.

    Name: TeamAdmin_Read

    Resource Filter: Stream*, App*, ReloadTask*, SchemaEvent*, Tag*, CompositeEvent*, ExecutionResult*, CustomProperty*
    Comment: This allows users to read apps and reload tasks (plus triggers).

    Conditions:
    (
    ((resource.resourcetype="App" or resource.resourcetype="App.Object") and (resource.stream.@Department = user.@TeamAdminFor or resource.owner.group = user.@TeamAdminFor))
    or
    (resource.resourcetype="ReloadTask" and (resource.app.stream.@Department = user.@TeamAdminFor or resource.app.owner.group = user.@TeamAdminFor))
    or resource.resourcetype="SchemaEvent" or resource.resourcetype="CompositeEvent" or resource.resourcetype="Tag" or resource.resourcetype="ExecutionResult"
    )
    Comment: This rule says that if the resource is an App then either the stream's Department or the app owner's group must match the user's TeamAdminFor value. The rule is in two sections because we want to show both apps AND the tasks that belong to the apps.

    Context: QMC Only
    Comment: You could change this to Hub and QMC, but that would mean the user would see the apps from everyone in their team in their hub, which you might want to avoid.

    Actions: Read

    After this rule you should be able to see all the applicable apps and associated tasks etc.

    4 - What the user can Edit

    This rule will dictate the entries the user can edit (edit, publish, delete etc.) in each of the QMC sections. Remember the aim in this example is to allow the team admin to administer any published apps in the streams they look after AND any apps created by users in a specific group.

    The edit and read rules are very similar. However, it is best to keep edit and read rights in separate rules, as you will most likely need to let the admin read values but not edit them.

    Name: TeamAdmin_Edit

    Resource Filter: App*, Stream*, ReloadTask*, SchemaEvent*, CompositeEvent*, ExecutionResult*
    Comment: This allows users to edit apps and reload tasks (plus triggers).

    Conditions:
    (
    ((resource.resourcetype="App" or resource.resourcetype="App.Object") and (resource.stream.@Department = user.@TeamAdminFor or resource.owner.group = user.@TeamAdminFor))
    or
    (resource.resourcetype="ReloadTask" and (resource.app.stream.@Department = user.@TeamAdminFor or resource.app.owner.group = user.@TeamAdminFor))
    or resource.resourcetype="SchemaEvent" or resource.resourcetype="CompositeEvent" or resource.resourcetype="Tag" or resource.resourcetype="ExecutionResult"
    )
    Comment: This rule says that if the object is an App then either the stream's Department or the app owner's group must match the user's TeamAdminFor value. The rule is in two sections because we want to show both apps AND the tasks that belong to the apps. The SchemaEvent, CompositeEvent and ExecutionResult clauses carry no Department or TeamAdminFor test, so for those resource types the rule matches every resource rather than only the team's.

    Context: QMC Only
    Comment: You could change this to Hub and QMC, but that would mean the user would see the apps from everyone in their team in their hub, which you might want to avoid.

    Actions: Update, Delete, Export, Publish, Change owner

    After this rule the team admin should be able to edit, delete, publish and change owner, etc. on apps.

    Note: the user may see apps in the QMC that they cannot perform the admin actions on. This is because they may have been given access to read apps in the hub and these will display in the QMC; however, these will be read only.
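
    The condition shared by rules 3 and 4 (TeamAdmin_Read and TeamAdmin_Edit), modelled in Python so the matching can be checked offline before the rules go into the QMC. This is an added example, not part of the original document and not Qlik code; the sample resources, the dictionary layout and the reading of "=" on multi-valued properties as "any value matches" are assumptions.

```python
# Added example: offline model of the TeamAdmin_Read / TeamAdmin_Edit condition.
# Assumption: "=" on multi-valued attributes is true when any value matches.
UNSCOPED = {"SchemaEvent", "CompositeEvent", "Tag", "ExecutionResult"}


def any_match(left, right):
    """Model '=' between two multi-valued attributes as set overlap."""
    return bool(set(left) & set(right))


def app_matches(app, admin_for):
    """resource.stream.@Department = user.@TeamAdminFor
    or resource.owner.group = user.@TeamAdminFor"""
    stream = app["stream"]  # None for an unpublished app
    departments = stream["Department"] if stream else []
    return any_match(departments, admin_for) or any_match(app["owner_groups"], admin_for)


def condition(user, resource):
    """Evaluate the rule condition for one user/resource pair."""
    admin_for = user["TeamAdminFor"]
    rtype = resource["type"]
    if rtype in ("App", "App.Object"):
        return app_matches(resource, admin_for)
    if rtype == "ReloadTask":
        return app_matches(resource["app"], admin_for)
    return rtype in UNSCOPED  # these clauses never look at the user or department


# Constructed sample data (hypothetical names).
SALES_APP = {"type": "App", "name": "Pipeline",
             "stream": {"Department": ["Sales"]}, "owner_groups": ["IT"]}
DRAFT_APP = {"type": "App", "name": "Budget draft",
             "stream": None, "owner_groups": ["Finance"]}
MKT_APP = {"type": "App", "name": "Campaigns",
           "stream": {"Department": ["Marketing"]}, "owner_groups": ["Marketing"]}
RESOURCES = [
    SALES_APP, DRAFT_APP, MKT_APP,
    {"type": "ReloadTask", "name": "Reload Pipeline", "app": SALES_APP},
    {"type": "ReloadTask", "name": "Reload Campaigns", "app": MKT_APP},
    {"type": "SchemaEvent", "name": "Campaigns nightly trigger"},
]
TEAM_ADMIN = {"TeamAdminFor": ["Sales", "Finance"]}
NO_TEAM = {"TeamAdminFor": []}


def matched(user):
    """Names of the sample resources for which the condition is true."""
    return [r["name"] for r in RESOURCES if condition(user, r)]
```

    matched(TEAM_ADMIN) lists the Sales-stream app, the unpublished Finance-owned app, the Sales reload task and the trigger; matched(NO_TEAM) lists only the trigger.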