Security Rules Optimization

    Author: jog

    Design and deploy scalable access control

    Published: 3-Aug-2015, Revision: 1.0

    Valid for Qlik Sense Version: 2.0.2+

     


    Why It's Important


    Qlik Sense security rules offer granular control of resources and capabilities within a Qlik Sense deployment using attributes from enterprise directory services and custom properties.  Proper planning of access control will simplify writing security rules and potentially reduce the overall number of rules required to manage a Qlik Sense deployment.

    Best Practice

    Leverage existing directory attributes to create rules to govern access in Qlik Sense.  The most commonly used attribute with Qlik Sense is the Group attribute because existing groups generally map to access control in the enterprise.

     

    In these screenshots, two different stream access rules have been created.
    • The QlikReadOnlyUsers group has Read access to the stream.
    • The QlikPowerUsers group has Read and Publish access.

    Using existing group attributes in an Active Directory, LDAP, or custom database
    enables easy creation of specific rules and built-in scaling managed by the source directory.


    Create roles to define access control and assign users to roles.  Doing so reduces the opportunity for "rule creep" and avoids managing access control at the granular level of individual users.


    Use provided security rules as templates: copy definitions, disable rules, and create new entries with the copied definitions.  This sequence ensures a back-out plan if the created rules do not work as intended.  Qlik Sense supplied rules carry a type of Read only or Default.


    Use Qlik Sense resource properties in security rules to define access to specific resources without creating specific rules for each resource.

     

    In this example, for the supplied resource filters, if the name of the owner of the resource equals the name of the logged-in user, the checked Actions are granted to that user.

    This rule results in users having the ability to access and administer the content they own in the Hub and QMC.

    The application of this rule has far-reaching impact because there is no hard-coded condition.


     

    Improve performance by selecting context.  Rules created for the hub and QMC contexts are necessary; however, keep in mind that rules running in both contexts have increased overhead.
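
    As an added example (not part of the original article and not Qlik code), the sketch below audits a constructed rule list for the patterns discussed above: conditions pinned to individual users, which is how rule creep starts, and rules evaluated in both the hub and QMC contexts. The dictionary keys, stream name and user names are assumptions made for illustration; the conditions follow the article's description of the group and owner rules.

```python
import re
from collections import defaultdict

# Constructed sample rules. The dictionary keys are hypothetical and are
# not the Qlik Sense repository schema; conditions mimic rule-condition style.
RULES = [
    {"name": "SalesReaders", "filter": "Stream_sales", "actions": {"Read"},
     "context": "hub", "condition": 'user.group="QlikReadOnlyUsers"'},
    {"name": "SalesPublishers", "filter": "Stream_sales",
     "actions": {"Read", "Publish"}, "context": "hub",
     "condition": 'user.group="QlikPowerUsers"'},
    {"name": "AliceSales", "filter": "Stream_sales", "actions": {"Read"},
     "context": "both", "condition": 'user.name="alice"'},
    {"name": "BobSales", "filter": "Stream_sales", "actions": {"Read"},
     "context": "both", "condition": 'user.name="bob"'},
    {"name": "OwnerAccess", "filter": "*", "actions": {"Read", "Update"},
     "context": "both", "condition": "resource.owner.name=user.name"},
]

# A user attribute compared with a quoted literal, e.g. user.name="alice".
LITERAL = re.compile(r'user\.(\w+)\s*=\s*"([^"]*)"')
DIRECTORY_ATTRS = {"group", "roles"}  # membership is managed outside the rule
PER_USER, BOTH = "per-user condition", "runs in both contexts; confirm need"

def per_user_literals(rule):
    """Return literals that pin a rule to one individual identity."""
    return [value for attr, value in LITERAL.findall(rule["condition"])
            if attr not in DIRECTORY_ATTRS]

def audit(rules):
    """Return (findings, merge_candidates) for a list of rule dicts."""
    findings, buckets = [], defaultdict(list)
    for r in rules:
        if per_user_literals(r):
            findings.append((r["name"], PER_USER))
            key = (r["filter"], frozenset(r["actions"]), r["context"])
            buckets[key].append(r["name"])
        if r["context"] == "both":
            findings.append((r["name"], BOTH))
    # Rules identical except for the user literal can become one group rule.
    merges = [sorted(names) for names in buckets.values() if len(names) > 1]
    return findings, merges

if __name__ == "__main__":
    findings, merges = audit(RULES)
    for name, issue in findings:
        print(f"{name}: {issue}")
    for names in merges:
        print("replace with one group or role rule:", ", ".join(names))
```

    The owner rule passes the per-user check because it compares two attributes rather than an attribute with a literal, which is why it scales without edits as users are added.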


    Summary

    The overall goal of security rules implementation in Qlik Sense is efficiency, flexibility, and scalability.  Follow the best practice tips above to prevent rule creep, take advantage of included expressions and properties, and use existing user directory attributes to deploy a governed Qlik Sense environment.