Understanding the security rules included in the Qlik Sense default install

    This article is intended as a guide for those who are starting to work on Qlik Sense security rules, to help them get familiar with the security rules included in the default install. By capturing an overall picture of the security rules in a structured manner, you will be able to pin down the security rules you need to customize with less effort.

     

    The explanations here are based on the list of the Qlik Sense security rules uploaded to the following site:

     

    Qlik Sense Security Rules List (v3.2SR1)

     

    *For those who are new to Qlik Sense security rules, please refer to the Qlik Sense Security Overview white paper.

     

    Read only and default security rules


    At a high level, the security rules can be categorized into the following groups:

     

    • Read Only Security Rules
    • Default Security Rules
      • Resources
      • Administrative User Groups

     

    The security rules included in the default install are either read only or default. The read only rules can be neither modified nor disabled, so there is not much you can do with them in terms of customization, except looking into them when you need to understand the predetermined system behaviors.

     

    In most cases, the rules you need to work on are the default security rules, so let us focus on those below.

     

    Default security rules


    Among the default security rules, there are two types: Resources and Administrative User Groups.

     

    Resources


    Security rules which fall into this category are those you need to work on most often. You can find a set of rules for each resource, as follows:

     

    • App
      • Who can create apps? -> CreateApp
      • Who can export data from apps? -> ExportAppData
      • Who can read which apps published to a stream? -> Stream
    • App Object
      • Who can create which app objects (sheets, stories, bookmarks and snapshots)?
        • Published apps -> CreateAppObjectsPublishedApp
        • Unpublished apps -> CreateAppObjectsUnPublishedApp
    • Content Library
      • Who can read default content library? -> Default content library
    • Data Connection
      • Who can create data connections?
        • Folder connections -> FolderDataConnection
        • Connections other than folders -> DataConnection
        • Who can upload files? -> File upload connection object
    • Extension
      • Who can view extensions? -> Extension
    • Stream
      • Who can view and publish to which streams?
        • Everyone stream -> StreamEveryone, StreamEveryoneAnonymous
        • Monitoring apps stream -> StreamMonitoringAppsPublish, StreamMonitoringAppsRead
    • Owned Resource
      • What owner of a resource can do to the resource -> Owner

     

    Other than these rules, there is the HubSections rule, which removes the “Open Hub” link in an app, primarily for the scenario of embedding app sheets in external web applications. There are also security rules reserved for cloud credentials and On-Demand App Generation (ODAG), which were not yet provided as out-of-the-box functions at the time of writing (March 2017).

     

    Administrative User Groups


    When you would like to define your own group or role, it is convenient to create one based on the existing security rules which fall into the category of Administrative User Groups. There are the following four administrative user groups defined by security rules in the default install (the definition of RootAdmin is included in the read only security rules):

     

    1. Audit Admin
    2. Content Admin
    3. Deployment Admin
    4. Security Admin

     

    Typically, two security rules are defined as a pair for each group. For example, there are the following two security rules for Audit Admin:

     

    1. AuditAdmin – Controls access rights to entities and resources. (For some other roles, rules on specific resources such as apps and security rules are defined separately.)
    2. AuditAdminQmcSections – Controls access rights to sections in the QMC. (Without this rule, all sections in the QMC are grayed out.)

     

    It is good practice to follow this structure of the existing rules when you create your own custom user groups.
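As an added illustration (not from the original article), here is how a custom administrative group could follow the same two-rule structure. The role name StreamAdmin, the rule names, the resource filters and the QMC section name are assumptions made for this example:

```text
# Rule 1 - entities and resources (assumed name: StreamAdmin)
# Lets members of the role manage stream entities in the QMC.
Resource filter: Stream_*
Actions:         Create, Read, Update, Delete
Conditions:      ((user.roles = "StreamAdmin"))
Context:         Only in QMC

# Rule 2 - QMC sections (assumed name: StreamAdminQmcSections)
# Without this rule the Streams section stays grayed out even though
# rule 1 already grants access to the stream entities themselves.
Resource filter: QmcSection_Stream
Actions:         Read
Conditions:      ((user.roles = "StreamAdmin"))
Context:         Only in QMC
```

Keeping both rules restricted to the QMC context means the role grants no additional rights in the hub.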

     

    Tips for creating custom rules


    With this knowledge of the overall structure of the security rules installed by default, here are some tips and information for creating custom rules.

     

    • Security rule management is simpler and easier to maintain when you use existing directory attributes or Qlik Sense custom properties instead of hard-coding the IDs and names of specific resources. You can find resources detailing this topic at the following URLs:

     

     

    • You can shorten your path to what you want to achieve by utilizing examples. You can find some security rule examples at the following URLs:

     

     

    • With the auditing function, you can execute queries to find out which security rules affect which resources. This is very useful when you would like to identify the rules associated with a specific resource, or when you want to make sure that your custom rule is working as expected.
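To illustrate the first tip above (an added example, not from the article), here is the same stream read access written first with a hard-coded stream ID and then with attributes. The custom property names Department and AccessGroup, the user directory ACME, the user jdoe and the placeholder stream ID are all assumptions:

```text
# Brittle: one rule per stream and per user, and it breaks if the stream is
# deleted and recreated, because the new stream gets a new ID
Resource filter: Stream_<STREAM-GUID-PLACEHOLDER>
Actions:         Read
Conditions:      ((user.userDirectory = "ACME" and user.userId = "jdoe"))
Context:         Both in hub and QMC

# Maintainable: the custom property "Department" is applied to both streams
# and users, so one rule covers every stream and follows changes made in the QMC
Resource filter: Stream_*
Actions:         Read
Conditions:      ((resource.@Department = user.@Department))
Context:         Both in hub and QMC

# Variant using a directory group instead of a user custom property: the
# stream's "AccessGroup" custom property names the directory group that may read it
Resource filter: Stream_*
Actions:         Read
Conditions:      ((resource.@AccessGroup = user.group))
Context:         Both in hub and QMC
```

After saving such a rule, run the auditing function on it to confirm that only the intended users resolve to Read on each stream.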