Nov 11, 2021 9:50:57 AM
Jan 2, 2017 7:57:16 PM
This article explains the concept of security rules in Qlik Sense.
Before anyone can use the Qlik Sense system, in most cases you want to know who the user is; we call this authentication.
The next step is to assign the user access rights based on this userId; we call this authorization. Both developers and users communicate with Sense via the Proxy (think of it as a web server that performs the authentication step: who are you?).
After the authentication (who are you?) you need to think about how you want to integrate the authorization (what can you do and see?). The keys you want to protect in Sense are called resources. Example resources are
On the client side, called the hub context:
On the admin side, called the management console (QMC) context:
There is no mandatory structure you have to follow in Sense. Qlik has designed a very flexible approach in which each "thing" in Sense is a resource. If you want to "use" it, you need a "key" that allows you to access that resource. In Sense, security rules protect the resources above, and they have the following logic:
In other words:
Example Admin 1
Example End-user 1
Let's illustrate this with the example of a city (a Sense server). It consists of
Most people can only enter 1 house and all rooms. But in order to arrive at your room, you will have to drive through your street, open the house and enter your room.
Minimum requirements of the security rule
You always need access to a stream before you can open the app, or view the resources inside an app:
Important to remember: if you want to see a chart, you always need to create one or more security rules that together provide access to all of the above resources (stream, app, app.object).
Each resource always knows who its parent is. So you can make a security rule that says
Now the user is authorized to see the stream. The next step is to grant him access to the app and app.object with this rule:
Sense security is based on Attribute-Based Access Control (ABAC). Each time a user requests access to a resource, Qlik Sense evaluates the request against the security rules in the Qlik Sense system. If at least one rule evaluates to True, Qlik Sense gives the user access according to the conditions and actions described in the security rule. If no rules evaluate to True, the user is denied access. Because Qlik Sense security rules are property-based, Qlik Sense is very scalable: you can build rules based on properties that apply to groups of users. In most BI systems you need to create a role for each organizational value (Spain, France etc.); this is not needed with Sense. Qlik Sense just uses a variable-to-variable comparison: e.g. if your Active Directory group (or a group provided by ticket/SAML) matches some property of the stream/dashboard, you are allowed access. For more information about security rules see this video or the Qlik Sense help.
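A simplified Python model of the evaluation described above, added here as an illustration; it is not Qlik's rule engine or its rule syntax. The names `Rule`, `allowed`, `can_view_chart` and the `department` property, as well as the sample users and resources, are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Resource:
    kind: str                            # "Stream", "App" or "App.Object"
    name: str
    props: dict = field(default_factory=dict)
    parent: Optional["Resource"] = None  # each resource knows its parent

@dataclass
class User:
    user_id: str
    groups: frozenset                    # e.g. directory, ticket or SAML groups

@dataclass
class Rule:
    kinds: set                           # resource types the rule covers
    actions: set
    condition: Callable[[User, Resource], bool]

def allowed(user, res, action, rules):
    """Default deny: granted only if at least one matching rule is True."""
    return any(res.kind in r.kinds and action in r.actions
               and r.condition(user, res) for r in rules)

def can_view_chart(user, chart, rules):
    """A chart needs read on the whole chain: app.object, app and stream."""
    node = chart
    while node is not None:
        if not allowed(user, node, "read", rules):
            return False
        node = node.parent
    return True

def build_rules():
    rules = [Rule({"Stream"}, {"read"},  # user group vs. stream property
                  lambda u, r: r.props.get("department") in u.groups)]
    rules.append(Rule({"App", "App.Object"}, {"read"},  # inherit from parent
                      lambda u, r: allowed(u, r.parent, "read", rules)))
    return rules

# Constructed sample data (hypothetical stream, app, chart and users)
stream = Resource("Stream", "Finance", {"department": "Finance"})
app = Resource("App", "Budget", parent=stream)
chart = Resource("App.Object", "Revenue chart", parent=app)
alice, bob = User("alice", frozenset({"Finance"})), User("bob", frozenset({"HR"}))
```

A rule set that only covers `App.Object` makes `allowed` return True for the chart itself, while `can_view_chart` still returns False because nothing grants the stream and the app.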
If you don't have a key you won't get in, just like with your house. If you have a key you can enter your house and all the rooms inside it. (Access to the stream? Yes? OK, then you might see all the dashboards.)
So for Qlik Sense, if you have access to a stream maybe you want to show the user all dashboards inside the stream. In this way you keep the security concept very simple and effective. As a starting point it is recommended to give each department (HR, Finance) or customer (Customer A, Customer B) its own stream.
So Qlik Sense can give users access to a dashboard, and define whether he/she can use/edit/create sheets, stories, bookmarks etc. For example, if the user does not have access (that is, no security rule evaluates to true for that user), he/she won't see the edit or bookmark button in Sense.