Qlik Community

Qlik Design Blog

All about product and Qlik solutions: scripting, data modeling, visual design, extensions, best practices, etc.

Announcements
QlikWorld, June 24-25, 2020. Free virtual event for DI and DA gurus. Register Now
Employee
Employee

When we developed the security rules for Qlik Sense, I didn’t anticipate the wide adoption of these for defining new administrative roles in the QMC. But now that Qlik Sense has been in the market for a while we can see that the need for distributing administrative tasks to users is something that is widely needed and used.

It is not strange that this is a requested feature as when we introduce self-service concept for the client why would you not want to have the same experience for administration.

So in this post I would like to share two tips and tricks that will help you create these distributed administration roles.

The first thing I’m going to cover is the general structure of defining an administration role.

Admin role.jpg

There are three parts to an administrative role: Defining the role using rules, assigning it to a user and defining the scope they should be able to administrate.

To define who should be admin we can use things like custom properties, roles and user directory attributes. Each having its own pros and cons.

To define the role, you may need up to five rules. One each to define what you are allowed to read, create, edit and delete and then you need a fifth rule to define the sections in the QMC that the user is allowed to see. Sometimes you can collapse multiple rules into one, such as when the user is allowed to read and delete the same resources, then you only need one rule. The only rule that you should keep separate is the create rule, this will avoid some simple mistakes.

For the custom roles you often want to limit their scope by using some type of filter on resources. Typical things we see customers filter on is custom properties, streams, ownership and name. For example, to create a document admin you could filter on name of app or if you want to create a stream admin you will filter resources base on which stream they refer to.

You can find example roles in our documentation

The second thing I wanted to cover is that there are some common things that an administrator like to be able to do that require multiple permissions to resources. One example is duplicate. The table below should help you understand for what tasks multiple permissions are needed.

Adminstrative taskAppStreamApp.ObjectData ConnectionUserSyncTaskReloadTaskUserDirectory
ImportCreate and UpdateCreate (if new data connection in the imported app)
Start UserSyncTaskReadUpdate
Start Reload TaskUpdateRead
Duplicate app in QMCRead and CreateRead (Otherwise App will be duplicated but only app objects that the user has read access on will be included on duplicated app)
Publish appRead and PublishRead and PublishRead (Otherwise App will be published but only app objects that the user has read access on will be published)
Publish and replaceRead, Update and PublishRead and PublishRead and Update

I hope that you found these tips on creating custom administrative roles helpful. If you have questions on this blog post or have ideas of what you want to read about in the future, please don’t hesitate to add comments to post

8 Comments
Employee
Employee

Thanks Fredrik for this super usefull post. 

0 Likes
719 Views
Partner
Partner

As usually a really good post from you Fredrik, thanks a lot..

//Gonza

0 Likes
719 Views
Creator
Creator

Thanks for the post.

Do you know if it's possible to make a person and admin, capable of duplicate app's in the hub also?

0 Likes
719 Views
Luminary
Luminary

Fredrik is the authority here, but from what I have seen you can only duplicate apps that you own yourself. No way around this in current Sense versions, AFAIK. Would love to be corrected on this though - I am also missing that feature.

719 Views
Employee
Employee

It is currently only possible for a owner of an app to duplicate app in the hub even if you grant them the same permissions that enable them to do in the QMC.

719 Views
Employee
Employee

Create a tsak is not present What right are needed ?
- Access QMC Menu

- Read, Update APP

- and what more ?

0 Likes
719 Views