Qlik Community

Qlik Design Blog

All about product and Qlik solutions: scripting, data modeling, visual design, extensions, best practices, etc.

QlikWorld, June 24-25, 2020. Free virtual event for Data Integration and Data Analytics gurus. Register Now


Hello Qlik Community, in this post I have the pleasure of introducing Marcus Spitzmiller. Marcus is a member of the Qlik Enterprise Architecture team focusing on enterprise deployments and best practices.  His areas of expertise include scalability and performance, deployment best practices, integration, and security.  Marcus has been with Qlik for 6.5 years. In this post he will introduce you to Qlik Sense Stream management, covering security rules and exception management.

Managing Qlik Sense Streams

At the center of Qlik Sense’s security is an attribute based access control component called the Security Rules Engine.  Qlk’s Product Manager for security, Fredrik Lautrup, ( flp )  does a great job of explaining just what that means here (https://community.qlik.com/blogs/qlikviewdesignblog/2015/03/10/why-security-rules-in-qlik-sense).

Administrators of Qlik Sense can leverage attributes about users, applications, streams, data connections and much more to govern user authorization (that is, who can do what) via the Security Rules Engine.

Qlik’s Michael Tarallo (@mto) has produced a number of great videos that describe the Qlik Management Console and the functions available within it here (https://community.qlik.com/docs/DOC-7144), and I would encourage you to review those videos in the “Management Console (QMC) Series” if you don’t yet have an understanding of concepts like Streams, Custom Properties, and User Directory Connectors.

In this video I show how you can effectively use the power of the Security Rules Engine to manage multiple groups of users, multiple streams, and do so with as little administrative maintenance as possible. 

Be on the lookout for the following best practices leveraged within this video:

  • - Build “Many to Many” Security rules to enable one stream security rule to govern many streams and many users at once.
  • - Use Custom Properties to avoid hard coding of values into Security Rules.
  • - Avoid changing the out of the box rules.  If you need to change a rule’s default behavior, disable the rule and make a copy of it.
  • - Finally, manage collections of things before you manage the thing itself.  With the concepts I detail in this video, you can manage many streams, many groups, (and by extension many data connections, and more) with little administrative overhead, and manage individual things (like applications) as an exception.

The Security Rules Engine is a tremendously powerful component of the Qlik Sense architecture, and your deployment requires planning.  As a general guideline, if you find yourself thinking “there has got to be a better way”, there probably is!  That is your cue to reach out to the many Qlik resources you have available to you through QlikCommunity, Qlik Education, Qlik Partners, Qlik Consulting, and Qlik Sales teams.

Enjoy the video!



Hi Marcus,

Thank you for this nice summary. I tried this approach and have a question on how to handle the admin roles if a custom property is used for security purposes.

The thing is that Content Admin can in fact assign a custom property value, and so essentially manage the security. Is there a solution for this situation, other then not using default Content Admin and creating a unique admin role?

Best regards,



Hi Radovan, sorry for the delay.  I didn't see this until now.

So whether you use the approach I described or out of the box behavior, it is true that ContentAdmin has access to custom properties, and really the intent of the ContentAdmin role is described well in the description of the ContentAdmin definition itself:

"Content admin should have access rights to manage security rules for streams, data connections, content libraries and extensions"

So this is just an extension of that intent.  If you would like some modified behavior of the ContentAdmin role, I suggest you look at the ContentAdmin, ContentAdminQmcSections, and ContentAdminRulesAccess rules to see how you might modify their function.  (I like to not change the default rules, but disable and create new with the same, but modified values.)

Does that help?


Not applicable

Hi msi‌ and thanks for this.

Trying to follow this example but can't figure out one thing.

I do everything as you do and I can decide weather a user should see a specific App or not... But that user can't see any sheets within the App, shouldn't that be the case?

I have Sense



Or do you just add, to the apps default rule, below?

Seems to work.



That will work, or you can just do "App*" as well. 

Not applicable

Great video to manage streams, apps !


Hi Marcus,

First of all, thank you for the great video ! That's exactly what I was searching for.

Now, I followed every step and noticed a thing; if I connect with a user which can't see the 'app3' (have no custom property 'appLevelMgmnt', to edit a sheet, I have to duplicate it (that's how it is supposed to be)

Now, if connect to the Hub with a user that have is an executive (who can see the app3), I noticed that I can edit the sheet directly without the need of duplicating it which can cause some troubles !

Moreover, the root admin with whom I've published the Apps in the streams, can see all the applications in every stream and edit any sheet without duplicating it. And I haven't associated him with any of my custom properties !

Here are my 2 rules:


(resource.resourcetype = "App" and resource.stream.HasPrivilege("read") and


or ((resource.resourcetype = "App.Object" and resource.published ="true")

and resource.app.stream.HasPrivilege("read"))



resource.stream.HasPrivilege("read") and ((user.@AppLevelManagement=resource.@AppLevelManagement))

What do I have to change to force every user to duplicate a sheet before editing it?