Creating Team administrators in Qlik Sense


Author: jbc

Intro

In Qlik Sense, the QMC is used to administer content and perform certain administrative actions. In many cases you may wish to allow a user to self-administer the content of a group of users (such as their department) without giving them access to the whole QMC or all the content.

This document outlines how to set up a “Team Admin” role in the QMC. The target is:

  • To enable a user to be the administrator for a team of users/selection of apps
  • The user should be able to see the relevant sections in the QMC
    • Apps – including publishing, deleting and importing
    • Viewing App Content
    • Viewing and creating Tasks (but only for the above apps)
    • View data connections
    • View content libraries
  • The team admin needs to be able to see both apps published to set streams and any apps owned by a group of users

To avoid creating too many rules, the security rules need to be generic. The aim is to allow several admins for the same team, one admin for several teams, or several admins each for their own team, without having to keep maintaining rules or settings. There are several ways to do this, but using Custom Properties is likely to be the most efficient in many cases, and it is the approach used in the examples below.

Identifying which published apps can be administered is simple (it's just picking the right streams), but selecting apps that are not published means identifying an attribute of the user who owns the app, ideally one that avoids too much management. In this example a group will be used; this could be a group from Active Directory/LDAP, etc.

Note: These instructions use a feature that was added in Qlik Sense 2.1.1. The rules are still valid for prior versions; however, the ability to add multiple values to custom properties allows for less complex rules and easier management.

How to implement it

Setting up Custom Properties

Custom properties will be used to identify which content the user can administer. You will apply a custom property to a stream and to the user and these will need to match.

Create the following custom properties:

Name: TeamAdminFor

Resource Types Applicable to:  Users

Values:  Sales, Finance, Marketing   (specify your values here, ideally matching your group names too)


Name: Department

Resource Types Applicable to: Streams

Values:  Sales, Finance, Marketing   (specify your values here, ideally matching your group names too)

Now that you have created these, apply the values to the users and streams. To do this, edit the Stream, select custom properties and apply the Department value as needed, then repeat for the user you want to be the team admin by setting the TeamAdminFor value. You can use multiple values in these lists too, so you could make one user the admin for several departments (only with Sense 2.1.1 and above).

Create the rules

In this section you will create the rules that give the user access. It's a good idea to test after each rule to make sure it is working as expected. To keep the rules easier to read, four rules are created: one to define the sections visible in the QMC, one to define what the user can read, one for create and one for edit.

1 - Access to sections in the QMC

This rule dictates which sections of the QMC can be seen; it gives no access to any actual data.

Name: TeamAdmin_QMCsections

Resource Filter: QmcSection_App, QmcSection_DataConnection, QmcSection_ContentLibrary, QmcSection_App.Object, QmcSection_Task, QmcSection_ReloadTask, QmcSection_Event, QmcSection_SchemaEvent, QmcSection_CompositeEvent

Comment: This gives access to apps, data connections, content libraries and tasks with all the associated parts. Add or delete sections as required.

Conditions: ((!user.@TeamAdminFor.empty()))

Comment: As long as a non-empty value is set in the user's TeamAdminFor property, the user will have access to the QMC.

Context: QMC Only

Actions: Read

Test this rule: any user with TeamAdminFor set should now see some, but not all, sections in the QMC, but won't see much data (they will probably see the same apps they see in the hub).

2 - What the user can create

This rule dictates what the user can create.

Name: TeamAdmin_Create

Resource Filter: App*, ReloadTask*, SchemaEvent*, CompositeEvent*, ExecutionResult*, DataConnection*

Comment: This allows users to create apps and reload tasks (plus triggers). If users can import apps then they will need to be able to create data connections too, as these are created during import.

Conditions: ((!user.@TeamAdminFor.empty()))

Comment: As long as a non-empty value is set in the user's TeamAdminFor property, the user will have the ability to add the above.

Context: QMC Only

Actions: Create

After this rule you should see the create/import buttons appear in the QMC.

3 - What the user can Read

This rule will dictate the entries the user can see listed in each of the QMC sections. Remember the aim in this example is to allow the team admin to see any published apps in the streams they look after AND any apps created by users in a specific group.

The edit and read rules are very similar, however it is best to single out edit and read rights as different rules as you will most likely need to let the admin read values but not edit them

Name: TeamAdmin_Read

Resource Filter: Stream*, App*, ReloadTask*, SchemaEvent*, Tag*, CompositeEvent*, ExecutionResult*, CustomProperty*

Comment: This allows users to read apps and reload tasks (plus triggers).

Conditions:

(
((resource.resourcetype="App" or resource.resourcetype="App.Object") and (resource.stream.@Department = user.@TeamAdminFor or resource.owner.group = user.@TeamAdminFor))
or
(resource.resourcetype="ReloadTask" and (resource.app.stream.@Department = user.@TeamAdminFor or resource.app.owner.group = user.@TeamAdminFor))
or resource.resourcetype ="SchemaEvent" or resource.resourcetype ="CompositeEvent" or resource.resourcetype = "Tag" or resource.resourcetype ="ExecutionResult"
)

Comment: This rule says that if the resource is an App then either the stream's Department or the app owner's group must match the user's TeamAdminFor value. The rule is in two sections because we want to show both apps AND the tasks that belong to the apps.

Context: QMC Only

Comment: You could change this to Hub and QMC, but that would mean the user would see the apps from everyone in their team in their hub, which you might want to avoid.

Actions: Read

After this rule you should be able to see all the applicable apps and associated tasks, etc.

4 - What the user can Edit

This rule will dictate the entries the user can edit (edit,publish,delete etc) in each of the QMC sections. Remember the aim in this example is to allow the team admin to administer any published apps in the streams they look after AND any apps created by users in a specific group.

The edit and read rules are very similar, however it is best to single out edit and read rights as different rules as you will most likely need to let the admin read values but not edit them

Name: TeamAdmin_Edit

Resource Filter: App*, Stream*, ReloadTask*, SchemaEvent*, CompositeEvent*, ExecutionResult*

Comment: This allows users to edit apps and reload tasks (plus triggers).

Conditions:

(
((resource.resourcetype="App" or resource.resourcetype="App.Object") and (resource.stream.@Department = user.@TeamAdminFor or resource.owner.group = user.@TeamAdminFor))
or
(resource.resourcetype="ReloadTask" and (resource.app.stream.@Department = user.@TeamAdminFor or resource.app.owner.group = user.@TeamAdminFor))
or resource.resourcetype ="SchemaEvent" or resource.resourcetype ="CompositeEvent" or resource.resourcetype = "Tag" or resource.resourcetype ="ExecutionResult"
)

Comment: This rule says that if the object is an App then either the stream's Department or the app owner's group must match the user's TeamAdminFor value. The rule is in two sections because we want to show both apps AND the tasks that belong to the apps.

Context: QMC Only

Comment: You could change this to Hub and QMC, but that would mean the user would see the apps from everyone in their team in their hub, which you might want to avoid.

Actions: Update, Delete, Export, Publish, Change owner

After this rule the team admin should be able to edit, delete, publish and change owner, etc. on apps.

Note that the user may see apps in the QMC on which they cannot perform the admin actions. This is because they may have been given access to read those apps in the hub, and these will display in the QMC; however, they will be read-only.
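The TeamAdmin_Edit condition can be checked offline against sample resources before it is deployed. The following is an added example, not part of the original document and not Qlik's rule engine: the dictionary layout, the function names and the "any shared value" reading of = on multi-valued properties are assumptions. It shows which branch of the condition scopes by team, and that the SchemaEvent, CompositeEvent, Tag and ExecutionResult branch carries no team comparison.

```python
# Simplified model of the TeamAdmin_Edit condition (not Qlik's rule engine).
# Assumption: "=" on multi-valued properties is true when any value is shared.

def matches(a, b):
    """True when the two value collections share at least one value."""
    return bool(set(a) & set(b))

def app_in_scope(app, user):
    """Stream Department or owner group must match the user's TeamAdminFor."""
    stream = app.get("stream") or {}          # unpublished apps have no stream
    return (matches(stream.get("Department", []), user["TeamAdminFor"])
            or matches(app["owner"]["group"], user["TeamAdminFor"]))

def team_admin_edit(resource, user):
    """Mirror of the three branches of the TeamAdmin_Edit condition."""
    rtype = resource["resourcetype"]
    if rtype in ("App", "App.Object"):
        return app_in_scope(resource, user)
    if rtype == "ReloadTask":
        return app_in_scope(resource["app"], user)
    # Third branch: the condition has no team comparison for these types.
    return rtype in ("SchemaEvent", "CompositeEvent", "Tag", "ExecutionResult")

# Constructed sample data (hypothetical users, apps and tasks).
sales_admin = {"TeamAdminFor": ["Sales", "Marketing"]}
published_sales = {"resourcetype": "App", "stream": {"Department": ["Sales"]},
                   "owner": {"group": ["IT"]}}
unpublished_finance = {"resourcetype": "App", "stream": None,
                       "owner": {"group": ["Finance"]}}
finance_task = {"resourcetype": "ReloadTask", "app": unpublished_finance}
finance_trigger = {"resourcetype": "SchemaEvent", "task": finance_task}

def evaluate_samples():
    """Evaluate the modelled condition for the Sales/Marketing team admin."""
    return {name: team_admin_edit(res, sales_admin) for name, res in [
        ("published_sales", published_sales),
        ("unpublished_finance", unpublished_finance),
        ("finance_task", finance_task),
        ("finance_trigger", finance_trigger)]}

if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{name:20} {'ALLOW' if allowed else 'deny'}")
```

In this model the Finance app and its reload task are out of scope for the Sales admin, while the trigger attached to that task still satisfies the condition. The Audit page in the QMC is the place to confirm what the deployed rules actually grant.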

Comments
Not applicable

Hi Marcus,

This was very helpful. I would like to add something as it may be a pain point for others. After I implemented the rules, unfortunately the triggers were not exposed for the tasks for the team admins. In order to open up the task triggers in the QMC, I had to add the following to the end of the Resource Filter of the TeamAdmin_QMCsections security rule: , SchemaEvent_*. Hope this helps!

Mark

0 Likes
bruno_martins_l
Contributor

Hello,

I have a problem: when the TeamAdmin user wants to publish and replace another application in the stream, he doesn't have the rights. Do you have any idea?

Kind regards,

Bruno

0 Likes
somenathroy
Contributor III

Hi Marcus,

Thanks for a very helpful post.

I am facing a problem: when a department admin tries to publish an app, only the 'Everyone' stream appears in the drop-down. How can we get all streams applicable to this user in this drop-down?

Thanks,

Som

0 Likes
Not applicable

Hi Marcus - really useful post, thanks!

When I implement this, I'm having issues changing the application owner.  I'm able to delete the existing owner, however I don't get the drop down list of users, and if I free type the owner, I get the red error box saying "This is not a valid value".

Thanks,

Sean

0 Likes
Partner
Partner

Hello,

I have an error when creating the reload task.

Does anyone have an idea about this error?

Best Regards,

Loiuis

0 Likes
nauzaddoctor
New Contributor

Hi Sean,

I've got the same issue as yourself. The ContentAdmins can't change the ownership of an App currently. Have you figured out what's causing this?

Regards,

Nauzad

0 Likes
karthiks_dwbi
Contributor III

I have the same issue. I only see the Everyone stream. How can I see other streams?

0 Likes
Not applicable

Hi.

For the stream to be available in the selection list this example worked for me, combined with QMC access rights as explained above:

Security rules example: Creating QMC content admin roles ‒ Qlik Sense.

I hope it helps you too.

Alexandra

0 Likes
kchap
New Contributor

Hello- We implemented these security rules in our Qlik Sense environment and it was working fine until the June 2017 upgrade, since then it is extremely slow for some users, and for others it returns an error message stating "The 'GetCount' operation failed". Is anyone using this in the June 2017 release?

0 Likes
briangaines
New Contributor

Can you explain how this concept could be implemented using AD groups instead of or in conjunction with Custom Properties?

0 Likes
Version history
Revision #:
1 of 1
Last update:
‎2015-12-23 03:00 PM
Updated by:
Employee