Understanding the security rules included in the Qlik Sense default install
This article is intended as a guide for those who are starting to work on Qlik Sense security rules to get familiar with the security rules included in the default install. By capturing an overall picture of security rules in a structured manner, you will be able to pin down the security rules you need to customize with less effort.
The explanations here are based on the list of the Qlik Sense security rules uploaded to the following site:
At a high level, the security rules can be categorized into the following groups:
Read Only Security Rules
Default Security Rules
Administrative User Groups
The security rules included in the default install are either read only or default. The read only rules can be neither modified nor disabled, so there is not much you can do with them for customizing, other than looking into them when you need to understand the predetermined system behaviors.
In most cases, the rules you need to work on are the default security rules, so let us focus on those below.
Default security rules
Among the default security rules there are two types: Resources and Administrative User Groups.
Security rules that fall into the Resources category are the ones you need to work on most often. You can find a set of rules for each resource, as follows:
Who can create apps? -> CreateApp
Who can export data from apps? -> ExportAppData
Who can read which apps published to a stream -> Stream
Who can create which app objects (sheet, stories, bookmarks and snapshots)?
What owner of a resource can do to the resource -> Owner
Apart from these rules, there is a HubSections rule, which removes the “Open Hub” link in an app, primarily for the scenario of embedding app sheets in external web applications. There are also security rules reserved for cloud credentials and On-Demand App Generation (ODAG), which were not yet provided as out-of-the-box functions at the time of writing (March 2017).
Administrative User Groups
When you would like to define your own group or role, it is convenient to create one based on the existing security rules that fall into the Administrative User Groups category. The following four administrative user groups are defined by security rules in the default install (the definition of RootAdmin is included in the read only security rules):
Typically, a pair of security rules is defined for each group. For example, there are the following two security rules for Audit Admin:
AuditAdmin – Control access rights to entities and resources. (For some other roles, rules on specific resources such as apps and security rules are defined separately.)
AuditAdminQmcSections - Control access rights to sections on QMC. (Without this rule, all sections on QMC are grayed out.)
It is good to follow this structure of existing rules when you create your own custom user groups.
Tips for creating custom rules
With this knowledge of the overall structure of the security rules installed by default, here are some tips and information for creating custom rules.
Security rule management is simplest and most maintainable when you use existing directory attributes or Qlik Sense custom properties instead of hard-coding the ids and names of specific resources. You can find resources detailed on this topic at the following URLs:
With the audit function, you can run queries to find out which security rules affect which resources. This is very useful when you want to identify the rules associated with a specific resource, or when you want to check that your custom rule is working as expected.
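As an added illustration of the two tips above (the AuditAdmin-style rule pair for a custom group, and custom properties instead of hard-coded ids), here is a constructed set of rules written out in the fields of the QMC security rule editor. It is not part of the original article or of Qlik's defaults: the role name DeptAdmin, the custom property Department and the QmcSection_ resource names are assumptions, so check the resource filter of the AuditAdminQmcSections rule in your own install for the exact section names.

```text
# Constructed example, not a Qlik default rule. Assumes a user role "DeptAdmin"
# and a custom property "Department" applied to both users and resources.

# Rule 1 of the pair: entities and resources (same role as the AuditAdmin rule)
Name:            DeptAdmin
Description:     Read access to apps and reload tasks tagged with the user's department
Resource filter: App_*, ReloadTask_*
Actions:         Read
Context:         Both in hub and QMC
Conditions:      ((user.roles = "DeptAdmin") and (resource.@Department = user.@Department))

# Rule 2 of the pair: QMC sections (same role as AuditAdminQmcSections;
# without it the Apps and Tasks sections stay grayed out for this group).
# Section resource names are assumed; copy them from your AuditAdminQmcSections rule.
Name:            DeptAdminQmcSections
Description:     Expose the QMC sections the DeptAdmin group needs
Resource filter: QmcSection_App, QmcSection_Task
Actions:         Read
Context:         Only in QMC
Conditions:      ((user.roles = "DeptAdmin"))

# Stream access keyed on the custom property rather than on a stream id,
# so new department streams need no rule change, only the property value.
Name:            DeptStreamRead
Description:     Users see the streams of their own department
Resource filter: Stream_*
Actions:         Read
Context:         Both in hub and QMC
Conditions:      ((resource.@Department = user.@Department))
```

After saving the rules, run the audit for a test user against the App and Stream resources to confirm that only the expected department resources are granted and that no default rule widens the result.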