
Qlik Support Updates Blog

Important and useful support information about end-of-product support, new service releases, and general support topics.

Support

Security rules are a very powerful tool intended to assist Qlik Sense administrators in managing access to Qlik Sense features. Using these rules administrators can manage not just the ability to access or create applications, but almost all features of the product including data connections, streams and even individual components of the Qlik Management Console.

 

This allows administrators to define user and administration roles that closely match their organisation's needs rather than relying on the out-of-the-box user model. Unfortunately this comes at a cost: whenever a user logs in or opens a page, every relevant security rule has to be evaluated to determine the correct access rights for that screen. This can lead to long load times and poor performance, especially in large systems.

 

This blog post summarises the default user model Qlik Sense ships with, then takes a closer look at how security rules are evaluated and cached. Together this gives administrators a framework for getting the most out of their system and, where possible, reducing unintended performance impacts on users.

 

The Default Security Rules

Qlik Sense ships with a set of default security rules that provide a set of administration roles and user roles for organisations to use and modify to meet their own needs.

 

When you first log in to a fresh installation of Qlik Sense September 2019, you will be greeted with a set of 63 rules which all work together to create that initial user model.

 

Broadly speaking the model works as follows (some of these are built-in, read-only rules that cannot be changed and are always in effect; they were marked in bold in the original post):

In the Hub:

  • Users can create apps
  • Owners of items can see those items
  • If you can read a stream, you can read all apps published to the stream
  • If you can read an app, you can read the content of that app
  • If you can update an app, you can update the contents of that app
  • If you can read an unpublished app, you can create objects that are part of that app
  • If you can read a published app, you can create some objects on that app
  • Everyone has access to the Everyone Stream
  • Administrators have access to the Monitoring Apps stream

 

In the QMC:

  • The Service Account has access to everything
  • The Root Administrator has access to everything
  • Audit Administrators have access to audit sections and entities
  • Content Administrators have access to content section, entities and connection related security rules
  • Deployment Administrators have access to deployment sections and entities, apps (to manage load balancing) and license rules
  • Security Administrators have access to security sections and entities

 

As you can see there are two separate contexts for rules, and for the most part the administrator roles only affect the Qlik Management Console. This is because all administration activity is expected to happen in the QMC and not in the hub. It is possible, and in some cases desirable, for your root administrator to operate entirely without an assigned licence, though this does prevent them from using the monitoring applications.

 

One final note about security rules in Qlik Sense: rules can only ever add privileges, they can never take them away. A user ends up with the union of everything every matching rule grants, so there is no such thing as a deny rule, and an over-broad rule (one whose condition is satisfied by every user and whose resource filter covers everything) hands out access that no other rule can claw back. Keep this in mind when designing your access model: think in terms of what users can do rather than what they cannot do, and the structure of your rules will flow much more easily.

 

Security Rule Evaluation

 

Let’s go a little deeper and focus on how the system evaluates security rules.

Every rule has a set of attributes that are used during evaluations:

  • Context (Does this rule apply in the QMC, the Hub or both)
  • Resource Filter (The parts of the system the rule covers)
  • Actions (The privileges the rule grants)
  • Conditions (The set of conditions that ultimately determine who is granted the actions)
  • A Score (A dynamically generated metric indicating how useful the rule is, the more

 

When a user accesses Qlik Sense, the system pulls only rules relevant to the current context and resources (for example, when accessing the hub, we need to evaluate the rules for a user’s apps, as well as the rules for streams).

 

The system also will retrieve the relevant resources (in this case all published applications, applications the user owns, and all streams) to evaluate the combination of rules, user and resources.

 

It runs through these rules in score order. The scores themselves are held only in memory, in the Security Rule Evaluation Cache, which means they are lost every time the system restarts.

 

Once it has finished evaluating the rules, the results are stored in the Security Rule Evaluation Cache so that the next time this user accesses the same page the system can simply retrieve the result of the calculation from the cache and if necessary only evaluate the rules on new apps.

 

The system will exit the evaluation early if the user has already been granted all the requested rights to a resource. For example: the Root Administrator will generally find most of the QMC will load very quickly because the rule evaluation is very simple. One of the oldest rules in any given system grants them all privileges on everything in the QMC, that rule will generally score very highly and so be evaluated very early and then there is no need to perform any further checking as rules can only add and not take away.

 

On the other hand, a limited user who has been granted access to only the Apps section of the QMC and a small handful of applications may find that the interface takes a very long time to load, as the system first needs to evaluate enough rules to grant access to the requested resource (i.e. in a system with no previous evaluation, the less access a user has, the longer the evaluation takes).
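To make the additive grants, the score ordering and the early exit concrete, here is a small Python model written for this post. It is not Qlik's code: the scoring formula, the resource-filter syntax (here a plain type prefix such as App*) and the rule set (loosely modelled on the default roles above, plus the stream custom-property pattern that comes up in the comments) are all constructed simplifications, as are the users and resources.

```python
"""Toy model of additive, score-ordered security rule evaluation.
Constructed example for this post; not Qlik's implementation."""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

ALL_ACTIONS = frozenset({"create", "read", "update", "delete", "export", "publish"})


@dataclass
class User:
    id: str
    roles: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)


@dataclass
class Resource:
    id: str
    type: str                           # e.g. "App", "Stream"
    attrs: Dict[str, str] = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    context: str                        # "QMC", "Hub" or "Both"
    resource_filter: str                # "*" or a type prefix such as "App*" (simplified)
    actions: FrozenSet[str]
    # None means "no condition": the rule grants its actions to every user
    condition: Optional[Callable[[User, Resource], bool]]
    score: int = 0                      # in-memory hit counter, never persisted

    def applies_to(self, context: str, resource: Resource) -> bool:
        if self.context not in ("Both", context):
            return False
        f = self.resource_filter
        return f == "*" or (f.endswith("*") and resource.type.startswith(f[:-1]))


class Evaluator:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)

    def evaluate(self, user: User, resource: Resource, context: str,
                 requested: FrozenSet[str]) -> Tuple[FrozenSet[str], int]:
        """Return (granted actions, number of rules actually evaluated)."""
        granted: Set[str] = set()
        evaluated = 0
        # Highest score first; sorted() is stable, so ties keep list order.
        for rule in sorted(self.rules, key=lambda r: r.score, reverse=True):
            if not rule.applies_to(context, resource):
                continue
            evaluated += 1
            if rule.condition is None or rule.condition(user, resource):
                granted |= rule.actions        # rules only ever add privileges
                rule.score += 1                # granting rules move up the order next time
                if requested <= granted:       # early exit: nothing left to grant
                    break
        return frozenset(granted), evaluated

    def reset_scores(self) -> None:
        """What a restart or complete cache invalidation does to the scores."""
        for rule in self.rules:
            rule.score = 0


def unconditional_wide_rules(rules: List[Rule]) -> List[str]:
    """Rules with no condition and an unrestricted filter. Because no rule can
    revoke a grant, such a rule silently gives its actions to everyone."""
    return [r.name for r in rules if r.condition is None and r.resource_filter == "*"]


# Constructed rule set. RootAdmin is deliberately last so the score ordering shows.
RULES = [
    Rule("Owner", "Both", "*", frozenset({"read", "update", "delete"}),
         lambda u, r: r.attrs.get("owner") == u.id),
    Rule("EveryoneStream", "Both", "Stream*", frozenset({"read"}),
         lambda u, r: r.attrs.get("name") == "Everyone"),
    # Stream custom property "ADGroup" must match one of the user's groups
    Rule("StreamByADGroup", "Both", "Stream*", frozenset({"read"}),
         lambda u, r: r.attrs.get("@ADGroup") in u.groups),
    Rule("DevelopersSeeApps", "QMC", "App*", frozenset({"read"}),
         lambda u, r: "Developer" in u.groups),
    Rule("RootAdmin", "QMC", "*", ALL_ACTIONS,
         lambda u, r: "RootAdmin" in u.roles),
]

APP = Resource("app-1", "App", {"owner": "alice", "stream": "Finance"})
FINANCE = Resource("stream-1", "Stream", {"name": "Finance", "@ADGroup": "FIN"})


def demo() -> Dict[str, Tuple[FrozenSet[str], int]]:
    ev = Evaluator(RULES)
    ev.reset_scores()
    root, dev = User("root", roles={"RootAdmin"}), User("dev", groups={"Developer"})
    alice, bob, fin = User("alice"), User("bob"), User("fin", groups={"FIN"})
    out = {}
    out["root cold"] = ev.evaluate(root, APP, "QMC", ALL_ACTIONS)      # 3 rules checked
    out["root warm"] = ev.evaluate(root, APP, "QMC", ALL_ACTIONS)      # RootAdmin now first: 1
    out["dev qmc"] = ev.evaluate(dev, APP, "QMC", frozenset({"read"}))  # limited user: 3
    out["alice hub"] = ev.evaluate(alice, APP, "Hub", frozenset({"read"}))
    out["bob stream"] = ev.evaluate(bob, FINANCE, "Hub", frozenset({"read"}))  # nothing matches
    out["fin stream"] = ev.evaluate(fin, FINANCE, "Hub", frozenset({"read"}))
    return out


if __name__ == "__main__":
    for k, (granted, n) in demo().items():
        print(f"{k:12s} granted={sorted(granted)} rules_evaluated={n}")
```

Two things worth noticing in the output: the root administrator's second evaluation touches a single rule once the RootAdmin rule has been scored up, while the user with no matching group has every applicable rule evaluated and still ends up with nothing; and alice, who only asked for read, is handed update and delete as well, because a matching rule grants all of its actions and nothing can subtract them.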

 

Finally, security rule evaluation takes place on a mixture of different nodes, some evaluations will take place on the node with the proxy you are connecting to, some will take place on the node with the engine, and some will take place on the central node.

 

In the case of QMC activity, all evaluations will take place on the central node, and in the case of very limited users, those evaluations will be relatively lengthy and complex. On larger systems this can lead to a rather slow user experience on the QMC. In extreme cases this can lead to the system becoming effectively unavailable on all nodes. In Qlik Sense September 2019 we have implemented 2 feature flags to increase the scalability of the QMC at the cost of reduced functionality.

 

See How to enable QMC Limits in Qlik Sense (KB 000086580) for details.

 

The Security Rule Evaluation Cache

 

In the previous section I mentioned the Security Rule Evaluation Cache, which stores the results of security rule evaluations in order to speed up future access. Why then does your system seem to slow down as more users and apps are added? After all, the cache should eventually cover all common system activities.

 

The cache is deliberately short lived: there are many circumstances under which it is partially or wholly invalidated, after which a full rule evaluation has to be performed again. This is because the cache must be correct; any time something changes (or could have changed) we cannot rely on it and must fall back to the slower approach.

 

There are basically 3 types of cache invalidation:

  1. Complete invalidation (The entire cache is discarded)
  2. User based invalidation
  3. Entity based invalidation

 

1. Complete Invalidation

  • Any change to security rules, load balancing or license rules
  • Any change to custom properties values (i.e. the potential possible values a custom property can be assigned)
  • When the system is restarted (the cache is never written to disk, and rules may have changed since the service last started)
  • If the connection to the database is disrupted

 

As these changes could have a wide ranging impact, the entire cache is discarded and must be rebuilt by user behavior.

 

When this cache is invalidated, the scores for every rule are also reset to 0, meaning that we also lose any optimizations gained since the session started.

 

2. User based invalidation

  • Any change to a user attribute (e.g. the user is added or removed from a group)
  • A user’s custom properties are changed

Rules are often based on user attributes; once the user changes we cannot be sure the cached results still apply, so we discard the cached results linked to that user. This is also what ensures that removing a user from a group revokes the access that group granted without waiting for a service restart.

3. Entity based invalidation

 

  • Almost any change to a single entity. (e.g. changing an app’s name or owner, approving a community sheet, renaming a data connection)

 

Much like with users, changing any aspect of an entity or resource that can be addressed in a rule means that we cannot ensure the cached results still apply for that entity, so we discard the cached results linked to it.
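The three invalidation types above, as an added worked example for this post (constructed model, not Qlik's cache or its repository log format). It caches results per (user, resource), keeps the rule scores in memory only, and walks through a user being removed from a group to show why the user-based invalidation matters: skip it and the stale entry keeps granting read. The group directory, stream custom property values and the single rule are assumptions.

```python
"""Toy model of the Security Rule Evaluation Cache and its three
invalidation types. Constructed for this post; not Qlik's implementation."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

Key = Tuple[str, str]   # (user id, resource id)


@dataclass
class RuleEvaluationCache:
    entries: Dict[Key, FrozenSet[str]] = field(default_factory=dict)
    scores: Dict[str, int] = field(default_factory=dict)      # rule name -> hits, memory only
    log: List[Tuple[str, str]] = field(default_factory=list)   # (type, detail), constructed log

    def lookup(self, user_id: str, resource_id: str):
        return self.entries.get((user_id, resource_id))

    def store(self, user_id: str, resource_id: str, granted: Set[str], matched: List[str]) -> None:
        self.entries[(user_id, resource_id)] = frozenset(granted)
        for name in matched:
            self.scores[name] = self.scores.get(name, 0) + 1

    # 1. Complete: a security, license or load-balancing rule changed, a custom
    #    property's value list changed, the service restarted or the DB connection dropped.
    def invalidate_all(self, reason: str) -> None:
        self.entries.clear()
        self.scores.clear()          # scores go too, so the warm-up starts over
        self.log.append(("Complete", reason))

    # 2. User-based: a user attribute (e.g. group membership) or the user's CPs changed.
    def invalidate_user(self, user_id: str) -> None:
        for key in [k for k in self.entries if k[0] == user_id]:
            del self.entries[key]
        self.log.append(("User", user_id))

    # 3. Entity-based: almost any change to one entity (name, owner, stream, ...).
    def invalidate_entity(self, resource_id: str) -> None:
        for key in [k for k in self.entries if k[1] == resource_id]:
            del self.entries[key]
        self.log.append(("Entity", resource_id))


# Constructed directory and stream custom properties. The one rule mirrors the
# "resource.stream.@ADGroup = user.group" pattern from the comments.
GROUPS: Dict[str, Set[str]] = {"fin": {"FIN"}, "bob": set()}
STREAM_ADGROUP: Dict[str, str] = {"finance": "FIN", "hr": "HR"}


def evaluate_rules(user_id: str, stream_id: str) -> Tuple[Set[str], List[str]]:
    """The slow path: full rule evaluation. Returns (granted, names of matching rules)."""
    if STREAM_ADGROUP.get(stream_id) in GROUPS.get(user_id, set()):
        return {"read"}, ["StreamByADGroup"]
    return set(), []


def access(cache: RuleEvaluationCache, user_id: str, stream_id: str) -> Tuple[FrozenSet[str], bool]:
    """Returns (granted actions, True if the answer came from the cache)."""
    hit = cache.lookup(user_id, stream_id)
    if hit is not None:
        return hit, True
    granted, matched = evaluate_rules(user_id, stream_id)
    cache.store(user_id, stream_id, granted, matched)
    return frozenset(granted), False


def scenario() -> Dict[str, object]:
    cache = RuleEvaluationCache()
    out: Dict[str, object] = {}
    out["first"] = access(cache, "fin", "finance")        # evaluated, read granted
    out["second"] = access(cache, "fin", "finance")       # served from the cache
    # fin is removed from the FIN group. Without a user-based invalidation the
    # stale entry keeps granting read: exactly the failure the invalidation prevents.
    GROUPS["fin"].discard("FIN")
    out["stale"] = access(cache, "fin", "finance")
    cache.invalidate_user("fin")
    out["after_user_inval"] = access(cache, "fin", "finance")
    # An entity invalidation drops only entries for that entity.
    access(cache, "bob", "hr")
    cache.invalidate_entity("finance")
    out["hr_still_cached"] = access(cache, "bob", "hr")
    # A rule change throws everything away, scores included.
    cache.invalidate_all("security rule edited")
    out["entries_after_complete"] = len(cache.entries)
    out["scores_after_complete"] = dict(cache.scores)
    out["log"] = list(cache.log)
    GROUPS["fin"].add("FIN")    # restore the constructed directory
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:22s} {v}")
```

The "stale" step is the one to remember when someone reports that a group or stream change only takes effect after a reboot (as in the comments below): it is the symptom of a user- or entity-based invalidation not reaching every node, and the fix is to get the invalidation flowing again, not to lengthen the cache.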

 

In Qlik Sense February 2019, additional logging was implemented to record when a cache invalidation occurs along with its type (Complete, User, Entity)

 

Recommendations/Best Practices:

 

If you want to provide the best performance for your users try to make rule changes near scheduled downtime, when the cache is already going to be invalidated due to a service restart.

 

To reduce the number of evaluations that need to take place, try to ensure you have a regular clean up process where you export and delete old apps that are no longer in use.

 

Limited users in the QMC should also have a very limited scope, i.e. only get access to one or two sections. Where possible try to centralise QMC activities to a smaller number of administrators rather than expand access to the entire user base. In a large organization it is better to have a small number of administrators and a ticket system than to grant every developer access to the QMC for small scale task management.

12 Comments

Great content! Congrats.  🙂

Is there anything to complement about Load Balancing Rules? There are a few use cases that I've seen that I had trouble with. Examples:

- A specific Stream be linked to a specific Node;

- Unpublished apps linked to a specific Node;

- A group of users be able to share their unpublished apps;

Thanks in advance.

Support

Hi,

Check out this video. Levi covers some of the above toward the end of the video.

 

https://www.youtube.com/watch?v=h5nBdt969XI&t=1215s

Bill

Support

Hopefully that video is helpful Eduardo and you are right, load balancing rules are a good candidate for a similar post.

That said, your last scenario is not possible without a configuration change for the capability service. In order to improve hub performance we pre-filter the list of apps for the hub. We only evaluate the rules for apps the current user owns, and published apps. Otherwise the read rights would need to be checked for every single app, which can be much much slower once you have a large number of apps on your system.

If you do want to re-enable the old behaviour, you can follow the instructions on https://support.qlik.com/articles/000068297


Thank you so much @Andrew_Delaney and @Bill_Britt  ! 🙂

Carlos_Rodriguez
New Contributor

Great article Andrew

We are going through a problem here that seems related to security rules.  If we try to give a user a role, or access to a stream, this user does not get access.  It only seems to work after rebooting the server.  We might have an issue with our security rule evaluation cache.  Thank You for shedding some light on this issue!!

 

 


Hi @Carlos_Rodriguez , we had a customer who was complaining about the exact same thing. If  @Andrew_Delaney  could give us a light on that it would be really helpful.

rohitk1609
Valued Contributor III

I have few questions here:

1. How can I check the result of this: "In Qlik Sense February 2019, additional logging was implemented to record when a cache invalidation occurs along with its type (Complete, User, Entity)"?

2. Can we check the score we talked about in article ?

3. As we talk about keeping as few admins as possible, is there any way that a user can access certain sections without having any role, like root or security admin?

4. The article you suggested has two sections:

The first is QMC Start Page Limited. This flag turns off the counters present in the QMC, the ones intended to show the number of apps, app objects and other information about the system.

Can you tell me what exactly it turns off? A snapshot would be very helpful.

The second is QMC Self Service Limited and has a much more significant impact. This flag limits users who do not have a QMC Role to only ever be able to see apps that they own

Does it mean any user who has no admin role assigned can still access the apps section? If yes, how can a user access any QMC section without a role? I have created a ticket for the same problem

https://community.qlik.com/t5/Qlik-Sense-Deployment-Management/How-to-Enable-Stream-Section-in-QMC-b...

 

I am hoping for a positive response from you

Thanks

Rohit Kumar


 

Support

@eduardo_palacios @Carlos_Rodriguez that would suggest that the notification about the changes to the rules are not propagating from the central node to at least one of the rim nodes. This was a rare, but rather frustrating bug on versions of Qlik Sense prior to September 2018. It is possible that it could have surfaced again.

@rohitk1609 

1. Make a rule change and check the repository log for the invalidation

2. Unfortunately the score is only ever held in memory, and is never written to disk or logged.

3. Access to sections of the QMC are determined by the security rules. You can using the rules allow any user access to anything, but evaluating those rules has a cost.

4. The counters turned off by QmcStartPageLimited are highlighted in the following screenshot (I downloaded this from Google image search and modified it): Counters.JPG

As for QmcSelfServiceLimited, as stated before, using the security rules you can grant any user access to part or all of the QMC and many organisations do in order to address administration issues. For example allowing app developers access to the apps section of the QMC to let them import apps. If you search the community I am sure you will be able to find examples of how to do this based around custom properties, security groups or roles.

This flag will prefilter what these users will see when they access the apps section of the QMC.

rohitk1609
Valued Contributor III

Thanks Andrew for your important note. No doubt you answered all my questions, but still a few things are unclear at my end, so let me ask them once again.

For point 1, you said to check the repository log for the invalidation. Can you please specify exactly which log entry or message indicates the cache discard?

For point 3, I opened a discussion; it has more than 50 views but nobody has added a single input.

 https://community.qlik.com/t5/Qlik-Sense-Deployment-Management/How-to-Enable-Stream-Section-in-QMC-b...

My question here is: can we write a security rule, without creating a new role, that makes the Qlik Sense QMC apps section or any other resource accessible to a user?

I know how to create a new role and add resources, but I am looking for a way without creating a new admin role. I hope I asked this in the proper way.

I hope I will get a positive response

Thanks,

Rohit

analienx
New Contributor III

@Carlos_Rodriguez - that usually happens when you have customized a Default or ReadOnly rule. In that case it is imperative to restart all the services too (usually the dispatcher is just fine).

analienx
New Contributor III

@rohitk1609 surely you can do it. Especially if you have AD groups associated with the users, then you can use logic for apps like:

resource.stream="StreamNameForApps" and user.group="NameOfTheADGroup"

Indeed, creating additional security rules whenever a new app/stream is introduced is not best practice, since you don't want to keep changing security rules; you want to have a definite set. In that case a better approach is to use custom properties:

resource.stream.@ADGroup=user.group

This way you assume a stream has the CP ADGroup assigned. No need to assign anything to users' CPs.

 

rohitk1609
Valued Contributor III

HI Analienx,

I created a security rule similar to resource.stream="StreamNameForApps" and user.group="NameOfTheADGroup" for the QMC, but all the options in the QMC are disabled for him.

 

If this rule works at your side, can you share a screenshot of the user concerned, who can view a specific stream in the QMC without having any admin role or custom admin role?

 

Thanks,

Rohit
