Security rules are a very powerful tool intended to assist Qlik Sense administrators in managing access to Qlik Sense features. Using these rules administrators can manage not just the ability to access or create applications, but almost all features of the product including data connections, streams and even individual components of the Qlik Management Console.
This allows administrators to define user and administration roles that closely match unique organization needs rather than merely rely on an out of the box user model. Unfortunately, this comes at a cost, when a user logs in and access the system all the relevant security rules need to be evaluated to determine the correct access rights for the current screen. This can potentially lead to long load times and poor performance in especially in large systems.
This blog post will cover a summary of the default user model Qlik Sense ships with, along with a closer examination of how security rules are evaluated and cached and in doing so will provide a framework for administrators to ensure that they can get the most out of their system and where possible reduce unintentional performance impacts on users.
The Default Security Rules
Qlik Sense ships with a set of default security rules that provide a set of administration roles and user roles for organisations to use and modify to meet their own needs.
When you first log in to a fresh installation of Qlik Sense September 2019, you will be greeted with a set of 63 rules which all work together to create that initial user model.
Broadly speaking the model works as follows (Items in bold are unchangeable rules and are always true):
In the Hub:
Users can create apps
Owners of items can see those items
If you can read a stream, you can read all apps published to the stream
If you can read an app, you can read the content of that app
If you can update an app, you can update the contents of that app
If you can read an unpublished app, you can create objects that are part of that app
If you can read a published app, you can create some objects on that app
Everyone has access to the Everyone Stream
Administrators have access to the Monitoring Apps stream
In the QMC:
The Service Account has access to everything
The Root Administrator has access to everything
Audit Administrators have access to audit sections and entities
Content Administrators have access to content section, entities and connection related security rules
Deployment Administrators have access to deployment sections and entities, apps (to manage load balancing) and license rules
Security Administrators have access to security sections and entities
As you can see there are two separate contexts for rules and that, for the most part administrator roles only impact the Qlik Management Console. This is because all administration activity is expected to happen in the QMC and not the hub. It is possible, and in some cases desirable, for your root administrator to operate entirely without an assigned license, though this does prevent them from using the monitoring applications.
One final note about Security rules in Qlik Sense. Rules can only ever add privileges, they can never take them away. This is very important when trying to design your access model, try to think in terms of what users can do, rather than in terms of what they cannot do and the structure of your rules will flow much more easily.
Security Rule Evaluation
Let’s go a little deeper and focus on how the system evaluates security rules.
Every rule has a set of attributes that are used during evaluations:
Context (Does this rule apply in the QMC, the Hub or both)
Resource Filter (The parts of the system the rule covers)
Actions (The privileges the rule grants)
Conditions (The set of conditions that ultimately determine who is granted the actions)
A Score (A dynamically generated metric indicating how useful the rule is, the more
When a user accesses Qlik Sense, the system pulls only rules relevant to the current context and resources (for example, when accessing the hub, we need to evaluate the rules for a user’s apps, as well as the rules for streams).
The system also will retrieve the relevant resources (in this case all published applications, applications the user owns, and all streams) to evaluate the combination of rules, user and resources.
It runs through these rules in score order, these scores are stored in the Security Rule Evaluation Cache, which means the values are lost every time the system restarts.
Once it has finished evaluating the rules, the results are stored in the Security Rule Evaluation Cache so that the next time this user accesses the same page the system can simply retrieve the result of the calculation from the cache and if necessary only evaluate the rules on new apps.
The system will exit the evaluation early if the user has already been granted all the requested rights to a resource. For example: the Root Administrator will generally find most of the QMC will load very quickly because the rule evaluation is very simple. One of the oldest rules in any given system grants them all privileges on everything in the QMC, that rule will generally score very highly and so be evaluated very early and then there is no need to perform any further checking as rules can only add and not take away.
On the other hand, a limited user who has been granted access to only the Apps Section of the QMC and a small handful of applications may find that interface takes a very long time to load as the system will first need to evaluate enough rules to give access to the requested resource (i.e. in a system that has no previous evaluation, the less access the user has the longer the evaluation will take.
Finally, security rule evaluation takes place on a mixture of different nodes, some evaluations will take place on the node with the proxy you are connecting to, some will take place on the node with the engine, and some will take place on the central node.
In the case of QMC activity, all evaluations will take place on the central node, and in the case of very limited users, those evaluations will be relatively lengthy and complex. On larger systems this can lead to a rather slow user experience on the QMC. In extreme cases this can lead to the system becoming effectively unavailable on all nodes. In Qlik Sense September 2019 we have implemented 2 feature flags to increase the scalability of the QMC at the cost of reduced functionality.
See How to enable QMC Limits in Qlik Sense (KB 000086580) for details.
The Security Rule Evaluation Cache
In the previous section I mentioned the Security Rule Evaluation Cache Cache, which stores the results of security rule evaluations in order to speed up future access. Why then does your system seem to slow down as more users and apps are added? After all the cache should eventually cover all common system activities.
The cache is deliberately designed to be short lived, there are many circumstances under which it is either partially or wholly invalidated or discarded, meaning that a full rules evaluation needs to be completed once more. This is broadly because we need to know that the cache is correct, anytime something changes (or could have changed) we cannot rely on the cache and must revert to the slower approach.
There are basically 3 types of cache invalidation:
Complete invalidation (The entire cache is discarded)
User based invalidation
Entity based invalidation
1. Complete Invalidation
Any change to security rules, load balancing or license rules
Any change to custom properties values (i.e. the potential possible values a custom property can be assigned)
When the system is restarted (the cache is never written to disk, and rules may have changed since the service last started)
If the connection to the database is disrupted
As these changes could have a wide ranging impact, the entire cache is discarded and must be rebuilt by user behavior.
When this cache is invalidated, the scores for every rule are also reset to 0, meaning that we also lose any optimizations gained since the session started.
2. User based invalidation
Any change to a user attribute (e.g. the user is added or removed from a group)
A user’s custom properties are changed
Rules are often based on user attributes, changes to that user mean we cannot ensure the cached results still apply, so we discard the cached results linked to that user.
3. Entity based invalidation
Almost any change to a single entity. (e.g. changing an app’s name or owner, approving a community sheet, renaming a data connection)
Much like with users, changing any aspect an entity or resource that can be addressed in a rule means that we cannot ensure the cached results still apply for that entity, so we discard the cached results linked to it.
In Qlik Sense February 2019, additional logging was implemented to record when a cache invalidation occurs along with its type (Complete, User, Entity)
If you want to provide the best performance for your users try to make rule changes near scheduled downtime, when the cache is already going to be invalidated due to a service restart.
To reduce the number of evaluations that need to take place, try to ensure you have a regular clean up process where you export and delete old apps that are no longer in use.
Limited users in the QMC should also have a very limited scope, i.e. only get access to one or two sections. Where possible try to centralise QMC activities to a smaller number of administrators rather than expand access to the entire user base. In a large organization it is better to have a small number of administrators and a ticket system than to grant every developer access to the QMC for small scale task management.
Hello Qlik Sense Users
We are pleased to announce a pilot program called Patch Wednesdays*. The aim of the new program is to have a more consistent delivery timeline and better planning within Global Products. Patches will be released every two weeks, and you guessed it, on Wednesdays! With that being said, we'd like to note that the following patches were released today and are now available on the download site.
November 2019 Patch 1 - details on included fixes can be found hereSeptember 2019 Patch 2 - details on included fixes can be foundhereJune 2019 Patch 6 - details on included fixes can be foundhereApril 2019 Patch 5 - details on included fixes can be foundhereNovember 2018 Patch 8 - details on included fixes can be foundhere
Thank you for choosing Qlik software. As always, please follow best practices when upgrading any software and make sure you back up your system before making changes.
Kind regards,Global Support
*The terms of this program are under review and are subject to change.
UPDATE TO PREVIOUS POST - December 5, 2019
Following the statement below we have received quite a bit of feedback from passionate Qlik users and partners who are getting a great amount of daily value out of Qlik’s products and services. As a result of this feedback we would like to share with you the following information and updates regarding key areas of concern.
API Developer access to development tool:
We realize that Qlik Sense Desktop is an integral part of many API developers in our community, and a solution will be provided prior to June 2020 that will provide similar or better ability to develop with Qlik's APIs and will be communicated via our Qlik developer community, Qlik Branch.
Ability to easily try Qlik Sense for extended periods of time:
We will continue to invest in making it easier and faster for anyone (not just Windows users) to try Qlik Sense via a cloud-based trial approach with Qlik Sense Business.We recognize that it is not always possible to make a decision in 30 days, so trial users will be able to extend their trial for an additional 15 days on their own.If additional time is needed to make a decision, trials can be extended further, we only ask our trial users to engage with a salesperson who can assist with your evaluation of Qlik Sense.
Ability to keep data offline while trying (and using) Qlik Sense:
We have prioritized enabling Qlik Sense Desktop to authenticate via Qlik Cloud Services which would enable Qlik Sense Business users to also use Qlik Sense Desktop.This will enable paid and trial users to keep their data local if they choose.
Access to Qlik Sense for key influencers and promoters of Qlik:
We will continue our investments in e-commerce capabilities so we can grant faster, easier and more customized access to Qlik Sense.This capability is much more than the ability to just buy Qlik Sense via a credit card, also giving Qlik the ability to efficiently service special groups via programs such as ourAcademic Program,Corporate Responsibility Programsoftware grants and ourPartner Program.
Thank you all for the on-going feedback, suggestions, and dialogue. Qlik is very thankful to have a vibrant and passionate community. We are listening and appreciate all the feedback.
Posted December 3, 2019
To adapt to changing customer preferences and in alignment with enterprise cloud vendors industry practice, Qlik is moving away from a ‘freemium’ model for both its cloud and desktop versions of Qlik Sense, in favor of a time-limited trial. This means that both Qlik Sense Cloud Basic and Qlik Sense Desktop will cease to be free. It is important to note that Qlik Sense Desktop will remain a supported part of our Qlik Sense product family.
We began this process in August with the launch of Qlik Sense Business and migration of Qlik Sense Cloud users and now we are beginning the process for Qlik Sense Desktop. We are aware this is a change for many of Qlik Sense Desktop users so we will be making these changes progressively over several months to allow you to plan accordingly. We will start by removing the download from qlik.com, then Qlik Sense Desktop will notify users of the change and finally, free use of Qlik Sense Desktop will stop.
Key Changes and Dates:
December 2019 through January 2020: Free downloads of Qlik Sense Desktop will be removed from Qlik’s websites. During and after this period, Qlik Sense Desktop will still be available via the customer download site. If you do not have access to the customer download site then you can use this temporary download link to get the most recent version of Qlik Sense Desktop and continue free use. During this period there will be no physical changes to Qlik Sense Desktop.
February 2020: When launching Qlik Sense Desktop, it will display an alert of the upcoming changes (and linking to this posting). This display will be generated in all versions of Qlik Sense Desktop (including previously released versions). At this time, users can continue to use Qlik Sense Desktop for free however we strongly recommend users start transitioning to a paid edition of Qlik Sense either by starting a trial of Qlik Sense Business or by authenticating Qlik Sense Desktop against Qlik Sense Enterprise on Windows.
30 June 2020: Free access to Qlik Sense Desktop will cease. To continue to use Qlik Sense Desktop users must authenticate against Qlik Sense Enterprise on Windows. Users will still be able to access the Qlik Sense App (QVFs) via their local file system and copy the files to other editions of Qlik Sense.
After 30 June 2020: Qlik Sense Desktop will continue to receive updates and will remain a fully supported Qlik Sense client of paid deployments using Qlik Sense Enterprise on Windows.
Can I use Qlik Sense Business to unlock Qlik Sense Desktop?
No, currently the only option is to authenticate Qlik Sense Desktop against Qlik Sense Enterprise on Windows. We are working to provide authentication via Qlik Cloud Services including Qlik Cloud Business.
Can I use an older version of Qlik Sense Desktop and continue free use?
No, all versions of Qlik Sense Desktop will no longer allow free access after 30 June 2020.
Can I buy Qlik Sense Desktop as a standalone?
No, to continue to use Qlik Sense you will need to subscribe to Qlik Sense.
Can I still use Qlik Sense Desktop for app development and/or offline access as part of a wider Qlik Sense Enterprise deployment?
Yes, however, you must authenticate Qlik Sense Desktop against Qlik Sense Enterprise on Windows.
How do I try Qlik Sense if I cannot upload my data to the cloud?
Please contact our sales team to discuss our multi-cloud capabilities which give you the choice of where your data resides.
I’m an API developer and I use Qlik Sense Desktop for my development work, how will I do this after June 2020?
We realize that Qlik Sense Desktop is an integral part of many API developers in our community, a solution will be provided prior to June 2020 that will provide similar or better ability to develop with Qlik's APIs and will be communicated via our Qlik developer community, Qlik Branch.
Hello All Qlik Customers,
November has been a busy month for Qlik Sense releases. So, as we embark upon the holiday season, we want to take a moment to highlight those new releases.
Qlik Sense November 2019 introduces expanded cloud connectivity, new visualization capabilities, enhancements to cloud hub, reporting improvements and more. To learn more about what this release has to offer, please be sure to visit our Qlik Product Innovation Blog. For additional details, including product defect fixes, please review the release notes here.
Qlik Sense NPrinting 2019 introduces the Qlik NPrinting Migration tool, Improvements in On-Demand Reporting and Variable logic. To learn more about this release, including product defect fixes, please review the release notes here.
Qlik Sense PatchesDuring the month of November, we have also released a number of Qlik Sense patches as shown below.
Qlik Sense November 2018 Patch 7 - details on included fixes can be found here Qlik Sense February 2019 Patch 5 - details on included fixes can be found hereQlik Sense April 2019 Patch 4 - details on included fixes can be found hereQlik Sense June 2019 Patch 5 - details on included fixes can be found hereQlik Sense September 2019 Patch 1 - details on included fixes can be found here
As always when upgrading any software, make sure that you backup your system and applications before doing any installation and follow upgrading best practices. Thank you for choosing Qlik software.
We wish you a Happy Holiday Season!
When purchased, our Qlik products are delivered with a 16-digit license key. How that key is applied may differ depending on your requirements or the version of the product.
We’re here to tell you a little about that.
Generally, you’ll have two activation options:
The Signed License key (SLK), available for Qlik Sense, and ABDI.
And a combination of the 16-digit key, a control number, and the License Enabler File (LEF)
Note: These license activation methods cannot be mixed. A license activated with an SLK cannot also be activated using the key + control number method.
Customers who have been using Qlik the longest are likely familiar with the LEF method already, while the SLK may not be as widely known yet, which is why we frequently get questions around it.
In this blog post, we will cover the differences between the two activation methods, as well as what benefits the Signed License key brings to the table. Details on how to activate them will follow in the second post to this short series.
What is a Signed License Key (SLK)?
The SLK is an encrypted JSON web token used to activate Qlik Sense Enterprise or ABDI. It contains product information, available access types for users, and any applicable product add-ons or limitations.
An SLK is currently optional for Qlik Sense Enterprise on Windows and should not be used with license tokens.
You cannot change from an SLK activated system to a LEF activated system.
The SLK requires online connectivity to our licensing server for both activation and continued operation.
For information on how to apply an SLK, see How to Apply a Signed License Key
The SLK is mandatory for:
The use of Qlik Sense Analyzer Capacity licenses
Any deployments using Qlik Sense Enterprise on Kubernetes or Qlik Sense Enterprise on Cloud Services, as well as Multi-Cloud (a combination of Qlik Sense Enterprise on Windows and Cloud offerings)
Unified Licenses, which combine Qlik Sense and QlikView
See Qlik product licenses for more information.
What is a License Enabler File (LEF)?
Every license has a LEF. Each 16-digit license number that you get can be translated into a LEF, regardless of the method used to activate the license. The LEF itself contains all the instructions for the Qlik Product, such as license level, numbers of users, access types available for assignment, as well as all the limitations or add-on.
When applying your license using the license number and control number, the LEF will be downloaded to the product during activation. It will be updated with each refresh request.
The first line of the LEF is always your 16-digit license number and it ends with a checksum so that an unauthorized alteration of the content is impossible.
It requires a control number for activation
You can change from a LEF activated system to an SLK activated system (but not the other way around). Always use LEF activation if your license has tokens.
The LEF can be activated offline and used offline, see How to license a QlikView or Qlik Sense server without Internet access for details.
The LEF activation method is currently required for:
And token-based licenses
See Qlik product licenses for more information.
How do I get an SLK?
Your signed license key will be sent to you in the license delivery email.
If you did not receive your SLK via email, please contact Customer Support. Please make sure to provide the corresponding 16-digit license key and the Support team will be able to get the SLK for you.
There is no way to get the SLK from the Support Portal at this time.
Benefits of using an SLK
Using the Signed License Key makes more product and deployment options available to you.
Examples of these are:
Multi-site deployments, such as connecting a Qlik Sense Enterprise site with a QlikView Server deployment using Qlik Sense Enterprise license options. This is enabled by accepting a Dual-Use offer for each QlikView deployment that should be enabled for a Unified License scenario.
Multi-geo deployments, such as having Qlik Sense Enterprise sites in different locations using the same list of users.
Qlik Sense Enterprise for Kubernetes and Qlik Cloud Services. Either stand-alone or in a multi-cloud setup.
Consumption-based licenses, such as Qlik Sense Enterprise Analyzer Capacity. This additional user license is possible to use in a single or multi-cloud scenario.
All the above is enabled by the use of the Signed License Key. This is made possible by the local deployment syncing all entitlement data (assigned users access, etc.) with all available deployments sharing the same SLK. The synchronization is done using the Qlik Licensing Services and our license backend hosted in Qlik Cloud.
If you are curious about more information around the Qlik Licensing Service, see the Qlik Licensing Service Reference Guide.
How do I get a LEF?
You can get the LEF and control number from the Support Portal by following the steps outlined in How to request a control number and LEF.
And this is it for an overview of our available license types and activation methods. We’ll follow this up with part two soon, detailing the move from a LEF activated license to an SLK. Until then, give this post a like if you found it helpful! And please let us know if you have any questions or feedback in the comments.
Did you know the QCC, Qlik Continuous Classroom, offers self-service learning, 24/7? Choose what, how, and when you want to learn with material for all skill levels. The QCC offers webinars, instructor-led trainings, online courses, and certifications.
Want to grow your knowledge but don’t know where to start? Select the Content Library in the QCC for suggested topics like Free Courses, Business Analyst, Data Literacy Courses, and more. The Course Calendar is a great place to find global, course, group, and user events.
Anatomy of a Learning Module
Learning is organized into 'modules' which may be completed within a single sitting, allowing you to choose the best time to focus your attention on a particular topic. Each module has seven components:
A mix of slides and demonstrations where you should follow along using example files
Download the files which will be used for the video demonstrations and exercises
Instructions are provided so that you can use example files to complete the exercise
Important notes from the video presentation
Complete a 5-question quiz
Shows which version the module was built on and provides links to previous versions
Your link to forums and office hours (available with subscription)
Are you a Qlik expert and want to go beyond the QCC courses? You can earn a qualification!
After learning from the many courses in the Continuous Classroom or taking an associated instructor-led training course, consider earning a Qlik Sense Qualification (certificate and digital badge) to prove your fundamental skills and knowledge of Qlik Sense.
These Qualifications are earned after building a Qilk Sense application and completing an exam which tests your fundamental and applied knowledge. This is available with a paid subscription, instructor-led training course purchase, or as a member of the Academic Program.
What's the difference between a Qualification Exam and a Qlik Certification?
Qualification Exams are fundamental-level exams taken within the Qlik Continuous Classroom. Qualification Exams are offered for Qlik Sense Business Analysts and Data Architects only. They are included in a paid subscription to the Qlik Continuous Classroom, or by attending one of our associated instructor-led training classes. The content in these aforementioned resources is sufficient to pass the Qualification Exams.
Qlik Certification Exams are designed for experienced Qlik experts. The QlikView and Qlik Sense Certification Exams are expert-level exams for Business Analysts, Data Architects, and System Administrators. These exams cost $250 USD each and are delivered by Pearson VUE. Training, plus hands-on experience in several production environments is needed to pass the Qlik Certification Exams. Qlik Certification Exams are a requirement of the Qlik Partner Program for most partner types.
QCC > about > learn more - https://qcc.qlik.com/course/view.php?id=308
25% off QCC for a limited time - https://support.qlik.com/articles/000085753
Follow us on social media!
Qlik LinkedIn - https://www.linkedin.com/company/qlik/
Qlik Twitter - @qlik
Qlik Facebook – https://www.facebook.com/qlik/
Things are always changing in the digital world. Join the last Qlik Insider webinar of the year on November 20th to stay up to speed. - https://go.qlik.com/QlikInsider?sourceID1=CKM Don't get left behind! Sign up with the link today.
If you have any questions, let us know in the comments section. Thanks!
The Support Portal –
What is the Support Portal? The Support Portal is a resource that links users to all their support needs from knowledge articles to creating a case with the Support team.
What does the Support Portal have to offer?
All users have access to view public knowledge articles, quick links to the help site, community, training, and more.
Users enabled with Support Portal access will be able to login to the Support Portal and can access all that is mentioned above. Those users can also view licenses, see individual cases, and all cases linked to the company account.
Who can access the Support Portal? Any user can go to support.qlik.com to view public knowledge articles or submit a case as a guest, but only those with Qlik Accounts enabled with Support Portal access can login to the Support Portal to gain account and case information as well as manage cases online.
The Partner Portal
What is the Partner Portal? The Partner Portal is the gateway into Qlik for partners. It has all the information a partner needs to be successful in their partnership with us.
What does the Partner Portal have to offer? The Partner Portal has a few different access levels. Users can view leads, access marketing materials, access training and more. All users with a Qlik Account that are linked to a company with Partner Status will automatically be enabled with Partner Portal access. Other aspects of the Partner Portal that vary based on access level include:
Partner Green Line – a smooth enablement / Learning tool for partners
Commerce – a Sales tool to manage Leads, Opportunities, and Quotes
QED – Qlik Education
QPMS – Qlik Partner Marketing Services
MDF Tool – Marketing Development Fund
How to access the Qlik Support Portal - https://support.qlik.com/articles/000050443
How to create a case - https://support.qlik.com/articles/000043153
How to access the Partner Green Line: https://support.qlik.com/articles/000048387
How to access the Qlik Partner portal: https://support.qlik.com/articles/000070418
How to Request Access to Qlik Market (for Partners) - https://support.qlik.com/articles/000029396
How to Access and Update your Profile Page in the Partner Portal - https://support.qlik.com/articles/000029396
If you need assistance with Support Portal or Partner Portal access, please contact Customer Support via live chat or by creating a case in the Support Portal.
Things are always changing in the digital world. Join the last Qlik Insider webinar of the year on November 20th to stay up to speed. - https://go.qlik.com/QlikInsider?sourceID1=CKM - Don't get left behind! Sign up with the link today.
Please like this post if you found it helpful and let us know if you have any questions in the comments below. Thanks for reading!
Hello All Qlik Sense Users,
If you are using Core Based licenses, we have been alerted that a high number of end users are encountering the following error:
"You cannot access Qlik Sense because you have no access pass"
At this time, the issue is under investigation with our Internal Licensing team and updates will be provided as soon as we understand the cause.
For additional updates, we ask that you refer to the following article Core Base License error "You cannot access Qlik Sense because you have no access pass"
Learn as you go with self-paced learning
Subscribe today and enjoy big savings
With Qlik, there’s always something new you can learn. And the Qlik Continuous Classroom is the perfect place to do it.
For a limited time, we’re offering 25% off your new full-year subscription if you purchase by December 31, 2019*.
Whether you’re a BusinessAnalyst or Data Architect, our role-based learning makes it easy to get up to speed and sharpen your skills – from anywhere, anytime.
Your subscription gets you:
24/7 on-demand learning that’s self-service and self-paced
Hands-on exercises, quizzes, assessments and quick reference guides
Cutting edge content added and updated regularly
Advanced search for all content, even within videos
Live chat with instructors during webinars and one-on-ones
The chance to validate your skills with a Qlik Sense Qualification
Subscribe today and access all the learning content that’s right for you in the Qlik Continuous Classroom for 12 months. And save 25% while doing it.
Purchase by December 31, 2019* to save 25% off your full-year subscription.
Be sure to use promotion code LEARN2019
More Ways to Save:
Empower your team or your entire organization with a 25% off discount on Corporate Subscriptions until December 31st*.
Corporate Subscriptions available for up to 10, 50, 250, 1000 Users or Unlimited access to Qlik Continuous Classroom.
To benefit from our 25% off discount in addition to the bulk savings in our Corporate Subscriptions,contact your regional Education team.
Subscribe today using promotion codeLEARN2019
* Valid only on new, 12-month individual and corporate subscriptions. Previously purchased subscriptions are not eligible for this discount and no credits or refunds will be given on prior purchases. Offer expires December 31, 2019.