Security and data governance principles
Qlik Catalog security includes user authentication and authorization through groups and role-based permissions. Qlik Catalog leverages enterprise security technologies such as Active Directory identity services and domain management, and LDAP, to query and dynamically synchronize active groups and personnel. Support for impersonation and enforcement of file system access control methods enable precise control and integration of existing security policies. Together, these features give an enterprise the flexibility to roll out a data lake with confidence in all aspects of security.
The Qlik Catalog authentication and authorization implementation is based on the following key concepts:
- Group: An association of entities or fields accessible by user groups created by a group administrator. The administrator adds users to groups as required by role and access permissions. An entity can belong to multiple data groups. When a group is created, existing groups can be added to the new group as sub-groups. (Note that in the case of QVDs, groups are automatically generated, named, and synced by capturing the Qlik Sense Connector Globally Unique ID, which is 36 characters long; its hyphens are removed to comply with the 32-character limit on Linux group names.)
- Permission: A permission is an operation or function (e.g., view a source, create, edit, delete). Permissions are granted to users in the context of groups.
- Role: A role defines which features of the application will be accessible to a user. Hence a role is a collection of permissions. The following five pre-defined roles are supported:
  - Analyst: Analysts create and export selected views and datasets from within the Discover module. An analyst inherits the data access levels of the user group to which they have been assigned.
  - Master Analyst: Master analysts have analyst permissions with added permission to edit metadata.
  - Master Analyst Obfuscator: Master analyst obfuscators have analyst permissions with added permission to edit metadata and modify obfuscation.
  - Admin: Admins have access to all areas of the application, including security, except that they cannot add or edit groups. Admins can add and edit users in groups for the data sources they manage.
  - SuperUser: A superuser can disable any existing user and has full access to all groups with all privileges.