Permissions granted by security roles
A security role grants a set of permissions to all users who have been assigned the role. When a user is assigned to more than one role, they are granted the permissions from each role. Permissions define what a user can see and do in Qlik Cloud.
Security roles control actions and access rights for users and administrators in the tenant. In addition to the tenant-level security roles, there are also space roles that control user actions on content within spaces. For more information about the different types of roles, see Roles and permissions for users and administrators.
You can assign the following security roles.
Role | Type | Permissions | Access granted with role |
---|---|---|---|
Tenant Admin | Administrator | An administrator with full permissions to manage and administer all aspects of the tenant. | Access to the Administration activity center from the navigation menu |
Analytics Admin | Administrator | An administrator with limited permissions to manage only some areas of governance and content. | Access to the Administration activity center from the navigation menu |
Audit Admin | Administrator | An administrator with limited permissions, including: | Access to the Administration activity center from the navigation menu |
Data Admin | Administrator | Administrator with limited permissions to manage only data spaces. | Access to the Administration activity center from the navigation menu |
Developer | User | A user who can generate API keys. | API keys option on the user profile menu |
Data Space Creator | User | A user who can create data spaces. | Create data space option in the Home page in the Qlik Talend Data Integration activity center. |
Managed Space Creator | User | A user who can create managed spaces. | Space option in the Create page of the Analytics activity center |
Shared Space Creator | User | A user who can create shared spaces. | Space option in the Create page of the Analytics activity center |
Data Services Contributor | User | A user who has access to Data Integration services | Access to the Qlik Talend Data Integration activity center from the navigation menu |
Private Analytics Content Creator | User | A user who can create private analytics content. | Personal space option in the Space list when adding new content |
Automation Creator | User | A user who can create private automations. | Automation option in the Create page of the Analytics activity center. |
Collaboration Platform User | User | A user who can communicate with Qlik Cloud through external collaboration platforms. | Can add external environments and use these environments to communicate with their Qlik Cloud apps. |
Steward | User | A user who can create, update, and delete a glossary, and approve, edit, and delete terms. | Glossary option in the Create page of the Analytics activity center. |
Embedded Analytics User | User | A user who can only access apps directly in embedded use cases. They are blocked from accessing activity centers and other interfaces, except if they also have an administrator role. | This role restricts access to all other parts of Qlik Cloud. |
Automl Experiment Contributor | User | A user who can view, create, use, and manage ML experiments. They can also deploy models trained within an experiment into ML deployments. | Ability to view ML resources. Full access to using ML experiments. |
Automl Deployment Contributor | User | A user who can view, create, use, and manage ML deployments. They can also view the ML experiments in a space, if they have the required permission in the space. | Ability to view ML resources. Full access to using ML deployments. |
Permissions for tenant administrators
Users who are assigned the Tenant Admin role have broad permissions to manage a tenant. This includes managing users, access control, and tenant configuration.
For certain actions, the tenant administrator needs additional permissions. You need the Developer role to create API keys and you need to be a member of a space to access data and apps in that space.
Tenant administrators are the only administrators that can take ownership of and delete other users' personal content. Tenant admins cannot export apps from other users' personal spaces, but they can take ownership of these apps and then export them. See: Changing owner of apps and Exporting apps.
The table lists the permitted actions on content in other users' personal spaces.
Resources | Permissions |
---|---|
Apps | List, Open, Delete, Change owner |
Data connections | List, Edit, Delete, Open (for app reload). Can also open (read) data files for app reload. |
ML experiments | List, Open, Delete |
ML deployments | List, Open, Delete, Move (change space), Approve deployed models |
Anyone assigned the Tenant Admin role may be granted access to content, including personal content, relating to all users within the tenant to which the Tenant Admin role is assigned.
Permissions for analytics administrators
Users who are assigned the Analytics Admin role are administrators with limited permissions. They have access to parts of the Administration activity center, such as managing shared and managed spaces, extensions, and themes.
Analytics administrators cannot manage users in the Users section of the Administration activity center. They can manage space members in space types that they are allowed to manage.
Analytics administrators can manage user resources for analytics services within shared and managed spaces. They cannot access content in other users' personal spaces. This includes apps, data files, data assets, and data connections.
The tables list the permissions that are granted by this role.
Resources | Permissions |
---|---|
Shared spaces | Create, Read, Update, Delete |
Managed spaces | Create, Read, Update, Delete |
Extensions | Create, Read, Update, Delete |
Automations | Enable, Disable, List, Delete, Change owner |
Themes | Create, Read, Update, Delete |
Sharing service task | Create, Read, Update, Delete |
Resources | Permissions |
---|---|
Apps | List, Delete |
Generic links | Create, Read, Update, Delete |
Data sets | Read, Delete |
Data assets | Read, Delete |
REST data files | List, Delete |
Data connections | List, Delete |
Assistants | Read, List, Delete |
Knowledge bases | Read, List, Delete |
Permissions for data administrators
Users who are assigned the Data Admin role are administrators with limited permissions for data spaces and data resources within those spaces. In the Administration activity center, they can access only the areas for which they have permissions.
Data administrators cannot manage users in the Users section of the Administration activity center. They can manage space members in space types that they are allowed to manage.
Data administrators cannot access content in other users' personal spaces.
The tables list the permissions that are granted by this role.
Resources | Permissions |
---|---|
Data space | Create, Read, Update, Delete |
Resources | Permissions |
---|---|
Data sets | List, Read, Delete |
Data assets | List, Read, Delete |
Resource connections | List, Create, Read, Update, Delete |
Data stores | List, Read, Delete |
Permissions for audit administrators
Users who are assigned the Audit Admin role can:
- Access app feedback and usage information captured as part of the Natural Language API (requires the Developer role).
- Access and view conversations in Qlik Answers assistants to review feedback.
App feedback and usage
With the addition of the Developer role, an audit administrator can view a variety of usage metrics for Insight Advisor and Insight Advisor Chat captured as a part of the Natural Language API. This API enables evaluation of patterns in user interactions with apps, including feedback provided for analyses generated by Insight Advisor and Insight Advisor Chat. This information can be used to improve user experience through adjustments to the app, either within the data or in the business logic of the app.
This API only returns app information from shared and managed spaces. An audit administrator does not have access to usage metrics data for personal spaces.
To view the usage metrics of an app, an audit administrator must also be assigned one of the following space roles in the space where the app is located.
Roles in shared spaces:
- Owner
- Can manage
- Can edit
- Can view
Roles in managed spaces:
- Is owner
- Can manage
- Can contribute
- Can view
- Has restricted view
For more information about how Insight Advisor user interaction data can be used to improve app usability, see Using feedback and usage metrics to improve app usability. For specifics about the Natural Language API, see Natural language, and for a tutorial on using the Natural Language API, see Collect and share Insight Advisor feedback.
The table lists the permissions that are granted by this role.
Resources | Permissions |
---|---|
Audit | Read |
Filter action of the Natural Language API | Read |
Qlik Answers
With Qlik Answers, audit administrators can view and review conversations users have had with assistants. They can view the feedback left by users as well as the sources used by the assistants. For more information, see Reviewing assistant conversations.
To view Qlik Answers conversations, audit administrators require the View assistants permission. In addition, they must also be assigned one of the following space roles in the space where the assistant is located:
Roles in shared spaces:
- Owner
- Can manage
- Can edit
Roles in managed spaces:
- Is owner
- Can manage
- Can contribute
- Can view
The table lists the permissions that are granted by this role.
Resources | Permissions |
---|---|
Assistant-audit | Read, Audit |
Permissions for space creators
Users with one of the space creator roles have the permission to create a space of that type from the Create page in the Analytics activity center.
The table lists the permissions that are granted by the roles.
Resources | Permissions |
---|---|
Data spaces | Create |
Resources | Permissions |
---|---|
Managed spaces | Create |
Resources | Permissions |
---|---|
Private spaces | Create |
For new tenants, the Shared Space Creator role is automatically assigned to all users by default. To turn off this automatic role assignment, toggle off the following settings in the Administration activity center:
- Auto assign under Users > Permissions.
- Full Users can create shared spaces under Settings > Entitlements.
For more information about the settings, see Assigning security roles and custom roles to everyone in the tenant.
Permissions for private analytics content creators
Users with the Private Analytics Content Creator role can create analytics content in personal spaces. Users without this role can still create monitored charts, alerts, subscriptions, and notes in their personal space.
The table lists the permissions that are granted by this role on resources in personal spaces.
Resources | Permissions |
---|---|
Qlik Sense apps | Create, Duplicate, Import, Source |
QlikView apps | Duplicate, Import, Source |
Data connections | Create, Update, Change space |
Data files | Create, Update |
Data sets | Create, Update, Profile |
Note that tenant administrators must also have the Private Analytics Content Creator role to perform the actions in the table.
For new tenants, the Private Analytics Content Creator role is automatically assigned to all users by default. To turn off this automatic role assignment, toggle off the following settings in the Administration activity center:
- Auto assign under Users > Permissions.
- Full Users can create private content under Settings > Entitlements.
For more information about the settings, see Assigning security roles and custom roles to everyone in the tenant.
As you can see in the table above, this role does not control all actions on the resources. If you remove the role from a user who has analytics content in their personal space, the user can still use that content. Any already existing data connections and data files can be selected and used, and scripts can be updated and reloaded.
If a scheduled reload task that is located in a personal space and has a binary load or store in its script stops working, the user of the personal space needs to log in. Logging in automatically assigns the Private Analytics Content Creator role to the user, which solves the reload issue.
Permissions for automation creators
Users with the Automation Creator role can create automations in personal spaces.
The table lists the permissions that are granted by this role.
Resources | Permissions |
---|---|
Qlik Application Automation | Create, Update, Run, Enable, Disable, Duplicate |
For new tenants, the Automation Creator role is automatically assigned to all users by default. Tenant administrators can turn off this automatic role assignment by toggling off the Auto assign option under Users > Permissions in the Administration activity center. See:
- Assigning security roles and custom roles to everyone in the tenant (capacity-based subscriptions)
- Assigning security roles and custom roles to everyone in the tenant (user-based subscriptions)
- Assigning security roles and custom roles to everyone in the tenant (Qlik Anonymous Access subscriptions)
Permissions for collaboration platform users
Users with the Collaboration Platform User role in the tenant can interact with the Insight Advisor Chat service in external collaboration platforms.
The Collaboration Platform User role is assigned on an opt-in basis, meaning that tenant administrators must assign the role to specific users who need it. The Auto assign option is off by default for this user role. Tenant administrators can turn on this automatic role assignment by toggling the option on under Users > Permissions in the Administration activity center. See:
- Assigning security roles and custom roles to everyone in the tenant (capacity-based subscriptions)
- Assigning security roles and custom roles to everyone in the tenant (user-based subscriptions)
- Assigning security roles and custom roles to everyone in the tenant (Qlik Anonymous Access subscriptions)
Permissions for developers
You need the Developer role to generate API keys. Users with this role have an API keys section on their user profile menu. For more information, see Managing API keys.
The table lists the permissions that are granted by this role.
Resources | Permissions |
---|---|
API keys | List, Create, Read, Update, Delete |
Permissions for data services contributors
You need the Data Services Contributor role to work with Qlik Cloud Data Integration. Users with this role can access the Qlik Cloud Data Integration home by selecting Data Integration from the navigation menu.
The table lists the permissions that are granted by this role.
Resources | Permissions |
---|---|
Data services | Read |
For new tenants, the Data Services Contributor role is automatically assigned to all users by default. To turn off this automatic role assignment, toggle off the following settings in the Administration activity center:
- Auto assign under Users > Permissions.
- Full Users can access Data Integration under Settings > Entitlements.
For more information about the settings, see Assigning security roles and custom roles to everyone in the tenant.
Permissions for business glossary stewards
With the Steward role, you can create, update, and delete a glossary as well as edit or delete a term in Verified state or change the term status to Verified. In addition to the Steward role, you must also be assigned the Can edit space role in the space where the glossary is located.
The table lists the permissions that are granted by this role.
Resources | Permissions |
---|---|
Business glossaries | Create, Read, Update, Delete |
Glossary terms | Change status |
For new tenants, the Steward role is automatically assigned to all users by default. Tenant administrators can turn off this automatic role assignment by toggling off the Auto assign option under Users > Permissions in the Administration activity center. See Assigning security roles and custom roles to everyone in the tenant.
Permissions for embedded analytics users
The Embedded Analytics User role is a limiting user role. This role provides access to apps and app content while blocking access to all other parts of Qlik Cloud, such as the Qlik Cloud Analytics activity centers, Application Automation, Data Integration, and profile settings. However, if a user has both an administrator role and the Embedded Analytics User role, these restrictions do not apply. The user will still have full access.
Users with the Embedded Analytics User role can access apps and sheets via direct links, for example, in embedded use cases. What the user is permitted to do with apps is based on the user's other security roles and space roles.
The Embedded Analytics User role is disabled for all users by default. Tenant administrators can turn on automatic assignment of the role to all users by toggling on the Auto assign option under Users > Permissions in the Administration activity center. See Assigning security roles and custom roles to everyone in the tenant.
Permissions for AutoML experiment contributors
The Automl Experiment Contributor role allows a user to work with ML experiments. With this role, you can create and manage ML experiments. You can also create ML deployments from models trained in an experiment, and view the ML deployments in a space where you have the required permissions.
Note that to work with ML experiments, you must meet all other user requirements as well. For a list of requirements for working with Qlik AutoML, see Who can work with Qlik AutoML.
The table lists the permissions that are granted by this role.
Resources | Permissions |
---|---|
ML experiments | Read, Create, Update, Delete, Move |
ML deployments | Read, Create |
This role is automatically assigned to all users by default. Tenant administrators can turn off this automatic role assignment by toggling off the Auto assign option under Users > Permissions in the Administration activity center. See Assigning security roles and custom roles to everyone in the tenant.
Permissions for AutoML deployment contributors
The Automl Deployment Contributor role allows a user to work with ML deployments. With this role, you can create and manage ML deployments. You can also view the ML experiments in a space where you have the required permissions.
Note that to work with ML experiments, you must meet all other user requirements as well. For a list of requirements for working with Qlik AutoML, see Who can work with Qlik AutoML.
The table lists the permissions that are granted by this role.
Resources | Permissions |
---|---|
ML experiments | Read |
ML deployments | Read, Create, Edit, Delete, Move, Run (use in predictions) |
This role is automatically assigned to all users by default. Tenant administrators can turn off this automatic role assignment by toggling off the Auto assign option under Users > Permissions in the Administration activity center. See Assigning security roles and custom roles to everyone in the tenant.
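Several rules on this page only show up when roles are combined: permissions add up across roles, an administrator role lifts the Embedded Analytics User restrictions, and the Developer role is what enables API keys and Natural Language API usage metrics for an audit administrator. The following Python is an added example, not Qlik code, that checks a list of role assignments against those rules. The data layout, function names, and sample users are assumptions, and every role typed Administrator in the roles table is treated as "an administrator role".

```python
"""Review role assignments against the combination rules stated on this page."""

# Roles typed "Administrator" in the roles table at the top of the page.
ADMIN_ROLES = {"Tenant Admin", "Analytics Admin", "Audit Admin", "Data Admin"}
EMBEDDED = "Embedded Analytics User"

# Grants copied from the per-role tables on this page. Only a subset of roles
# is modelled; the dict layout is this example's own (assumption).
ROLE_GRANTS = {
    "Developer": {"API keys": ["List", "Create", "Read", "Update", "Delete"]},
    "Audit Admin": {
        "Audit": ["Read"],
        "Filter action of the Natural Language API": ["Read"],
        "Assistant-audit": ["Read", "Audit"],
    },
    "Automl Experiment Contributor": {
        "ML experiments": ["Read", "Create", "Update", "Delete", "Move"],
        "ML deployments": ["Read", "Create"],
    },
    "Automl Deployment Contributor": {
        "ML experiments": ["Read"],
        "ML deployments": ["Read", "Create", "Edit", "Delete", "Move",
                           "Run (use in predictions)"],
    },
}


def effective_permissions(roles):
    """Union of grants: a user with several roles gets the permissions of each."""
    merged = {}
    for role in roles:
        for resource, actions in ROLE_GRANTS.get(role, {}).items():
            merged.setdefault(resource, set()).update(actions)
    return merged


def review(roles):
    """Return findings for the role combinations the page calls out."""
    roles = set(roles)
    admins = ", ".join(sorted(roles & ADMIN_ROLES))
    findings = []
    if EMBEDDED in roles and admins:
        findings.append(f"{EMBEDDED} restrictions do not apply: also holds {admins}")
    if "Developer" in roles and admins:
        findings.append(f"administrator can generate API keys: {admins} + Developer")
    if {"Audit Admin", "Developer"} <= roles:
        findings.append("can read Natural Language API usage metrics "
                        "in spaces where a space role is held")
    return findings


# Constructed sample assignments (not real tenant data).
SAMPLE_USERS = {
    "kiosk-viewer": [EMBEDDED],
    "bi-lead": [EMBEDDED, "Analytics Admin"],
    "auditor": ["Audit Admin", "Developer"],
    "ml-eng": ["Automl Experiment Contributor", "Automl Deployment Contributor"],
}

if __name__ == "__main__":
    for user, roles in SAMPLE_USERS.items():
        print(user, review(roles), effective_permissions(roles))
```

Roles that are not modelled in `ROLE_GRANTS` contribute no grants to the union, so extend the dict from the tables above before relying on `effective_permissions` for a full tenant review.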