Skip to main content Skip to complementary content

User permissions

A user role is a collection of specific permissions that apply to all users who have that role. When a user has more than one role, they are granted the permissions from each role. Permissions define what a user can see and do in Qlik Sense.

Permissions in the Management Console

Admin users with access to the Users section of the Management Console can access the Permissions tab. This view shows the user role assignments that are available in the tenant, the description of each user role, and the type of user role. From the Permissions tab of the Users section, click , the MC down arrow at the end of an assignment row to see all users who are assigned this role.

Permissions tab showing user role permissions

User permissions in the Management Console

Permissions tab in Users section of the Management Console, showing user role permissions.

Users view

The Users tab lists the users that have been assigned this role. Here, you can select users from the list to assign and unassign this role to users.

User permissions window with expanded view

Tab for individual users within Users view

User permissions window with expanded view

Groups view

The Groups tab lists the groups that have been assigned this role. Groups are defined through your identity provider. They are not created from the Management Console. Here, you can select groups from the list to assign and unassign this role to groups. When you assign a user role to a group, every member of that group is granted the permissions defined by that user role.

User section of MC showing permissions tab under users

Tab for user groups within Users view

User section of MC showing permissions tab under users

If a user is added to the tenant individually, and they are included in a group through the identity provider, it is possible that user is assigned the same role twice: once from their user assignment and once from their group assignment. To remove a user assignment for such a user, you must unassign the role from both the Users and Groups tab.

Permissions that make up user roles

Tenant administrator

Users with this role are full tenant administrators and have very few limitations in what they can do in the tenant, with the exception of creating API keys, which requires a developer role. A tenant administrator manages all aspects of the tenant, which includes assigning user roles to other users. A tenant admin can also assign and delete their own user roles.

Tenant administrators are the only administrators who can make edits in other users' personal space. They can do the following:

  • Apps: list, open, delete, and export (download).

  • Data connections: list, edit, delete, and open for app reload.

    They can also open (read) data files for app reload.

Information noteA tenant administrator cannot delete their own TenantAdmin role.
Warning note

Anyone who is provided with the tenant admin role may be provided with access to:

  • Information (which may include personal information) relating to all users in the tenant to which the tenant admin role is assigned; and

  • The subject (which is a unique string used to identify the user that is provided to Qlik Cloud by the configured Identity Provider) for users of other tenants which share the same Qlik license or subscription as the tenant on which the tenant admin role is assigned.

Analytics administrator

Users with this role are administrators with limited permissions to manage only some areas of Governance and Content. In the Management Console, they can access only the areas for which they have permissions. The table below lists all of the permissions that are granted with this role.

AnalyticsAdmin permissions
Resources Permissions
Private apps

List, Delete

Information noteIf the app is not published, the analytics administrator can also export the app, change the space of the app, and change the owner of the app.
Shared apps List, Delete
Managed apps List, Delete
Generic links List, Create, Update, Delete
Data sets List, Update, Delete
Data assets List, Update, Delete
Private data files Create, Read, Update
REST data files List, Delete
Data connections List, Delete
Shared spaces Create, Read, Delete, Update
Managed spaces Create, Read, Delete, Update
Extensions Create, Read, Delete, Update
Automations Enable, Disable, Delete, Change Owner
Management Console Read
Themes Create, Read, Delete, Update
Audit Read
Sharing service task Create, Read, Delete, Update

Audit administrator

Users who are assigned this role, in addition to the Developer role, can access app feedback and usage information captured as part of the Natural Language API. An audit administrator can view a variety of usage metrics for Insight Advisor and Insight Advisor Chat. This API enables evaluation of patterns in user interactions with apps, including feedback provided for analyses generated by Insight Advisor and Insight Advisor Chat. This information can be used to improve user experience through adjustments to the app, either within the data or in the app's business logic.

This API only returns app information from shared and managed spaces. An audit administrator does not have access to usage metrics data for personal spaces.

To view the usage metrics of an app, an audit administrator also requires one of the following permissions in the space in which the app is located:

  • Shared spaces:

    • Owner

    • Can manage

    • Can edit

    • Can view

  • Managed spaces:

    • Is owner

    • Can manage

    • Can contribute

    • Can view

    • Has restricted view

 

Information noteThe Natural Language API does not check section access controls in the app's load script. If an audit administrator has the Developer role and can open apps (as provided through the space permissions), they can view the app usage metrics.

For more information about how Insight Advisor user interaction data can be used to improve app usability, see Using feedback and usage metrics to improve app usability. For specifics about the Natural Language API, see Natural language.

For a tutorial on using the Natural Language API, see Collect and share Insight Advisor feedback.

AuditAdmin permissions
Resources Permissions
Audit

Read

Management Console Read
Filter action of the Natural Language API Read
User List, read

Data administrator

Users with this role are administrators with limited permissions for data spaces and data resources within those spaces. The table below lists all of the permissions that are granted with this role. In the Management Console, they can access only the areas for which they have permissions.

DataAdmin permissions
Resources Permissions
Private data integration apps

List, Read, Delete, Change owner

Shared data integration apps List, Create, Read, Update, Delete, Operate, Change owner
Private data sets List, Read
Data integration data sets List, Create, Read, Update, Delete
Private data assets List, Read
Data integration data asset List, Create, Read, Update, Delete
Private resource connection List, Read
Data integration resource connection List, Create, Read, Update, Delete
Private data store List, Read
Data integration data store List, Create, Read, Update, Delete
Data integration space Create, Read, Update, Delete

Space creator roles

Users with one of the space creator roles have the permission to create a space of that type from the hub. The table below lists all of the permissions that are granted with this role.

Space creator permissions
Resources Shared Space Creator Managed Space Creator Create Data Integration Spaces
Private spaces Create  

 

Managed spaces   Create  
Data integration spaces     Create
Information noteBy default, all users with a professional user allocation can create shared spaces. The tenant administrator can turn off this setting in the Management Console. Go to Settings > Entitlements, then toggle off the Professional entitlements can create shared spaces option. All users who obtain the SharedSpaceCreator role as a result of the Professional entitlements can create shared spaces option being turned on retain that role until an admin user manually removes the role.