User permissions

A user role is a collection of specific permissions that apply to all users who have that role. When a user has more than one role, they are granted the permissions from each role. Permissions define what a user can see and do in Qlik Sense.

Permissions in the Management Console

Admin users with access to the Users section of the Management Console can access the Permissions tab. This view shows the user role assignments that are available in the tenant, the description of each user role, and the type of user role. From the Permissions tab of the Users section, click , the MC down arrow at the end of an assignment row to see all users who are assigned this role.

Permissions tab showing user role permissions

Permissions tab in Users section of the Management Console, showing user role permissions. — User permissions in the Management Console

Users view

The Users tab lists the users that have been assigned this role. Here, you can select users from the list to assign and unassign this role to users.

User permissions window with expanded view

Groups view

The Groups tab lists the groups that have been assigned this role. Groups are defined through your identity provider. They are not created from the Management Console. Here, you can select groups from the list to assign and unassign this role to groups. When you assign a user role to a group, every member of that group is granted the permissions defined by that user role.

User section of MC showing permissions tab under users

If a user is added to the tenant individually, and they are included in a group through the identity provider, it is possible that user is assigned the same role twice: once from their user assignment and once from their group assignment. To remove a user assignment for such a user, you must unassign the role from both the Users and Groups tab.

Permissions that make up user roles

Tenant administrator

Users with this role are full tenant administrators and have very few limitations in what they can do in the tenant, with the exception of creating API keys, which requires a developer role. A tenant administrator manages all aspects of the tenant, which includes assigning user roles to other users. A tenant admin can also assign and delete their own user roles.

Tenant administrators are the only administrators who can make edits in other users' personal space. They can do the following:

Apps: list, open, delete, and export (download).

Data connections: list, edit, delete, and open for app reload.

They can also open (read) data files for app reload.

A tenant administrator cannot delete their own TenantAdmin role.

Anyone who is provided with the tenant admin role may be provided with access to:

Information (which may include personal information) relating to all users in the tenant to which the tenant admin role is assigned; and
The subject (which is a unique string used to identify the user that is provided to Qlik Cloud by the configured Identity Provider) for users of other tenants which share the same Qlik license or subscription as the tenant on which the tenant admin role is assigned.

Analytics administrator

Users with this role are administrators with limited permissions to manage only some areas of Governance and Content. In the Management Console, they can access only the areas for which they have permissions. The table below lists all of the permissions that are granted with this role.

AnalyticsAdmin permissions
Resources	Permissions
Private apps	List, Delete Information noteIf the app is not published, the analytics administrator can also export the app, change the space of the app, and change the owner of the app.
Shared apps	List, Delete
Managed apps	List, Delete
Generic links	List, Create, Update, Delete
Data sets	List, Update, Delete
Data assets	List, Update, Delete
Private data files	Create, Read, Update
REST data files	List, Delete
Data connections	List, Delete
Shared spaces	Create, Read, Delete, Update
Managed spaces	Create, Read, Delete, Update
Extensions	Create, Read, Delete, Update
Automations	Enable, Disable, Delete, Change Owner
Management Console	Read
Themes	Create, Read, Delete, Update
Audit	Read
Sharing service task	Create, Read, Delete, Update

Audit administrator

Users who are assigned this role, in addition to the Developer role, can access app feedback and usage information captured as part of the Natural Language API. An audit administrator can view a variety of usage metrics for Insight Advisor and Insight Advisor Chat. This API enables evaluation of patterns in user interactions with apps, including feedback provided for analyses generated by Insight Advisor and Insight Advisor Chat. This information can be used to improve user experience through adjustments to the app, either within the data or in the app's business logic.

This API only returns app information from shared and managed spaces. An audit administrator does not have access to usage metrics data for personal spaces.

To view the usage metrics of an app, an audit administrator also requires one of the following permissions in the space in which the app is located:

Shared spaces:
- Owner
- Can manage
- Can edit
- Can view
Managed spaces:
- Is owner
- Can manage
- Can contribute
- Can view
- Has restricted view

The Natural Language API does not check section access controls in the app's load script. If an audit administrator has the Developer role and can open apps (as provided through the space permissions), they can view the app usage metrics.

For more information about how Insight Advisor user interaction data can be used to improve app usability, see Using feedback and usage metrics to improve app usability. For specifics about the Natural Language API, see Natural language.

For a tutorial on using the Natural Language API, see Collect and share Insight Advisor feedback.

AuditAdmin permissions
Resources	Permissions
Audit	Read
Management Console	Read
Filter action of the Natural Language API	Read
User	List, read

Data administrator

Users with this role are administrators with limited permissions for data spaces and data resources within those spaces. The table below lists all of the permissions that are granted with this role. In the Management Console, they can access only the areas for which they have permissions.

DataAdmin permissions
Resources	Permissions
Private data integration apps	List, Read, Delete, Change owner
Shared data integration apps	List, Create, Read, Update, Delete, Operate, Change owner
Private data sets	List, Read
Data integration data sets	List, Create, Read, Update, Delete
Private data assets	List, Read
Data integration data asset	List, Create, Read, Update, Delete
Private resource connection	List, Read
Data integration resource connection	List, Create, Read, Update, Delete
Private data store	List, Read
Data integration data store	List, Create, Read, Update, Delete
Data integration space	Create, Read, Update, Delete

Space creator roles

Users with one of the space creator roles have the permission to create a space of that type from the hub. The table below lists all of the permissions that are granted with this role.

Space creator permissions
Resources	Shared Space Creator	Managed Space Creator	Create Data Integration Spaces
Private spaces	Create
Managed spaces		Create
Data integration spaces			Create

By default, all users with a professional user allocation can create shared spaces. The tenant administrator can turn off this setting in the Management Console. Go to Settings > Entitlements, then toggle off the Professional entitlements can create shared spaces option. All users who obtain the SharedSpaceCreator role as a result of the Professional entitlements can create shared spaces option being turned on retain that role until an admin user manually removes the role.