Skip to main content Skip to complementary content
Close announcements banner

Roles and permissions for users and administrators

Users’ permitted actions in Qlik Cloud are determined by their roles. A role is a set of permissions that can be assigned to individuals or groups of users. By assigning roles, you can better organize your users and what they can do in the tenant. The roles can be changed at any time.

Information noteThis topic is applicable to Qlik Sense Enterprise SaaS, Qlik Sense Business, and Qlik Cloud Government. If you have a subscription for the Standard, Premium, or Enterprise edition of Qlik Cloud Analytics or Qlik Cloud Data Integration, see Managing users - Capacity-based subscriptions.

Access control in Qlik Cloud is divided between tenant-wide roles and space roles. Understanding how they interact is essential for effectively managing user access. Tenant-wide roles authorize actions across the entire tenant, and space roles grant access to content in specific spaces. The roles on tenant level include built-in security roles and custom roles created by administrators. Additionally, all users have a set of universally applied default permissions.

Security roles

Security roles provide access to different capabilities in Qlik Cloud. Security roles are divided into administrator roles and user roles.

  • Administrator roles enable management of tenant-wide functions that affect governance, performance, and security.

  • User roles enable access to features in the tenant and actions on resources, such as creating spaces or accessing personal content.

For more information about the permissions granted with each role, see Permissions granted by security roles.

User default permissions

The User Default role grants basic permissions to all users in the tenant. The role can't be unassigned or deleted, but administrators can modify the permissions. The default permissions decide what users can do in Qlik Cloud before any other roles are assigned.

Tenant administrators need to decide what permissions everyone should have and assign additional permissions based on users' work requirements through roles. As a best practice, follow these steps to ensure secure access control for specific features:

  1. Create a custom role tailored to users who require access to the feature, assigning them appropriate permissions.

  2. Adjust the User Default role by removing default access to the feature, thereby preventing unintended users from accessing it.

This approach ensures users have the right permissions to do their job without granting unnecessary access, and reduces disruptions for users who need to use the feature.

Editing User Default permissions

Tenant administrators can edit the permission levels in the User Default role.

Do the following:

  1. In the Management Console, go to Users & Groups > Permissions.

  2. On the User Default role, click More, and select Edit.

  3. Add or remove permissions as needed.

    Tip noteYou can use the List all and Selected buttons to show all available permissions or only the selected ones.
  4. Save the changes.

    Information note Users must log out and log in again for the changes to be applied.

The permission configuration options are described in Permissions in User Default and custom roles.

Custom roles

Custom roles give administrators the flexibility to define roles tailored to specific needs, for example access to capabilities where special knowledge is required or where capacity is limited. These roles complement the built-in security roles, providing additional granularity in managing permissions on both tenant level and individual level.

Custom roles extend permissions beyond those granted by the User Default role. When assigning a custom role to users, permissions can only be added, not removed.

For more information on how to create custom roles, see Managing custom roles.

Space roles

Space roles determine what a user can do with the content in a specific space. Spaces are sections of Qlik Cloud used to collaboratively develop and control access to resources such as apps or automations. The roles are defined at the space level and apply only to content within that space.

For more information on space roles, see:

How user default permission interact with custom roles

Custom roles add permissions beyond those allowed by the User Default, but can't revoke permissions. It's important to note that attempting to restrict a permission that is allowed in the User Default role will have no effect. The permission will still be allowed to everyone.

The table shows the permission levels that can be granted by a custom role, depending on the corresponding value in the User Default settings. You can also choose to inherit the User Default permission, shown as "User default (permission setting)". This means that the setting in the custom role will match whatever the default is set to.

How custom role permissions align with user default settings
Configured User Default permission level Possible custom role permission level
Allowed Allowed
Not allowed Any available permission level
Other permission levels The same or a higher permission level

For details on the permission levels, see Permissions in User Default and custom roles.

As an example, consider a scenario where the User Default role automatically grants a specific permission to all users. When creating a custom role, this permission appears as "User default (Allowed)" and doesn’t need explicit configuration as it’s already allowed by the User Default.

The permission is automatically allowed for all users via the User Default.

Illustration of how user defaults and custom role permissions interact

If you wish to restrict the permission only to certain users—say, Lisa and Tom—using a custom role, you must set the permission in the custom role explicitly to "Allowed" and change it to "Not allowed" in the User Default settings.

When the permission is set to "Not allowed" in the User Default, only users assigned the custom role have access.

Illustration of how user defaults and custom role permissions interact

How security roles interact with user entitlement

Users who join the tenant are assigned a user entitlement, either Professional entitlement or Analyzer entitlement. User entitlements divide users into content consumers and content creators. The user entitlement also determines which areas of the tenant are visible to a user. For more information, see Assigning user entitlements.

  • Users with Professional entitlement are both content consumers and content creators, which means they have access to the Add New button. This lets them create new resources like apps and spaces.

  • Users with Analyzer entitlement are strictly content consumers, as a result, the Add New button is hidden from their view.

However, administrator roles and user roles provide additional permissions beyond user entitlement permissions. For example, a user with Analyzer entitlement who is assigned a space creator role will gain access to the Add New button to create a space.

Information noteWhen designing your permission structure, provide Professional entitlement to any user who will be assigned a specific security role.

By default, the Shared Space Creator, Private Analytics Content Creator, and Data Services Contributor roles are assigned to all users with Professional entitlement. Tenant administrators can choose to turn off this automatic role assignment.

Do the following:

  1. In the Management Console, go to Settings > Entitlements.
  2. Toggle off Professional entitlements can create shared spaces, Professional entitlements can create private analytics content, or Professional entitlements can access Data Integration.

All users who have been automatically assigned the Shared Space Creator role, Private Analytics Content Creator role, or Data Services Contributor role will retain that role until an administrator manually removes it.

How security roles interact with the Data Integration subscription

The Data Integration subscription gives you access to the Data Integration home and to security roles specifically designed for data admins and data spaces.

Auditing user roles

Tenant administrators can audit the roles assigned to each user. All users can also see their own roles.

To audit a user’s roles, do the following:

  1. In the Management Console, go to Users > All users.

  2. Hover over Information in the Roles column to see a tooltip with all roles assigned to the user.

To view a tooltip listing your assigned roles, do one of the following:

  • Click your user profile icon and hover over your role name below the tenant name.

  • On your profile settings page, hover over Information below the tenant name.

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – let us know how we can improve!