Tenant administrators assign permissions and entitlements to allow users to perform actions in Qlik Predict. Users and administrators can assign space roles to further control access to ML resources in shared and managed spaces.
Access control overview
The ability to perform actions in Qlik Predict is controlled by:
User entitlement (applies only to user-based subscriptions)
Assignment of built-in security roles
Assignment of permissions via the User Default and custom roles
Space roles
User entitlement
If you have a user-based subscription, users need Professional user entitlement for full Qlik Predict access. Users with Analyzer entitlement have limited permissions for running predictions.
The Automl Experiment Contributor and Automl Deployment Contributor roles are built-in security roles that provide user access to Qlik Predict functionality—specifically, working with experiments and deployments. These roles are assigned by tenant administrators on a per-user basis.
Built-in security roles provide similar permissions as the permissions available via the User Default and custom security roles. Conflicting permissions are handled as follows:
If a user does not have the required built-in security role, but has the equivalent permission via the User Default or a custom security role, they are granted the access to the functionality.
If a user has the required built-in security role, but does not the equivalent permission via the User Default or a custom security role, they are granted the access to the functionality.
In addition, the Tenant Admin and Analytics Admin roles provide administrator access to certain Qlik Predict actions. For a comparison of administrator privileges by role and permission, see Types of administrators for Qlik Predict.
For more information about built-in security roles, see:
Permissions in the User Default and custom security roles
User access to Qlik Predict can be controlled by permissions assigned via the User Default and custom security roles. Tenant administrators assign permissions by setting baseline permissions for all users, and then elevating the permissions for certain users as needed.
These permissions provide similar access as built-in security roles. Conflicting permissions are handled as follows:
If a user does not have the required permission, but has the equivalent built-in security role, they are granted the access to the functionality.
If a user has the required permission, but does not have the equivalent built-in security role, they are granted the access to the functionality.
Space roles
In addition to tenant-level permissions and built-in security roles, user access to working with ML resources in shared and managed spaces is further controlled by their space roles in these spaces. The administrator-assigned permissions are prerequisites for working with ML resources in spaces.
The Approve or reject your ML models permission has the following options:
Allowed: From any ML deployment they can access, users can activate and deactivate predictions for the source model.
Not allowed: From any ML deployment they can access, users cannot activate or deactivate predictions for the source model.
The Manage ML deployments permission has the following options:
Allowed: Users can view, manage, and delete, and run predictions with ML deployments. With sufficient permissions for the ML experiment, they can also deploy models to ML deployments. Additionally, users can view ML experiments.
Users with Allowed can manage ML deployments by adding and removing models, and activating and deactivating models for predictions.
Not allowed: Users cannot view, manage, delete, or run predictions with ML deployments. They also cannot deploy models to ML deployments.
Users with Not allowed cannot manage ML deployments by adding and removing deployed models to them, nor can they activate and deactivate these models for predictions.
Run ML API and connector predictions
The Run ML API and connector predictions permission has the following options:
Allowed: Users can run predictions from ML deployments using the real-time predictions endpoint in the Machine Learning API or the Qlik Predict analytics connector.
The Allowed permission does not provide any access to ML deployments beyond running predictions.
Not allowed: Users cannot run predictions from ML deployments using the real-time predictions endpoint in the Machine Learning API or the Qlik Predict analytics connector.
The Manage ML experiments permission has the following options:
Allowed: Users can view, create, manage, and delete ML experiments, including in-product access to GenAI for bias detection feature recommendations. They can also deploy models from experiments into ML deployments.
Manage ML experiments without GenAI: Users can view, create, manage, and delete ML experiments. They can also deploy models from experiments into ML deployments. They are blocked from using GenAI functionality in experiments—that is, using GenAI to recommend features for bias detection.
Not allowed: Users cannot view, create, manage, or delete ML experiments.
Admin permissions
The Approve or reject ML models admin permission has the following options:
Allowed: In the Administration activity center, users can activate and deactivate predictions for any deployed model in the tenant. From any ML deployment they can access, users can also activate and deactivate predictions for the source model.
Not allowed: In the Administration activity center, users cannot activate or deactivate predictions for any deployed model in the tenant. However, users can activate and deactivate predictions for the source model from any ML deployment they have access to.
The Manage ML experiments and deployments admin permission has the following options:
Allowed: Users can view, manage, and delete, and run predictions with ML deployments. With sufficient permissions for the ML experiment, they can also deploy models to ML deployments. Additionally, users can view ML experiments.
Not allowed: Users cannot list or delete experiments or deployments, or activate and deactivate deployed models. They cannot access the Qlik Predict section of the Administration activity center.
User access to ML experiments
Working with ML experiments generally involves two types of actions:
To list and open ML experiments, a user needs the following. Users meeting these requirements can also generate training reports and open lineage and impact analysis for the experiment.
Professional user entitlement (applies only to user-based subscriptions)
One of the following:
Automl Experiment Contributor built-in security role
Automl Deployment Contributor built-in security role
Manage ML experiments permission set to Allowed or Manage ML experiments without GenAI via User Default or custom security role
Manage ML deployments permission set to Allowed via User Default or custom security role
Manage ML experiments and deployments admin permission set to Allowed via custom security role
For experiments in shared spaces, one of the following space roles in the space where the ML experiment is located:
Owner (of the space)
Can manage
Can edit
Experiment creation, use, and management involves the following actions:
Creating ML experiments
Deleting ML experiments
Editing ML experiments
Moving ML experiments between spaces
To perform these actions, a user needs the following:
Professional user entitlement (applies only to user-based subscriptions)
One of the following:
Automl Experiment Contributor built-in security role
Manage ML experiments permission set to Allowed or Manage ML experiments without GenAI via User Default or custom security role
For experiments in shared spaces, one of the following space roles in the space where the ML experiment is located:
Owner (of the space)
Can manage
Can edit
In the case of moving between spaces, the user needs one of the above roles in both the current space and the destination space.
Generative AI is integrated into bias detection in ML experiments. To work with this functionality, a user needs:
Professional user entitlement (applies only to user-based subscriptions)
One of the following:
Automl Experiment Contributor built-in security role
Manage ML experiments permission set to Allowed via User Default or custom security role
For experiments in shared spaces, one of the following space roles in the space where the ML experiment is located:
Owner (of the space)
Can manage
Can edit
User access to ML deployments and predictions
Working with ML deployments and predictions involves the following action types:
To list and open ML deployments, a user needs the following. Users meeting these requirements can also generate training reports and open lineage and impact analysis from the ML deployment. For generating training reports, the user needs view access to the experiment in which the model was trained.
Professional user entitlement (applies only to user-based subscriptions)
One of the following:
Automl Experiment Contributor built-in security role
Automl Deployment Contributor built-in security role
Manage ML experiments permission set to Allowed or Manage ML experiments without GenAI via User Default or custom security role
Manage ML deployments permission set to Allowed via User Default or custom security role
Manage ML experiments and deployments admin permission set to Allowed via custom security role
For ML deployments in shared spaces, one of the following space roles in the space where the ML experiment is located:
Owner (of the space)
Can manage
Can edit
For ML deployments in managed spaces, one of the following space roles in the space where the ML experiment is located:
Owner (of the space)
Can manage
Model deployment and creation of ML deployments involves the following actions:
Deploying models into new ML deployments
Deploying models into existing ML deployments
Removing models from ML deployments
To deploy models to an ML deployment (new or existing), a user needs the following:
Professional user entitlement (applies only to user-based subscriptions)
One of the following:
Automl Experiment Contributor built-in security role
Automl Deployment Contributor built-in security role
Manage ML experiments permission set to Allowed or Manage ML experiments without GenAI via User Default or custom security role
Manage ML deployments permission set to Allowed via User Default or custom security role
Required space role in the space of the ML deployment
For deployments in shared spaces, one of the following:
Owner (of the space)
Can manage
Can edit
For deployments in managed spaces, one of the following:
Owner (of the space)
Can manage
Required space role in the space of the ML experiment:
For experiments in shared spaces, one of the following:
Owner (of the space)
Can manage
Can edit
To remove models from an ML deployment, a user needs the following:
Professional user entitlement (applies only to user-based subscriptions)
Automl Deployment Contributor security role
One of the following:
Automl Deployment Contributor built-in security role
Manage ML deployments permission set to Allowed via User Default or custom security role
Required space role in the space of the ML deployment
For deployments in shared spaces, one of the following:
Owner (of the space)
Can manage
Can edit
For deployments in managed spaces, one of the following:
Owner (of the space)
Can manage
Managing ML deployments involves the following actions:
Editing ML deployment details
Creating, editing, deleting, and changing owner of batch prediction configurations
Creating, editing, and deleting prediction schedules
Creating, renaming, and deleting model aliases in an ML deployment
Moving ML deployments between spaces
To perform these actions, a user needs the following:
Professional user entitlement (applies only to user-based subscriptions)
One of the following:
Automl Deployment Contributor built-in security role
Manage ML deployments permission set to Allowed via User Default or custom security role
Required space role in the space of the ML deployment (or, in the case of moving between spaces, in the current and destination space)
For deployments in shared spaces, one of the following:
Owner (of the space)
Can manage
Can edit
For deployments in managed spaces, one of the following:
Owner (of the space)
Can manage
To delete ML deployments, a user needs the following:
Professional user entitlement (applies only to user-based subscriptions)
One of the following:
Automl Deployment Contributor built-in security role
Manage ML deployments permission set to Allowed via User Default or custom security role
Manage ML experiments and deployments admin permission set to Allowed via custom security role
Required space role in the space of the ML deployment (or, in the case of moving between spaces, in the current and destination space)
For deployments in shared spaces, one of the following:
Owner (of the space)
Can manage
Can edit
For deployments in managed spaces, one of the following:
Owner (of the space)
Can manage
To run batch predictions, a user needs the following:
Professional user entitlement (applies only to user-based subscriptions)
One of the following:
Automl Deployment Contributor built-in security role
Manage ML deployments permission set to Allowed via User Default or custom security role
Required space role in the space of the ML deployment
For deployments in shared spaces, one of the following:
Owner (of the space)
Can manage
Can edit
For deployments in managed spaces, one of the following:
Owner (of the space)
Can manage
Permissions to store datasets in the desired space. To store datasets in your personal space, you need the Private Analytics Content Creator built-in security role.
To run real-time predictions via the real-time API endpoint, a user needs the following:
One of the following:
Automl Deployment Contributor built-in security role
Manage ML deployments permission set to Allowed via User Default or custom security role
Run ML API and connector predictions permission set to Allowed via User Default or custom security role
Required space role in the space of the ML deployment
For deployments in shared spaces, one of the following:
Owner (of the space) (including Analyzer user)
Can manage
Can edit
Can consume data (including Analyzer user)
For deployments in managed spaces, one of the following:
Owner (of the space) (including Analyzer user)
Can manage
Can consume data (including Analyzer user)
To run predictions with the Qlik Predict analytics connector, a user with existing access to working with data connections needs the following:
One of the following:
Automl Deployment Contributor built-in security role
Manage ML deployments permission set to Allowed via User Default or custom security role
Run ML API and connector predictions permission set to Allowed via User Default or custom security role
For using the connector in an application or script in your personal space, you need the Private Analytics Content Creator built-in security role.
Required space role in the space of both the ML deployment and the Qlik Predict connection
In shared spaces, one of the following:
Owner (of the space) (including Analyzer user)
Can manage
Can edit
Can consume data (including Analyzer user)
In managed spaces, one of the following:
Owner (of the space) (including Analyzer user)
Can manage
Can consume data (including Analyzer user)
To activate and deactivate a model within an ML deployment, a user needs the following:
Professional user entitlement (applies only to user-based subscriptions).
One of the following sets of permissions:
Option 1 — all of the following:
Automl Deployment Contributor built-in security role
Approve or reject your ML models user permission set to Allowed via User Default or custom security role
Option 2 — one of the following:
Manage ML deployments user permission set to Allowed via User Default or custom security role
Manage ML experiment and deployments admin permission set to Allowed via custom security role
Approve or reject ML models admin permission set to Allowed via custom security role
Required space role in the space of the ML deployment
For deployments in shared spaces, one of the following:
Owner (of the space)
Can manage
Can edit
For deployments in managed spaces, one of the following:
Administering from Analytics or Insights activity centers
In the Analytics and Insightsactivity centers, administrators can perform various actions related to ML experiments and deployments. Possible actions for administrators can be:
A reference pointing to a model within an ML deployment. Predictions from ML deployments are directed to an alias rather than a specific model. This allows flexible and dynamic prediction workflows where models can easily be replaced without requiring configuration or API call updates. An ML deployment can contain up to 10 aliases, including the default alias.
Data connections are used to load data from external data sources into Qlik Cloud for the purpose of creating analytics, in the form of applications and scripts. Data connections can load data from databases and remotely stored files.
Activity centers are the central point of access for applications, spaces, and other content. There are four activity centers in Qlik Cloud: Insights, Analytics, Qlik Talend Data Integration, and Administration. Activity centers were formerly known as hubs.
