Skip to main content Skip to complementary content

Managing permissions in managed spaces

Permissions in spaces are controlled by roles assigned to members when they are added to a space. A role gives that member a set of permissions in the space and on resources in the space.

Information noteManaged spaces are not available in Qlik Sense Business or Qlik Cloud Analytics Standard.

Members of a managed space can have multiple roles applied to them. This enables customized access to the space for each member. If groups are allowed in the tenant, groups of users can be added to a space with the same role. If a space member has different individual permission and group permission in a space, the highest permission level is applied.

Tenant and analytics admins, space owners, and members with the Can manage space role can add new members to the space and assign them permissions. Space permissions are managed in Space details > Members.

The space owner is assigned the Owner role. This space role cannot be removed from the space member without administrator action. It is not possible to remove space members with the Owner role from the space, unless you have access to the Management Console as an administrator.

Apps can be shared with non-space members. For more information, see Sharing apps with users who are not space members.

Information noteChanging a user's entitlement and roles can produce results that do not follow the expected behavior defined on this page.

Available roles in managed spaces

The following space roles are available in managed spaces:

  • Owner: Can manage the space and its members, as well as open apps in the space. This is not a role you can assign to other members of the space unless you are an administrator. This space role also cannot be removed from the space member without administrator action. It is not possible to remove a member with the Owner role from the space, unless you have access to the Management Console as an administrator.
  • Can manage: Can manage the space and its members.
  • Can publish: Can publish apps to the space. They cannot open apps in the space.
  • Can contribute: Can view and open apps in the space. Contributors can create private content in the app and make that content public.
  • Can view: Can view and open apps in the space.
  • Has restricted view: Can view and open apps in the space. They can export sheets or charts as images and PDFs, but they cannot export data.
  • Can consume data: Can consume data sources, but cannot create or edit data sources. They cannot create content or manage the space. See Managing data sources in spaces to learn about data sources inside a space.

Changing permissions for members in managed spaces

Member roles can be changed to give them new permissions in the space.

Tenant and analytics admins, space owners, and members with the Can manage role can change members' permissions.

Do the following:

  1. In the space, click Space details and select Members.
  2. Click the arrow Arrow down in the Role column for the member.
  3. Select the appropriate roles for the member.

When you make any changes to user's permissions for apps or scripts, these changes are not instantly reflected in actively opened apps and scripts. To ensure that the changes to the user's permissions are updated, the user must close all browser tabs belonging to the affected app or script and wait at least two minutes (app session's Time To Live), then re-open the app. This applies to app and script permissions in personal, shared, and managed spaces. Changes in permissions for newly opened apps are reflected instantly.

Space permissions and user entitlement

If you have a Qlik Sense Enterprise SaaS or Qlik Sense Business subscription, what you can do is determined by both your assigned space roles and your user entitlement—Professional or Analyzer. The permitted actions are more limited for users with Analyzer entitlement. We recommend that the space owner and members with Can manage role in the space have Professional entitlement.

In subscriptions with Full User entitlements, only the space roles determine what you can do in the space. The Full User entitlement is not linked to your permissions. Note that Basic Users can only have the role Has restricted view. Granting additional permissions to Basic Users automatically promotes them to Full Users.

Permissions for space members with Professional or Full User entitlement

The following tables outline what members with Professional or Full User entitlement can do in a space:

Space actions by space role in a managed space

Action

Owner

Can manage Can publish Can contribute Can view Has restricted view Can consume data
See the space exists Yes Yes Yes Yes Yes Yes Yes

Publish or republish apps and scripts to this space

Information note

If the app being published is in a shared space, you also need the Can edit space role or higher in that shared space in order to publish the app.

Yes No Yes No No No No
See apps and scripts they published to this space Yes Yes No Yes Yes Yes No
See all apps and scripts in the space Yes Yes No Yes Yes Yes No
Export apps in the space (Export without data option only) Yes Yes No No No No No
Share apps in the space with non-space members Yes Yes No No No No No
Remove app-only access to apps from non-space members Yes Yes No No No No No
Delete the space Yes Yes No No No No No
Add members to the space Yes Yes No No No No No

Change member permissions for the space

Information noteSpace owners can be changed by tenant and analytics administrators in the Management Console.
Yes Yes No No No No No
Remove members from the space Yes Yes No No No No No
Add and edit data sources in the space Yes Yes No No No No No
Create, edit, and delete generic links Yes Yes No No No No No

Add notes

Yes Yes

No

Yes Yes Yes No

List all notes in the space

Information noteTo view the contents of a note, the note must be shared with the user at the note level. Space members can access a note if the note has been shared with them individually.
Yes Yes No No No No No

Delete notes in the space

Information noteThe note owner can also delete the note.
Yes Yes No No No No No

App actions by space role in a managed space

Action Owner

Can manage

Can publish Can contribute Can view Has restricted view Can consume data
Open an app Yes Yes No Yes Yes Yes No

Delete an app

Yes

Yes

No No No No No

Open Data model viewer

Yes Yes No No No No No
Edit app attributes (change name, description, and tags) Yes Yes No No No No No
Edit app properties (select theme, enable right-to-left reading order, set a bookmark as app default, and sheet title styling) Yes Yes No No No No No
Reload the app and create scheduled reloads Yes Yes No No No No No

View master items

Yes Yes No Yes Yes Yes No

View variables

Yes Yes No No No No No
View media library content Yes Yes No Yes No No No
Add private sheets to the app Yes Yes No Yes No No No
Add private bookmarks to the app Yes Yes No Yes Yes Yes No
Add private stories to the app Yes Yes No Yes Yes No No

Publish and unpublish your own private sheets, bookmarks, and stories to and from Community

Yes Yes No Yes No No No

Make all Community sheets, bookmarks, and stories private in the app (unpublish them)

Yes Yes No No No No No
Copy a link to a Public or Community bookmark Yes Yes No Yes No No No
Take snapshots in the app Yes Yes No Yes Yes No No
Monitor a visualization in the Qlik Cloud Analytics hub Yes Yes No Yes Yes No No
Search for app fields in Insight Advisor Chat Yes Yes No No No No No
Search for app master items in Insight Advisor Chat Yes Yes No Yes Yes Yes No
Add notes Yes Yes

No

Yes Yes Yes No

List all notes in the space

Information noteTo view the contents of a note, the note must be shared with the user at the note level. Space members can access a note if the note has been shared with them individually.
Yes Yes No No No No No

Delete notes in the space

Information noteThe note owner can also delete the note.
Yes Yes No No No No No

Create, edit, rerun, view, and delete key driver analyses

Yes Yes No Yes Yes No No

Script actions by space role in a managed space

Action Owner

Can manage

Can publish Can contribute Can view Has restricted view Can consume data
Open a script Yes Yes No Yes Yes Yes No

Delete a script

Yes

Yes

No No No No No
View load script in Editor Yes Yes No No No No No
View script history in Editor Yes Yes No No No No No
Preview and download earlier versions in History Yes Yes No No No No No
Edit script attributes (change name, description, and tags) Yes Yes No No No No No
Reload the script and create scheduled reloads Yes Yes No No No No No

Data sources actions by space role in a managed space

Action Owner

Can manage

Can publish Can contribute Can view Has restricted view Can consume data
List and use data source in the space Yes Yes No No No No Yes
Create data source in the space Yes Yes No No No No No
Duplicate data files in the space Yes Yes No No No No No
Move data files between spaces Yes Yes No No No No No
Delete data source from the space Yes Yes No No No No No

Edit data connections in the space

Information note

User credentials are cleared each time a connection is edited.

Yes Yes No No No No No
Profile data source Yes Yes No No No No No
Edit and apply properties to data source in the space Yes Yes No No No No No
Create app from data source No No No No No No No
Open data connection or file for app reload Yes Yes No No No No Yes
Binary load from apps inside space Yes No No No No No Yes

Permissions on AutoML assets for users with Professional or Full User entitlement

The Automl Experiment Contributor and Automl Deployment Contributor security roles are used to control which users in the Qlik Cloud tenant can work with AutoML. Each role grants a different set of permissions on AutoML resources. The roles are assigned in the Management Console.

Users with Analyzer entitlement cannot view or work with AutoML assets.

ML experiments cannot be created in a managed space.

Permissions related to using prediction data (for example, opening or profiling the dataset, or using it in an app) are generally the same as data sources actions.

For more information about the AutoML security roles, see:

AutoML actions by space role in a managed space – Professional or Full User entitlement
Action Owner

Can manage

Can publish Can contribute Can view Has restricted view Can consume data Additional requirements
List ML deployments in the space Yes Yes No Yes No No No Automl Experiment Contributor or Automl Deployment Contributor required
Open ML deployment Yes Yes No Yes No No No Automl Experiment Contributor or Automl Deployment Contributor required
Create ML deployment Yes Yes No No No No No Automl Experiment Contributor or Automl Deployment Contributor required

Duplicate ML deployment

Information note

You cannot duplicate an ML deployment in a managed space.

No No No No No No No -
Delete ML deployment Yes Yes No No No No No Automl Deployment Contributor required

Edit ML deployment

Information note

Editing an ML deployment also encompasses the following actions:

  • Creating, editing, and deleting prediction configurations

  • Creating, editing, and deleting prediction schedules

  • Changing the owner of a prediction configuration (Make me the owner)

Yes Yes No No No No No Automl Deployment Contributor required
Run prediction configuration Yes Yes No No No No No Automl Deployment Contributor required
Move ML deployment to the space Yes Yes No No No No No Automl Deployment Contributor required
Move ML deployment to another space Yes Yes No No No No No Automl Deployment Contributor required

Permissions for members with Analyzer entitlement

The following tables outline what members with Analyzer entitlement can do in a managed space:

Space actions by space role in a managed space

Action Can manage Can publish Can contribute Can view Has restricted view Can consume data
See the space exists Yes Yes Yes Yes Yes No

Publish or republish apps and scripts to this space

Information note

If the app being published is in a shared space, you also need the Can edit space role or higher in that shared space in order to publish the app.

No No No No No No
See apps and scripts they published to this space Yes No Yes Yes Yes No
See all apps and scripts in the space Yes No Yes Yes Yes No
Export apps in the space (Export without data option only) Yes No No No No No
Share apps in the space with non-space members Yes No No No No No
Remove app-only access to apps from non-space members Yes No No No No No
Create, edit, and delete generic links Yes No No No No No
Add notes Yes

No

Yes Yes Yes No

List all notes in the space

Information noteTo view the contents of a note, the note must be shared with the user at the note level. Space members can access a note if the note has been shared with them individually.
Yes No No No No No

Delete notes in the space

Information noteThe note owner can also delete the note.
Yes No No No No No

App actions by space role in a managed space

Action Can manage Can publish Can contribute Can view Has restricted view Can consume data
Open an app Yes No Yes Yes Yes No

Delete an app

Yes No No No No No
Add private sheets to the app No No No No No No
Add private bookmarks to the app Yes No Yes Yes Yes Yes
Add private stories to the app Yes No Yes Yes No No

Publish and unpublish your own private bookmarks and stories to and from Community

Yes No Yes No No No

Make all Community bookmarks and stories private in the app (unpublish them)

No No No No No No
Take snapshots in the app Yes No Yes Yes No No
Monitor a visualization in the Qlik Cloud Analytics hub Yes No Yes Yes No No
Search for app fields in Insight Advisor Chat Yes Yes No No No No
Search for app master items in Insight Advisor Chat Yes Yes No Yes Yes Yes
Add notes Yes No Yes Yes Yes No

List all notes in the space

Information noteTo view the contents of a note, the note must be shared with the user at the note level. Space members can access a note if the note has been shared with them individually.
Yes No No No No No

Delete notes in the space

Information noteThe note owner can also delete the note.
Yes No No No No No

Create, edit, rerun, view, and delete key driver analyses

Yes No Yes Yes No No

Script actions by space role in a managed space

Action Can manage Can publish Can contribute Can view Has restricted view Can consume data
Open a script Yes No Yes Yes Yes No

Delete a script

Yes No No No No No

Data sources actions by space role in a managed space

Action

Can manage

Can publish Can contribute Can view Has restricted view Can consume data
List data source in the space Yes No No No No Yes
Create data source in the space No No No No No No
Duplicate data files in the space No No No No No No
Move data files between spaces No No No No No No
Delete data source from the space Yes No No No No No

Edit data connections in the space

Information noteThe user must be the connection owner.
Yes No No No No No
Profile data source Yes No No No No No
Edit and apply properties to data source in the space Yes No No No No No
Create app from data source No No No No No No
Open data connection or file for app reload Yes No No No No Yes
Binary load from apps inside space No No No No No Yes

Permissions for all user entitlements with business glossaries

The Steward user role, assigned in the Management Console, is used to create, update, and delete a glossary as well as edit and delete the term in verified state and change the state to verified. Users who have the Can view role in a space or have the glossary shared with them can view terms in the glossary. Users who have the Can contribute or Can manage permissions in the space can edit unverified terms.

Business glossary actions by space role and user role in a managed space

Action Owner Can manage Can contribute Can view Has restricted view Can consume data +Steward role
Create a glossary Yes Yes Yes No No No Required
Edit glossary settings and page Yes Yes Yes No No No Required
Delete a glossary Yes Yes Yes No No No Required
Add a term in glossary Yes Yes Yes No No No Not required
Edit term not in Verified state Yes Yes Yes No No No Not required
Edit term in Verified state Yes Yes Yes No No No Required
Delete term not in Verified state Yes Yes Yes No No No Not required
Delete term in Verified state Yes Yes Yes No No No Required
Change state of a term to/from Verified Yes Yes Yes No No No Required
Change state of a term between states other than Verified Yes Yes Yes No No No Not required
Create, edit, delete categories Yes Yes Yes No No No Not required
Viewing glossary and terms Yes Yes Yes Yes Yes No Not required

Permissions for tenant and analytics administrators

Tenant and analytics administrators, without specific permissions, have limitations to what they can and cannot do in a managed space. The following tables outline what tenant and analytics administrators can and cannot do without managed space permissions.

Tenant and analytics administrator space actions in a managed space
Action

Tenant and analytics admin supported

See the space exists in the Management Console Yes
See the space exists in the Qlik Cloud Analytics hub Yes
Publish/republish apps and scripts to this space No
See all apps and scripts in the space Yes
Delete the space Yes
Add members to the space Yes
Share apps in the space with non-space members No
Change member permissions for the space (Can manage, Can publish, Can contribute, Can view, Has restricted view) Yes
Remove members from the space Yes
Change space owner in the Management Console Yes

See data files

Yes
Delete data files Yes
Update data file (overwrite with same name) No
Move data files No
Create, edit, and delete generic links Yes
Add and manage apps and other content from this space in public collections Yes
Tenant and analytics administrator app actions in a managed space
Action

Tenant and analytics admin supported

Open an app No

Delete an app

Yes

Change app owner in the Management Console

Yes
Export an app No
Export an app from the Management Console No

Open Data model viewer

No
Edit app attributes (change name, description, and tags) No
Edit app properties (select theme, enable right-to-left reading order, set a bookmark as app default, and sheet title styling) No

View master items and variables

No
View media library content No
Add private sheets to the app No
Add private bookmarks and stories to the app No
Make private sheets, bookmarks, and stories public in the app No
Make public sheets, bookmarks, and stories private in the app No
Take snapshots in the app No
Monitor a visualization in the Qlik Cloud Analytics hub No
Create, edit, rerun, view, and delete key driver analyses No
Tenant and analytics administrator script actions in a managed space
Action

Tenant and analytics admin supported

Open a script No

Delete a script

Yes

Change script owner in the Management Console

Yes
Export a script from the Management Console No
Edit script attributes (change name, description, and tags) No
Tenant and analytics administrator AutoML actions in a managed space
Action

Tenant and analytics admin supported

List ML deployments in the space Yes
Open ML deployment Yes
Create ML deployment No
Duplicate ML deployment No
Delete ML deployment Yes

Edit ML deployment

Information note

Editing an ML deployment also encompasses the following actions:

  • Creating, editing, and deleting prediction configurations

  • Creating, editing, and deleting prediction schedules

  • Changing the owner of a prediction configuration (Make me the owner)

No
Run prediction configuration No
Move ML deployment to the space No
Move ML deployment to another space No

Learn more

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – let us know how we can improve!