Managing permissions in managed spaces
Permissions in spaces are controlled by roles assigned to members when they are added to a space. A role gives that member a set of permissions in the space and on resources in the space.
Members of a managed space can have multiple roles applied to them. This enables customized access to the space for each member. If groups are allowed in the tenant, groups of users can be added to a space with the same role. If a space member has different individual permission and group permission in a space, the highest permission level is applied.
Tenant and analytics admins, space owners, and members with the Can manage space role can add new members to the space and assign them permissions. Space permissions are managed in Space details > Members.
The space owner is assigned the Owner role. This space role cannot be removed from the space member without administrator action. It is not possible to remove space members with the Owner role from the space, unless you have access to the Administration activity center as an administrator.
Apps can be shared with non-space members. For more information, see Sharing apps with users who are not space members.
For details about the actions permitted by each available space role, see:
- Managed space permissions for users with Professional or Full User entitlement
- Managed space permissions for users with Analyzer entitlement
Available roles in managed spaces
The following space roles are available in managed spaces:
- Owner: Can manage the space and its members, as well as open apps in the space. This is not a role you can assign to other members of the space unless you are an administrator. This space role also cannot be removed from the space member without administrator action. It is not possible to remove a member with the Owner role from the space, unless you have access to the Administration activity center as an administrator.
- Can manage: Can manage the space and its members.
- Can publish: Can publish apps to the space. They cannot open apps in the space.
- Can contribute: Can view and open apps in the space. Contributors can create private content in the app and make that content public.
- Can view: Can view and open apps in the space.
- Has restricted view: Can view and open apps in the space.
- Can consume data: Can consume data sources, but cannot create or edit data sources. They cannot create content or manage the space. See Adding and managing your analytics data to learn about data sources inside a space.
- Can operate: Can reload apps and create scheduled reloads.
Changing permissions for members in managed spaces
Member roles can be changed to give them new permissions in the space.
Tenant and analytics admins, space owners, and members with the Can manage role can change members' permissions.
When you change a user's permissions for apps or scripts, the changes are not instantly reflected in apps and scripts that the user already has open. For the new permissions to take effect, the user must close all browser tabs belonging to the affected app or script, wait at least two minutes (the app session's Time To Live), and then re-open the app. This applies to app and script permissions in personal, shared, and managed spaces. Changes in permissions for newly opened apps are reflected instantly.
Do the following:
- In the space, click Space details and select Members.
- Click the arrow in the Role column for the member.
- Select the appropriate roles for the member.
Common use cases
The following sections outline some common approaches you might want to follow when assigning roles to space members.
I want users to be able to create analytics without accessing data sources
To achieve this result, assign the Can contribute role to users in the managed space. These users will be able to create new sheets and visualizations in an app, but they cannot manage the data sources in the space.
I want to allow a user to publish content to the space without having access to its data
A managed space typically contains data with higher security and governance requirements than the source space in which it is developed. You might have a team of app developers who are in charge of developing the app data model and base sheets, but are only given mock data to do this. The developers of the app might not necessarily be the same users as those who will be consuming and analyzing its production data.
You might want the app developers responsible for completing the app to be responsible for publishing it as well. To achieve this, assign the Can publish role to these users. The app developers can then publish the content to the managed space, but cannot access the data and content from the managed space.
Space permissions and data sources
A data source in one space can be used in another space. For example, a user can create an app in a shared space using a data connection from their personal space. Certain space actions, however, require space members other than the resource owner to have access to the data source. In the previous example, other space members would not be able to reload the app as it uses a data connection from a personal space. Depending on your use case, this access control may or may not be desirable.
Generally, the owner of a data source is not granted any exemptions to the permissions governed by space roles. The only exception to this is the action of editing a data connection. Only the data connection owner can edit a connection. Each time a connection is edited, the user must re-authenticate themselves on the connection.
If the owner of a data connection loses the required access to the space or leaves the tenant, entities that rely on the connection will no longer be able to fetch new data from that connection. If the connection owner leaves the tenant, contact a tenant administrator to reassign connection ownership and move it to a new space as needed. If the connection owner is simply no longer a space member, another space member can re-create the connection.
The creator of a data file is assigned as its owner. The owner of a data file can be changed by an administrator. Ownership of data files does not affect access controls unless the data file is in a user's personal space. For more information about expected behavior, see Data file ownership.
The owner of a data file can leave the space and tenant, and other space members will continue to be able to view and use the file.
Space permissions and user entitlement
If you have a Qlik Sense Enterprise SaaS or Qlik Sense Business subscription, what you can do is determined by both your assigned space roles and your user entitlement—Professional or Analyzer. The permitted actions are more limited for users with Analyzer entitlement. We recommend that the space owner and members with Can manage role in the space have Professional entitlement.
In subscriptions with Full User entitlements, only the space roles determine what you can do in the space. The Full User entitlement is not linked to your permissions. Note that Basic Users can only have the role Has restricted view. Granting additional permissions to Basic Users automatically promotes them to Full Users.
Assignment of roles by user entitlement
Users with Professional or Full User entitlement can be assigned roles to allow them permissions to do the following types of actions:
- Space management (Owner or Can manage)
- Creation of content and data sources (Owner or Can manage)
- Reloads (Owner, Can manage, Can operate)
- Publishing (Can publish)
- Consumption of content and/or data (Any role)
Users with Analyzer entitlement should only be assigned roles for consumption of content. These include Can contribute, Can view, Has restricted view, and Can consume data.
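The entitlement rules above can be checked mechanically when reviewing a space's member list. The following is an added example, not Qlik code and not a Qlik API schema: the member records, group names, and field names are constructed, and treating a member's effective roles as the union of direct and group-assigned roles is a modelling assumption.

```python
# Audit a space's members against the entitlement rules described above.
# All records and field names are constructed sample data, not a Qlik export format.

CONSUMPTION_ROLES = {"Can contribute", "Can view", "Has restricted view", "Can consume data"}
BASIC_ROLES = {"Has restricted view"}

# Constructed sample: roles granted through groups, and per-member direct roles.
GROUP_ROLES = {"bi-developers": {"Can publish"}, "finance-readers": {"Can view"}}
MEMBERS = [
    {"user": "alice", "entitlement": "Professional", "roles": {"Owner"}, "groups": []},
    {"user": "bob", "entitlement": "Analyzer", "roles": {"Can view"}, "groups": ["bi-developers"]},
    {"user": "carol", "entitlement": "Analyzer", "roles": {"Can manage"}, "groups": []},
    {"user": "dave", "entitlement": "Basic", "roles": {"Has restricted view"}, "groups": ["finance-readers"]},
    {"user": "erin", "entitlement": "Analyzer", "roles": {"Can contribute"}, "groups": ["finance-readers"]},
]


def effective_roles(member, group_roles):
    """Union of direct and group-derived roles (modelling assumption)."""
    roles = set(member["roles"])
    for group in member["groups"]:
        roles |= group_roles.get(group, set())
    return roles


def audit(members, group_roles):
    """Return sorted (user, finding) tuples for assignments that break the rules."""
    findings = []
    for m in members:
        roles = effective_roles(m, group_roles)
        if m["entitlement"] == "Analyzer":
            # Analyzer users should only hold content-consumption roles.
            extra = roles - CONSUMPTION_ROLES
            if extra:
                findings.append((m["user"], "Analyzer holds non-consumption roles: " + ", ".join(sorted(extra))))
        elif m["entitlement"] == "Basic":
            # Any role beyond Has restricted view promotes a Basic User to Full User.
            extra = roles - BASIC_ROLES
            if extra:
                findings.append((m["user"], "Basic User would be promoted to Full User by: " + ", ".join(sorted(extra))))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit(MEMBERS, GROUP_ROLES):
        print(f"{user}: {finding}")
```

Note that two of the three findings in the sample come from group membership rather than a direct assignment, which is why the audit evaluates effective roles instead of the Role column alone.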
Space permissions and global tenant roles
This section outlines how global tenant roles (assigned by an administrator) affect space permissions.
Administrator roles
If you are assigned an administrator role in the Qlik Cloud tenant, your space permissions will be different from user permissions in the same spaces. The following general rules apply:
- An administrator will generally be able to view the resources in a space, manage space membership, and delete certain resources. They can create shared and managed spaces, and do not need the Shared Space Creator and Managed Space Creator security roles to do so. Administrators can also add themselves to spaces if needed.
- For other actions (for example, creating and editing content), the administrator role does not override space permissions, and the administrator needs to have sufficient roles in the space.
For more information, see:
- Assigning security roles and custom roles (capacity-based subscriptions)
- Assigning security roles and custom roles (user-based subscriptions)
- Assigning security roles and custom roles (Qlik Anonymous Access subscriptions)
Security roles
Certain actions require additional security roles to be assigned to you by an administrator. You might need the security role only, or a combination of security roles and space roles.
For example, to have full access to working with business glossaries, you need the Steward role, in addition to the required space roles.
For more information, see:
- Assigning security roles and custom roles (capacity-based subscriptions)
- Assigning security roles and custom roles (user-based subscriptions)
- Assigning security roles and custom roles (Qlik Anonymous Access subscriptions)
Troubleshooting
For solutions to common issues you might encounter when working in spaces, see Troubleshooting - Working in spaces.