Permissions in spaces are controlled by space roles assigned to members when they are added to a space. A role gives the member a set of permissions in the space and on resources in the space.
Members of a shared space can have multiple roles applied to them. This enables customized access to the space for each member. If groups have been enabled by a tenant administrator, groups of users can be added to a space with the same role. If a space member has different individual permission and group permission in a space, the highest permission level is applied.
When you create a space, you are assigned the Owner space role. Owners can then add new members to the space. Users with the Owner and Can manage space roles can assign permissions. Space permissions are managed in Space details > Members.
You can check your permissions in a shared space by clicking Space details > Members. If you do not see Members, you have Can view, Can edit, Can edit data in apps, or Can consume data permission for the space.
Apps can be shared with non-space members. For more information, see Sharing apps with users who are not space members.
Available roles in shared spaces
The following space roles are available in shared spaces:
- Owner: You are the first administrator that can manage the space and its members as well as create content in the space. This role cannot be assigned to other members of the space unless you are an administrator. This space role also cannot be removed from the space member without administrator action. It is not possible to remove a member with the Owner role from the space, unless you have access to the Management Console as an administrator.
- Can manage: You can manage the space and its members as well as create content in the space.
- Can edit: You can add and edit content in apps. You cannot manage the space and its membership.
- Can edit data in apps: You can add and edit content in apps, as well as edit the load script and business logic of apps in the shared space. You cannot manage the space and its membership.
- Can view: You can view apps in the space, but cannot create content or manage the space.
- Can consume data: You can consume data sources, but cannot create or edit data sources. They cannot create content or manage the space. See Managing data sources in spaces to learn about data sources inside a space.
Changing permissions for members in shared spaces
Member permissions can be changed to give the user a new role in a space. A user with the Can view role might be changed to an app developer by changing their role to Can edit.
The space owner and members with the Can manage role can change members' permissions.
Do the following:
- In the space, click Space details and select Members.
- Click the arrow
in the Role column for the member. - Select the appropriate roles for the member.
When you make any changes to user's permissions for apps or scripts, these changes are not instantly reflected in actively opened apps and scripts. To ensure that the changes to the user's permissions are updated, the user must close all browser tabs belonging to the affected app or script and wait at least two minutes (app session's Time To Live), then re-open the app. This applies to app and script permissions in personal, shared, and managed spaces. Changes in permissions for newly opened apps are reflected instantly.
Space permissions and app ownership
Roles in a shared space give users permissions and access rules. Whether or not you are the owner of the app you are working with determines additional permissions.
The app owner is the user who has created the app. Only app owners and users with Can edit data in apps can edit data in Data model viewer, Data load editor, or Data manager. App owners and users with Can edit data in apps are also the only users who can edit the app business logic.
Space permissions override app ownership. If an app is moved to a space that the app owner does not have permission to access, then the app owner cannot access the app. If the app owner's role in a space is changed to Can view or Can consume data, they will lose the ability to add data to the app and reload the app. If an app owner does not have the Can edit data in apps, they can edit their own apps' load scripts but not the load scripts of other apps in the space. When moving an app between spaces, ensure the app owner has the Can edit, Can edit data in apps, Can manage, or Owner role in the destination space, if you want the app owner to still manage reloading the app and the data model.
If you move an app with a reload schedule between spaces, the reload schedule is deleted. Recreate the schedule in the new space if required.
Space permissions and user entitlement
If you have a Qlik Sense Enterprise SaaS or Qlik Sense Business subscription, what you can do is determined by both your assigned space roles and your user entitlement—Professional or Analyzer. The permitted actions are more limited for users with Analyzer entitlement. We recommend that the space owner and members with Can manage role in the space have Professional entitlement.
In subscriptions with Full User entitlements, only the space roles determine what you can do in the space. The Full User entitlement is not linked to your permissions.
Permissions for space members with Professional or Full User entitlement
The following tables outline what members with Professional or Full User entitlement can do in a space:
| Action | Owner | Can manage | Can edit data in apps |
Can edit | Can view | Can consume data |
|---|---|---|---|---|---|---|
| Rename the space | Yes | Yes | No | No | No | No |
| Create new apps in the space | Yes | Yes | No | Yes | No | No |
| Move apps to another space | Yes | Yes | No | Yes | No | No |
| Move apps to the space | Yes | Yes | No | Yes | No | No |
| Duplicate apps in the space | Yes | Yes | No | Yes | No | No |
| Export apps in the space | Yes | Yes | No | Yes | No | No |
|
Publish or republish apps from this space Information note
When publishing or republishing an app to a managed space, you also need the Owner or Can publish space role in the managed space to which the app is being published. |
Yes | Yes | Yes | Yes | No | No |
| Share apps in the space with non-space members | Yes | Yes | No | No | No | No |
| Remove app-only access to apps from non-space members | Yes | Yes | No | No | No | No |
| Add members to the space | Yes | Yes | No | No | No | No |
|
Change member permissions for the space Information noteSpace owners can be changed by tenant and analytics administrators in the Management Console.
|
Yes | Yes | No | No | No | No |
| Remove members from the space | Yes | Yes | No | No | No | No |
| Add and edit data sources in the space | Yes | Yes | Yes | Yes | No | No |
| Delete the space | Yes | Yes | No | No | No | No |
| Create, edit, and delete generic links | Yes | Yes | No | No | No | No |
| Add notes | Yes | Yes | Yes | Yes | Yes | No |
|
List all notes in the space Information noteTo view the contents of a note, the note must be shared with the user at the note level. Space members can access a note if the note has been shared with them.
|
Yes | Yes | No | No | No | No |
|
Delete notes in the space Information noteThe note owner can also delete the note.
|
Yes | Yes | No | No | No | No |
| Action | Owner | Can manage | Can edit data in apps | Can edit | Can view | Can consume data |
|---|---|---|---|---|---|---|
| Open an app | Yes | Yes | Yes | Yes | Yes | No |
| Delete an app | Yes | Yes | Yes | Yes | No | No |
|
Open Data model viewer |
Yes | Yes | Yes | Yes | No | No |
| Open and edit the data model in Data load editor or Data manager Information noteUsers must be the app owner if they do not have the Can edit data in apps permission. |
Yes | No | Yes | No | No | No |
| Add data files to a space in Data load editor and Data manager Information noteUsers must be the app owner if they do not have the Can edit data in apps permission. |
Yes | No | Yes | No | No | No |
| Edit app attributes (change name, description, and tags) | Yes | Yes | Yes | Yes | No | No |
| Edit app properties (select theme, enable right-to-left reading order, set a bookmark as app default, and sheet title styling) | Yes | Yes | Yes | Yes | No | No |
|
Reload the app and create scheduled reloads |
Yes | Yes | Yes | Yes | No | No |
|
Create, edit, and delete master items and variables |
Yes | Yes | Yes | Yes | No | No |
|
Create, edit, and delete media library content |
Yes | Yes | No | Yes | No | No |
| Add private sheets to the app | Yes | Yes | No | Yes | No | No |
| Add private bookmarks and stories to the app | Yes | Yes | No | Yes | Yes | No |
| Make private sheets, bookmarks, and stories public in the app | Yes | Yes | No | Yes | No | No |
| Make public sheets, bookmarks, and stories private in the app | Yes | Yes | No | Yes | No | No |
| Take snapshots in the app | Yes | Yes | No | Yes | Yes | No |
| Make snapshots public | Yes | Yes | No | Yes | No | No |
| View on-demand app navigation links | Yes | Yes | No | Yes | Yes | No |
| Create or update app navigation on-demand links | Yes | Yes | No | Yes | No | No |
| Open on-demand selection apps | Yes | Yes | No | Yes | Yes | No |
| Generate on-demand apps | Yes | Yes | No | Yes | Yes | No |
| Create dynamic views | Yes | Yes | No | Yes | No | No |
| Add dynamic charts to sheets | Yes | Yes | No | Yes | No | No |
| Monitor a visualization in the cloud hub | Yes | Yes | No | Yes | Yes | No |
|
Customize the app business logic Information noteUsers must be the app owner if they do not have the Can edit data in apps permission.
|
Yes | Yes | Yes | Yes | No | No |
| Search for app fields in Insight Advisor Chat | Yes | Yes | No | Yes | No | No |
| Search for app master items in Insight Advisor Chat | Yes | Yes | No | Yes | Yes | No |
| Add notes | Yes | Yes | Yes | Yes | Yes | No |
|
List all notes in the space Information noteTo view the contents of a note, the note must be shared with the user at the note level. Space members can access a note if the note has been shared with them.
|
Yes | Yes | No | No | No | No |
|
Delete notes in the space Information noteThe note owner can also delete the note.
|
Yes | Yes | No | No | No | No |
| Action | Owner | Can manage | Can edit data in apps | Can edit | Can view | Can consume data |
|---|---|---|---|---|---|---|
| Open a script | Yes | Yes | Yes | Yes | Yes | No |
| Delete a script | Yes | Yes | Yes | Yes | No | No |
| Open and edit the load script in Editor Information noteUsers must be the script owner if they do not have the Can edit data in apps permission. |
Yes | No | Yes | No | No | No |
| Add data files to a space in Editor Information noteUsers must be the app owner if they do not have the Can edit data in apps permission. |
Yes | No | Yes | No | No | No |
| Edit script attributes (change name, description, and tags) | Yes | Yes | Yes | Yes | No | No |
|
Reload the script and create scheduled reloads |
Yes | Yes | Yes | Yes | No | No |
| Action | Owner | Can manage | Can edit data in apps | Can edit | Can view | Can consume data |
|---|---|---|---|---|---|---|
| List and use data source in the space | Yes | Yes | Yes | Yes | No | Yes |
| Create data source in the space | Yes | Yes | Yes | Yes | No | No |
| Duplicate data files in the space | Yes | Yes | Yes | Yes | No | No |
| Move data files between spaces | Yes | Yes | Yes | Yes | No | No |
| Delete data source from the space | Yes | Yes | Yes | Yes | No | No |
|
Edit data connection in the space Information noteThe user must be the connection owner.
|
Yes | Yes | Yes | Yes | No | No |
| Profile data source | Yes | Yes | Yes | Yes | No | No |
| Edit and apply properties to data source in the space | Yes | Yes | Yes | Yes | No | No |
| Create app from data source | Yes | Yes | Yes | Yes | No | No |
| Open data connection or file for app reload | Yes | Yes | Yes | Yes | No | Yes |
| Binary load from apps inside space | Yes | Yes | Yes | Yes | No | Yes |
Permissions for space members with Analyzer entitlement
The following tables outline what members with Analyzer entitlement can do in a space:
| Action | Owner | Can manage | Can edit data in apps | Can edit | Can view | Can consume data |
|---|---|---|---|---|---|---|
| Export apps in the space | Yes | Yes | Yes | Yes | No | No |
|
Publish or republish apps from this space Information note
When publishing or republishing an app to a managed space, you also need the Owner or Can publish space role in the managed space to which the app is being published. |
Yes | Yes | Yes | Yes | No | No |
| Share apps in the space with non-space members | Yes | Yes | No | No | No | No |
| Remove app-only access to apps from non-space members | Yes | Yes | No | No | No | No |
| Move apps to another space | Yes | Yes | Yes | Yes | No | No |
| Move apps to the space | Yes | Yes | Yes | Yes | No | No |
| Create, edit, and delete generic links | Yes | Yes | No | No | No | No |
| Add notes | Yes | Yes | Yes | Yes | Yes | No |
|
List all notes in the space Information noteTo view the contents of a note, the note must be shared with the user at the note level. Space members can access a note if the note has been shared with them.
|
Yes | Yes | No | No | No | No |
|
Delete notes in the space Information noteThe note owner can also delete the note.
|
Yes | Yes | No | No | No | No |
| Action | Owner | Can manage | Can edit data in apps | Can edit | Can view | Can consume data |
|---|---|---|---|---|---|---|
| Open an app | Yes | Yes | Yes | Yes | Yes | No |
| Delete an app | Yes | Yes | Yes | Yes | No | No |
|
Edit app attributes (change name, description, and tags) |
Yes | Yes | Yes | Yes | No | No |
|
Edit app properties (select theme, enable right-to-left reading order, set a bookmark as app default, and sheet title styling) |
Yes | Yes | Yes | Yes | No | No |
| Add private bookmarks and stories to the app | Yes | Yes | Yes | Yes | Yes | No |
| Take snapshots in the app | Yes | Yes | Yes | Yes | Yes | No |
| View on-demand app navigation links | Yes | Yes | Yes | Yes | Yes | No |
| Open on-demand selection apps | Yes | Yes | Yes | Yes | Yes | No |
| Generate on-demand apps | Yes | Yes | Yes | Yes | Yes | No |
| Create dynamic views | Yes | Yes | Yes | Yes | No | No |
| Add dynamic charts to sheets | Yes | Yes | Yes | Yes | No | No |
| Monitor a visualization in the cloud hub | Yes | Yes | Yes | Yes | Yes | No |
| Search for app fields in Insight Advisor Chat | Yes | Yes | Yes | Yes | No | No |
| Search for app master items in Insight Advisor Chat | Yes | Yes | Yes | Yes | Yes | No |
| Add notes | Yes | Yes | Yes | Yes | Yes | No |
|
List all notes in the space Information noteTo view the contents of a note, the note must be shared with the user at the note level. Space members can access a note if the note has been shared with them.
|
Yes | Yes | No | No | No | No |
|
Delete notes in the space Information noteThe note owner can also delete the note.
|
Yes | Yes | No | No | No | No |
| Action | Owner | Can manage | Can edit data in apps | Can edit | Can view | Can consume data |
|---|---|---|---|---|---|---|
| List and use data source in the space | Yes | Yes | Yes | Yes | No | Yes |
| Create data source in the space | No | No | No | No | No | No |
| Delete data source from the space | Yes | Yes | Yes | Yes | No | No |
| Edit data source in the space | No | No | No | No | No | No |
| Profile data source | Yes | Yes | Yes | Yes | No | No |
| Edit and apply properties to data source in the space | Yes | Yes | Yes | Yes | No | No |
| Create app from data source | Yes | Yes | Yes | Yes | No | No |
| Open data connection or file for app reload | Yes | Yes | Yes | Yes | No | Yes |
| Binary load from apps inside space | Yes | Yes | Yes | Yes | No | Yes |
Permissions for all user entitlements with business glossaries
The Steward user role, assigned in the Management Console, is used to create, update, and delete a glossary as well as edit and delete the term in verified state and change the state to verified. Users who have the Can view role in a space or have the glossary shared with them can view terms in the glossary. Users who have the Can contribute or Can manage permissions in the space can edit unverified terms.
| Action | Owner | Can manage | Can edit data in apps | Can edit | Can view | +Steward role |
|---|---|---|---|---|---|---|
| Create a glossary | Yes | Yes | Yes | Yes | No | Required |
| Edit glossary settings and page | Yes | Yes | Yes | Yes | No | Required |
| Delete a glossary | Yes | Yes | Yes | Yes | No | Required |
| Add a term in glossary | Yes | Yes | Yes | Yes | No | Not required |
| Edit term not in Verified state | Yes | Yes | Yes | Yes | No | Not required |
| Edit term in Verified state | Yes | Yes | Yes | Yes | No | Required |
| Delete term not in Verified state | Yes | Yes | Yes | Yes | No | Not required |
| Delete term in Verified state | Yes | Yes | Yes | Yes | No | Required |
| Change state of a term to/from Verified | Yes | Yes | Yes | Yes | No | Required |
| Change state of a term between states other than Verified | Yes | Yes | Yes | Yes | No | Not required |
| Create, edit, delete categories | Yes | Yes | Yes | Yes | No | Not required |
| Viewing glossary and terms | Yes | Yes | Yes | Yes | Yes | Not required |
| Link glossary terms to master items in apps | Yes | Yes | Yes | Yes | Yes | Not required |
Permissions for tenant and analytics administrators
Tenant and analytics administrators, without specific permissions, have limitations to what they can and cannot do in a shared space. The following tables outline what tenant and analytics administrators can and cannot do without shared space permissions.
| Action |
Tenant and analytics admin supported |
|---|---|
| Create the space | Yes |
| See the space exists in the Management Console | Yes |
| See the space exists in the hub | Yes |
| Publish or republish apps and scripts from this space | No |
| See all apps in the space | Yes |
| Delete the space | Yes |
| Add members to the space | Yes |
| Share apps in the space with non-space members | No |
| Change name and roles for the space | Yes |
| Change member permissions for the space | Yes |
| Remove members from the space | Yes |
| Change space owner in the Management Console | Yes |
|
See data files |
Yes |
| Delete data files | Yes |
| Update data file (overwrite with same name) | No |
| Move data files | No |
| Use data file in app | Yes |
| See data connections | Yes |
| Create, edit, and delete generic links | Yes |
| Add and manage apps and other content from this space in public collections | Yes |
| Action |
Tenant and analytics admin supported |
|---|---|
| Open an app | Yes |
|
Delete an app |
Yes |
|
Change app owner in the Management Console |
Yes |
| Export an app from the Management Console | No |
|
Open Data model viewer |
No |
| Edit app attributes (change name, description, and tags) | No |
| Edit app properties (select theme, enable right-to-left reading order, set a bookmark as app default, and sheet title styling) | No |
|
View master items and variables |
No |
| View media library content | No |
| Add private sheets to the app | No |
| Add private bookmarks and stories to the app | No |
| Make private sheets, bookmarks, and stories public in the app | No |
| Make public sheets, bookmarks, and stories private in the app | No |
| Take snapshots in the app | No |
| Monitor a visualization in the cloud hub | No |
| Action |
Tenant and analytics admin supported |
|---|---|
| Open a script | Yes |
|
Delete a script |
Yes |
|
Change script owner in the Management Console |
Yes |
| Export a script from the Management Console | No |
|
Open and edit the load script in Editor |
No |
| Edit script attributes (change name, description, and tags) | No |