Managing permissions in shared spaces
Permissions in spaces are controlled by space roles assigned to members when they are added to a space. A role gives the member a set of permissions in the space and on resources in the space.
Members of a shared space can have multiple roles applied to them. This enables customized access to the space for each member. If groups are allowed in the tenant, groups of users can be added to a space with the same role. If a space member has different individual permission and group permission in a space, the highest permission level is applied.
When you create a space, you are assigned the Owner space role. Owners can then add new members to the space. Users with the Owner and Can manage space roles can assign permissions. Space permissions are managed in Space details > Members.
You can check your permissions in a shared space by clicking Space details > Members. If you do not see Members, you have Can view, Can edit, Can edit data in apps, or Can consume data permission for the space.
Apps can be shared with non-space members. For more information, see Sharing apps with users who are not space members.
For details about the actions permitted by each available space role, see:
- Shared space permissions for users with Professional or Full User entitlement
- Shared space permissions for users with Analyzer entitlement
Available roles in shared spaces
The following space roles are available in shared spaces:
- Owner: You are the first administrator that can manage the space and its members as well as create content in the space. This role cannot be assigned to other members of the space unless you are an administrator. This space role also cannot be removed from the space member without administrator action. It is not possible to remove a member with the Owner role from the space, unless you have access to the Administration activity center as an administrator.
- Can manage: You can manage the space and its members as well as create content in the space.
- Can edit: You can add and edit content in apps. You cannot manage the space and its membership.
- Can edit data in apps: You can add and edit content in apps, as well as edit the load script and business logic of apps in the shared space. You cannot manage the space and its membership.
- Can view: You can view apps in the space, but cannot create content or manage the space.
- Can consume data: You can consume data sources, but cannot create or edit data sources. You cannot create content or manage the space. See Adding and managing your analytics data to learn about data sources inside a space.
Changing permissions for members in shared spaces
Member permissions can be changed to give the user a new role in a space. A user with the Can view role might be changed to an app developer by changing their role to Can edit.
The space owner and members with the Can manage role can change members' permissions.
When you change a user's permissions for apps or scripts, the changes are not instantly reflected in apps and scripts that the user has open. To ensure that the changed permissions take effect, the user must close all browser tabs belonging to the affected app or script, wait at least two minutes (the app session's Time To Live), and then re-open the app. This applies to app and script permissions in personal, shared, and managed spaces. Changes in permissions for newly opened apps are reflected instantly.
Do the following:
- In the space, click Space details and select Members.
- Click the arrow in the Role column for the member.
- Select the appropriate roles for the member.
Common use cases
The following sections outline some common approaches you might want to follow when assigning roles to space members.
I want to allow certain space members to develop analytics for consumption by others
To achieve this result, assign Can edit (or higher) permissions to content developers, and Can view permissions to content consumers.
With this configuration, content consumers are limited to what they can see and create in the space. They can create bookmarks, stories, notes, and other assets, but they will not be able to create their own apps and sheets.
I want to allow space members to edit the data of other users' apps and scripts
To achieve this result, assign the Can edit data in apps role to specific users in the space. Users with this role are granted access to editing the data loaded by apps and scripts. They also have the ability to manage business logic and distribution lists in an app.
This role allows collaborative development of data models. It can also be used to allow other users to make changes to the source data of an app or script, in the event of its owner leaving the space or tenant, without the need for intervention by a tenant admin.
The owners of apps and scripts also have these permissions.
I want to allow space data to be used without giving users full access to the space
You might want data sources within the space to be accessible by certain users, without access to other space assets such as apps. Another requirement might be that you want to limit certain users' ability to manage data sources in a space, while still being able to use the existing data sources.
For either of these purposes, you can assign the Can consume data permission to specific data consumers.
For example, you could have a space dedicated to storing data sources. You could create a separate space for the development of apps using these data sources. You can assign Can consume data to users in the data source space, and then provide these users with app developer (Can edit) permissions in the development space. With this setup, the users are free to use the data sources to build analytics content, while allowing centralized data management.
Space permissions and app ownership
Roles in a shared space give users permissions and access rules. Whether or not you are the owner of the app you are working with determines additional permissions.
The app owner is the user who has created the app. Only app owners and users with Can edit data in apps can edit data in Data model viewer, Data load editor, or Data manager. App owners and users with Can edit data in apps are also the only users who can edit the app business logic.
Space permissions override app ownership. If an app is moved to a space that the app owner does not have permission to access, then the app owner cannot access the app. If the app owner's role in a space is changed to Can view or Can consume data, they will lose the ability to add data to the app and reload the app. If an app owner does not have the Can edit data in apps role, they can edit their own apps' load scripts but not the load scripts of other apps in the space. When moving an app between spaces, ensure the app owner has the Can edit, Can edit data in apps, Can manage, or Owner role in the destination space, if you want the app owner to still manage reloading the app and the data model.
If you move an app with a reload schedule between spaces, the reload schedule is deleted. Recreate the schedule in the new space if required.
Space permissions and data sources
A data source in one space can be used in another space. For example, a user can create an app in a shared space using a data connection from their personal space. Certain space actions, however, require space members other than the resource owner to have access to the data source. In the previous example, other space members would not be able to reload the app as it uses a data connection from a personal space. Depending on your use case, this access control may or may not be desirable.
Generally, the owner of a data source is not granted any exemptions to the permissions governed by space roles. The only exception to this is the action of editing a data connection. Only the data connection owner can edit a connection. Each time a connection is edited, the user must re-authenticate themselves on the connection.
If the owner of a data connection loses the required access to the space or leaves the tenant, entities that rely on the connection will no longer be able to fetch new data from that connection. If the connection owner leaves the tenant, contact a tenant administrator to reassign connection ownership and move it to a new space as needed. If the connection owner is simply no longer a space member, another space member can re-create the connection.
The creator of a data file is assigned as its owner. The owner of a data file can be changed by an administrator. Ownership of data files does not affect access controls unless the data file is in a user's personal space. For more information about expected behavior, see Data file ownership.
The owner of a data file can leave the space and tenant, and other space members will continue to be able to view and use the file.
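The app-ownership and data-connection rules above can be checked before an app is moved or a member is removed. The following Python audit is an added example, not Qlik code: the inventory layout, the user and space names, and the union model of direct and group roles are assumptions, and all sample data is constructed.

```python
# Added example: audits constructed inventory data against the rules on this page.
# The dict layout is hypothetical; it is not a Qlik export format or API response.

# Roles the page lists as letting an app owner keep managing reloads and the data model.
OWNER_KEEPS_CONTROL = {"Can edit", "Can edit data in apps", "Can manage", "Owner"}

def effective_roles(space, user, user_groups):
    """Direct roles plus roles granted through groups.
    Assumption: modelled as a union, a simplification of 'highest permission applies'."""
    roles = set(space["members"].get(user, ()))
    for group in user_groups.get(user, ()):
        roles |= set(space["groups"].get(group, ()))
    return roles

def check_app_move(app, dest, user_groups):
    """Findings for moving `app` into space `dest`."""
    findings = []
    roles = effective_roles(dest, app["owner"], user_groups)
    if not roles:
        findings.append("owner has no role in destination: owner loses access to the app")
    elif not roles & OWNER_KEEPS_CONTROL:
        findings.append("owner role too low: owner can no longer add data or reload")
    if app.get("reload_schedule"):
        findings.append("reload schedule is deleted on move: recreate it in the new space")
    return findings

def check_connections(space, connections, user_groups):
    """Connections in `space` whose owner holds no role there.
    Assumption: 'required access' is modelled as holding any role in the space."""
    return sorted(
        c["name"] for c in connections
        if c["space"] == space["name"]
        and not effective_roles(space, c["owner"], user_groups)
    )

# Constructed sample data.
USER_GROUPS = {"dana": ["analysts"], "eli": []}
DEV = {"name": "dev", "members": {"eli": ["Can manage"]},
       "groups": {"analysts": ["Can view"]}}
SOURCES = {"name": "sources", "members": {"eli": ["Owner"]}, "groups": {}}
APP = {"name": "sales", "owner": "dana", "reload_schedule": "daily"}
CONNECTIONS = [
    {"name": "warehouse", "space": "sources", "owner": "dana"},
    {"name": "crm", "space": "sources", "owner": "eli"},
]

if __name__ == "__main__":
    for finding in check_app_move(APP, DEV, USER_GROUPS):
        print("sales -> dev:", finding)
    print("connections at risk:", check_connections(SOURCES, CONNECTIONS, USER_GROUPS))
```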
Space permissions and user entitlement
If you have a Qlik Sense Enterprise SaaS or Qlik Sense Business subscription, what you can do is determined by both your assigned space roles and your user entitlement: Professional or Analyzer. The permitted actions are more limited for users with Analyzer entitlement. We recommend that the space owner and members with the Can manage role in the space have Professional entitlement.
In subscriptions with Full User entitlements, only the space roles determine what you can do in the space. The Full User entitlement is not linked to your permissions.
Space permissions and global tenant roles
This section outlines how global tenant roles (assigned by an administrator) affect space permissions.
Administrator roles
If you are assigned an administrator role in the Qlik Cloud tenant, your space permissions will be different from user permissions in the same spaces. The following general rules apply:
- An administrator will generally be able to view the resources in a space, manage space membership, and delete certain resources. They can create shared and managed spaces, and do not need the Shared Space Creator and Managed Space Creator security roles to do so. Administrators can also add themselves to spaces if needed.
- For other actions (for example, creating and editing content), the administrator role does not override space permissions, and the administrator needs to have sufficient roles in the space.
For more information, see:
- Assigning security roles and custom roles (capacity-based subscriptions)
- Assigning security roles and custom roles (user-based subscriptions)
- Assigning security roles and custom roles (Qlik Anonymous Access subscriptions)
Security roles
Certain actions require additional security roles to be assigned to you by an administrator. You might need the security role only, or a combination of security roles and space roles.
For example, to have full access to working with business glossaries, you need the Steward role, in addition to the required space roles.
For more information, see:
- Assigning security roles and custom roles (capacity-based subscriptions)
- Assigning security roles and custom roles (user-based subscriptions)
- Assigning security roles and custom roles (Qlik Anonymous Access subscriptions)
Troubleshooting
For solutions to common issues you might encounter when working in spaces, see Troubleshooting - Working in spaces.