
Securing data

Qlik Data Catalyst Security includes user authentication and authorization through groups and role-based permissions. Qlik Data Catalyst leverages enterprise security technologies such as Active Directory identity services and domain management to query and dynamically synchronize active groups and personnel. Qlik Data Catalyst authentication and authorization implementation is based on the following key concepts:


Qlik Data Catalyst Definition


An association of entities or fields accessible by user groups created by a group administrator. The administrator adds users to groups as required by role and access permissions. An entity can belong to multiple data groups. When a group is created, existing groups can be added to the new group as a sub-group. (Note that groups are automatically generated, named, and synced by capturing the Qlik Sense Connector Globally Unique ID, or GUID, which is 36 characters long; the hyphens are removed to comply with the Linux group name limit of 32 characters.)


A permission is an operation or function (e.g., view a source, create, edit, delete). Permissions are granted to users in the context of groups.


A role defines which features of the application will be accessible to a user. Hence a role is a collection of permissions. There are three pre-defined roles:

  • QVD Admin: Full access to all functions available
  • Data Steward: Full access to catalog and discover modules
  • Analyst (end user): Read-only access to discover and full access to catalog


All users have login credentials and a profile with a stream of recent activities performed by the user. A user can belong to one or more groups and has a specific role per group.

Qlik Data Catalyst and Qlik Sense relationships

The following table describes parallel objects in Qlik Data Catalyst and Qlik Sense environments. Note that Qlik Sense is the master application and Qlik Data Catalyst honors security as defined in Qlik Sense. For example, QVDs and associated objects are not deletable in Qlik Data Catalyst. The connectors have to be untagged in Qlik Sense and removed only upon syncing, at which time defined sources and QVD entities are removed from Qlik Data Catalyst.

Qlik Sense

Qlik Data Catalyst




Every Qlik Sense user must have a corresponding user in Qlik Data Catalyst with the same name. Syncing through shared Active Directory domains is strongly encouraged.

Users must have access to the same QVDs between the two applications. Qlik Sense is the master application where access to QVDs is defined as part of QVD authoring and administration; Qlik Data Catalyst honors privileges as defined by Qlik Sense. Single Sign On is in place and users should not need to log into either application more than once.

QVD file


One Qlik Sense QVD will be represented as one entity in Qlik Data Catalyst.

Qlik Sense Connection


Each Qlik Sense Connection will have a corresponding group in Qlik Data Catalyst. This mapping is done for security purposes and access control management.



One unique folder in Qlik Sense will be represented as one unique Source in Qlik Data Catalyst containing all entities that represent QVDs within that folder. User access to QVDs will be governed by user access privileges as defined in Qlik Sense (via folder access).

Security integration between Data Catalyst and Qlik Sense

User access to QVDs is governed by user access privileges as defined in Qlik Sense (via folder access). The logged-in user can access and sync QVDs for the Qlik Sense connections that the user has access to. When they are ingested, a Qlik Data Catalyst group is created, and the name of the group is the Qlik Sense Connector GUID.

The folders are mapped between the Qlik Data Catalyst and Qlik Sense applications and, when the user signs in, their access to security connections in Qlik Sense is transferred to security groups in Qlik Data Catalyst.
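Because each group is named after the connector GUID with its hyphens removed, group membership can be reconciled against the list of Qlik Sense connections from the host side. The following is an added example, not Qlik code: it assumes the groups are visible in `getent group` format and stored in lowercase, and every GUID, group line and function name in it is constructed for illustration.

```python
import re

GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
GROUP_RE = re.compile(r"[0-9a-f]{32}")  # shape of a GUID-derived group name

# Constructed sample data, not taken from a real deployment.
CONNECTOR_GUIDS = [
    "3f2b8c1e-9a4d-4e7b-b1c2-5d6e7f8091a2",
    "A1B2C3D4-E5F6-4789-ABCD-EF0123456789",
    "0c9d8e7f-6a5b-4c3d-9e2f-1a0b9c8d7e6f",
]
GETENT_GROUP = """\
3f2b8c1e9a4d4e7bb1c25d6e7f8091a2:x:2001:alice,bob
a1b2c3d4e5f64789abcdef0123456789:x:2002:
deadbeefdeadbeefdeadbeefdeadbeef:x:2003:carol
analysts:x:1500:alice
"""

def group_name_for(guid):
    """36-character GUID -> 32-character group name (hyphens removed)."""
    if not GUID_RE.fullmatch(guid):
        raise ValueError(f"not a 36-character GUID: {guid!r}")
    return guid.replace("-", "").lower()  # lowercase is an assumption

def parse_groups(text):
    """Parse name:password:gid:members lines into {name: [members]}."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 4:
            groups[fields[0]] = [m for m in fields[3].split(",") if m]
    return groups

def audit(guids, getent_text):
    """Reconcile connector GUIDs against the groups present on the host."""
    groups = parse_groups(getent_text)
    expected = {group_name_for(g): g for g in guids}
    return {
        # connections whose group does not exist on the host yet
        "missing": sorted(g for n, g in expected.items() if n not in groups),
        # GUID-shaped groups with no live connection: stale access to review
        "orphaned": sorted(n for n in groups
                           if GROUP_RE.fullmatch(n) and n not in expected),
        # membership per connection, to compare with Qlik Sense folder access
        "members": {g: groups[n] for n, g in expected.items() if n in groups},
    }

if __name__ == "__main__":
    for key, value in audit(CONNECTOR_GUIDS, GETENT_GROUP).items():
        print(key, value)
```

Groups that do not match the 32-hex-character shape, such as `analysts` in the sample, are ignored by the orphan check because they were not generated from a connector GUID.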

Security policy sync

Qlik Data Catalyst syncs security policies between the local file system and PostgreSQL policies with Qlik Data Catalyst sources, QVD entities, and groups.

Full Sync: Full Sync initiates/updates every entity in the environment.

To initiate Full Sync, select Start Sync.

Sync History Status codes





All entities are successfully synced


Sync has been initialized and is running


Sync was stopped at user's request via Request Stop command on Policy Sync Detail page.


Sync ran without synchronizing any objects

Done, with errors

Sync ran with at least one entity sync failure


Sync Logs capture policy sync history. To view error details for failed entity syncs, select the status hyperlink. Users can interrupt the policy sync by selecting Request Stop. Users are asked to confirm that they want to stop the sync; select Continue to stop syncing. Entities synced up until the sync was stopped will not roll back, and entities that have yet to sync will remain unsynced.

Log filters provide filter criteria options for Start Time, End Time, Sync Type (Automatic, Full, Targeted), and Status (Log Changes, Done with Errors, Stopped).