Qlik Cloud Analytics architecture and governance
Building on the security and governance features of the Qlik Cloud platform, Qlik Sense Enterprise SaaS provides a number of features to enhance security and governance around the needs of an analytic environment.
Security for spaces and applications
Securing spaces
Security in spaces is controlled by roles assigned to members directly or via groups when they are added to a space. A role assigned to a member of a space gives that member a set of permissions inside that space and on resources inside the space.
The space owner has full access to the space. Creating a space automatically assigns that user as the owner. Owners can be changed through the spaces section of the management console.
The roles available differ between personal, shared, and managed spaces.
In a personal space, users are able to create their own connections, applications and other assets. This is managed through the Private Analytics Content Creator role. By default, all users with a professional user allocation are assigned the Private Analytics Content Creator role. Tenant administrators can turn off this automatic role assignment if their organization wishes to restrict users from creating personal content.
Shared spaces contain the following roles:
Can manage – Provides full access and is similar to the owner, with the exception of making changes through the Data load editor or Data manager
Can edit – Can create and modify applications, including moving them to or from another space
Can view – Can access applications in the space as well as add private bookmarks and stories. Can also monitor visualizations from applications in the hub
Can consume data – Allows users creating an application in their personal space, or in a shared space they have edit rights for, to consume data files and connections created in this space
Can edit data in apps – Allows a user who is not the app owner to work on the app's load script
Managed spaces contain the following roles:
Can manage – Provides full access and is similar to the owner, with the exception of being unable to publish/republish apps to this space
Can publish – Publish/republish apps to this space
Can contribute – Allows consumption and creation of private sheets in applications in this space
Can view – Allows consumption of applications in the space, including monitoring visualizations in the hub, the export of data, and the creation of private stories and snapshots
Has restricted view – Can view and open apps in the space. They can export sheets or charts as images and PDFs, but they cannot export data.
Can consume data – Allows users creating an application in their personal space, or in another shared space they have edit rights for, to consume data files and connections created in this space.
For more information about spaces, see Working with Spaces in the help.
Fine-grain access control
Admins and users now have more options and flexibility for fine-grain security, permissions, and sharing content within their spaces and individual apps. These enhancements allow customers to better scale and organize security permissions across large deployments while making it easy to invite others and share insights.
Space owners, facilitators, and admins can now directly share individual apps with any group or users without adding those users into the space. Shared users and their specific access controls can easily be managed from the Member section of the managed space.
Section access
Section Access is used to control the security of an application. It uses the data model to define authorization at the data level and allows restricted access to data at row and column levels. For more information, see Section Access in the help.
Governing the Qlik Sense Enterprise SaaS tenant
Application governance
Qlik provides several applications to assist customers in governing their Qlik Sense Enterprise SaaS tenant.
The App Analyzer provides governance information about a customer’s Qlik Sense Enterprise SaaS tenant. This app looks at key performance characteristics of apps such as memory usage, cardinality, and the data model.
The Entitlement Analyzer is available to assist in governing user activities. The app provides insights in areas such as an entitlement usage overview across the tenant, analyzer capacity usage, how users are using the tenant(s), and whether they have the right entitlement assigned to them.
The Reload Analyzer provides insights on:
Number of reloads by type (Scheduled, Hub, In App, API) and by user
Data connections and used files of each app’s most recent reload
Reload concurrency and peak reload RAM
Reload tasks and their respective statuses
At Qlik we are actively looking to provide improved governance options for our users, and share these through our support blog at Qlik Community.
Govern and enhance Qlik Sense applications with the App Evaluation service
The App Evaluation service helps users manage their Qlik Sense Enterprise SaaS instance from a performance perspective. The service captures key metrics on Qlik Sense Enterprise SaaS applications, including increases in application size and length of time to open applications. Further, the service provides feedback on possible reasons for changes, allowing customers to address these issues.
Script versioning and auditability
The Qlik Cloud Analytics platform automatically versions the load scripts for apps. This shows the user who made the change and when the change was made. Optionally, we can also provide a version name to signify a specific event such as a release. In the event of a problem, we can roll back to an earlier version. We can also download specific versions of the load script to allow the use of external utilities to analyze changes over time. Currently this feature excludes scripts generated by the Data manager.
Extending Qlik Sense SaaS security to mobile
While Qlik Sense Enterprise SaaS has always been accessible from any device via a web browser, Qlik has released a dedicated mobile app for iOS and Android to enhance the experience for mobile users. This application supports both live and offline access to Qlik Sense Enterprise SaaS applications, as well as Data Alerting.
Security is the key consideration in our mobile architecture. Authentication is through the tenant’s identity provider mechanism, and users stay authenticated for the duration specified by the identity provider. If enabled, a token is stored for offline access, which resets when the user re-authenticates online.
Data protection is a critical aspect of our mobile security. All application and cache data stored on mobile devices is encrypted. As with a regular browser connection, traffic between Qlik Sense Enterprise SaaS and the mobile application is encrypted over SSL and secure WebSocket connections.
In the event of a lost mobile device, administrators can revoke access for that user. Should someone gain access to that device, they would not be able to use the application to see the applications and/or data.
When used in offline mode, Qlik Sense runs natively on the device using the same associative analytics engine running in Qlik Sense Enterprise SaaS, optimized for mobile hardware. Therefore, offline mode provides a full analytics experience, not simply a set of saved dashboards and reports.
Customers can choose to disable offline access at the tenant level if they wish to prevent this. In this case, no application or cache data is persisted to local storage.
Business glossary
To provide users with a better understanding of the data available within their organization, Qlik Cloud Analytics provides a business glossary. The business glossary provides a single, easily-accessible repository of business terms and descriptions. This ensures that everyone in the organization has the same understanding of key business terms. Users who subscribe to a business glossary will be notified of additions and changes to the glossary.
People in your organization who maintain the business glossary are known as data stewards. Data stewards need to be assigned the global Steward role. Any user with "Can view" permission can read the business glossary. Users with "Can manage" or "Can edit" permission can add or edit draft terms in the glossary. If the glossary owner approves the terms, they can set them as verified. Terms can also be set as Deprecated. It is also possible to import and export business glossaries, allowing you to integrate with your DevOps tools and move them through your systems development lifecycle.
Terms from business glossaries can be linked to master items and used within apps. This provides users with a greater understanding and context of the information presented in a Qlik application.