Skip to main content

Overlapping rules

As you develop rules, you will eventually have rules that overlap. By this we mean that conditions in two or more rules target the same user or users. If rules overlap, the rule that provides access will prevail.

Note: Qlik Sense evaluates each rule in turn. If one rule provides access of a certain type, Qlik Sense provides that access.

If we consider two rules that overlap the following types of overlap can typically occur:

  • Identical

    Both rules provide read access to the user. In this case read access will be provided.

  • Complementary

    One rule provides read and the other provides update. In this case, the user is provided with both read and update access.

You can view which user security rules apply to a resource using the audit page in the QMC.

Audit

You can also preview the effects of a rule.

Editing security rules

Example 1:  

In the example One property-value pair in conditions: we created a rule (Rule 1) that allows users belonging to Active Directory group Finance to read the Quarterly results stream. Assume that another rule (Rule 2) giving users belonging to the Active Directory (AD) group Management read access to the Quarterly results steam.

Finally, assume that the Sales director belongs to both Active Directory groups Sales and Management.

  Rule 1 Rule 2
Allow users to Read Read
On resource Quarterly reports stream Quarterly reports stream
Provided that group=Finance group=Management
Evaluates to FALSE TRUE
Resulting access for Sales director Provide read access

Example 2:  

The Finance office in the UK have published an app to the Quarterly reports stream called UK quarterly outlook. They want Finance users in the UK office to be the only users with read access to that app. For this purpose the UK administrator creates Rule 3 that explicitly states that only users belonging to AD group Finance and UK office have read access. Also assume that Rule 2 from Example 1 and the out-of-the-box Stream rule are also in place.

In this case Finance in the UK may have assumed that the Sales director would not be able to read the UK quarterly outlook app. However, this is not true since Rule 2 allows management to read the Quarterly reports stream and the Stream rule allows all users that have read access to a stream to read all apps on that stream.

  Rule 3 Rule 2 Stream rule
Allow users to Read Read Read
On resource UK quarterly report published on Quarterly reports stream Quarterly reports stream All apps and sheets in a stream
Provided that group=Finance AND office=UK group=Management User has read access to the stream
Evaluates to FALSE TRUE TRUE
Resulting access for Sales director Provide read access