Access control
This section describes the different types of access control:
- Resource access control: Is the user allowed to access the app? Which functions in the app is the user allowed to use (for example, printing, exporting, and snapshots)?
- Administrator access control: Which access rights are needed for the different roles and responsibilities of the administrators?
Resource access control
The resource access control system in Qlik Sense is based on properties. This means that access is determined by rules that refer to properties connected to resources and users in Qlik Sense.
All authorization to resources is enforced by the Qlik Sense Repository Service (QRS). The QRS only gives other Qlik Sense services access to resources that the current user is allowed to access.
The resource access control system determines the access based on the following parameters:
- User name and user properties: The user name and user properties are supplied by the Qlik Sense Proxy Service (QPS) that authenticated the user.
- Action: The method that the user is trying to perform on a resource (for example, create, read, or print).
- Resource: The entity that the user is trying to perform an action on (for example, app, sheet, or object).
- Environment: The environment is supplied by the QPS and describes, for example, time, location, protection, and the type of Qlik Sense client used.
Resource access control rules
The system administrator can set up rules for resource access control. Each rule is divided into three parts:
- Resource filter: The resources that the rule applies to.
- Condition: A logical condition that, if evaluated as true, grants access.
- Action: The action that the user is allowed to perform, if the condition is true.
Properties connected to resources or users may be used in the rules. Examples of properties include the name of the user or resource, the type of resource, Active Directory groups for users, and custom-defined properties.
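The following added example is a minimal Python model of the three-part rule structure described above (resource filter, condition, action). It is not Qlik Sense code and does not use Qlik Sense rule syntax. The `<Type>_<id>` resource naming, the property names (`groups`, `department`, `stream`, `owner`, `secure`) and the sample rules are assumptions made for illustration, as is the treatment of a missing property as "condition not true".

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable

@dataclass(frozen=True)
class Rule:
    name: str
    resource_filter: str  # glob over "<Type>_<id>" (constructed naming)
    condition: Callable[[dict, dict, dict], bool]  # (user, resource, environment)
    actions: frozenset    # actions granted when the condition is true

def granted_actions(rules, user, resource, env):
    """Union of actions from every rule whose filter matches and whose condition is true."""
    key = f"{resource['type']}_{resource['id']}"
    granted = set()
    for rule in rules:
        if not fnmatchcase(key, rule.resource_filter):
            continue  # rule does not apply to this resource
        try:
            ok = rule.condition(user, resource, env) is True
        except (KeyError, TypeError):
            ok = False  # a missing property means the rule grants nothing
        if ok:
            granted |= rule.actions
    return granted

def is_allowed(rules, user, action, resource, env):
    # Rules only grant; if no rule grants the action, access is denied.
    return action in granted_actions(rules, user, resource, env)

# Constructed sample rules, users and resources
RULES = [
    Rule("finance-read", "App_*",
         lambda u, r, e: r["stream"] == "Finance" and "Finance" in u["groups"],
         frozenset({"read"})),
    Rule("finance-export-secure", "App_*",
         lambda u, r, e: (r["stream"] == "Finance"
                          and u["department"] == "Finance" and e["secure"]),
         frozenset({"export", "print"})),
    Rule("owner-update", "Sheet_*",
         lambda u, r, e: r["owner"] == u["name"],
         frozenset({"read", "update"})),
]

ALICE = {"name": "alice", "groups": ["Finance"], "department": "Finance"}
BOB = {"name": "bob", "groups": ["Sales"]}  # no "department" property set
APP = {"type": "App", "id": "a1", "stream": "Finance"}
SHEET = {"type": "Sheet", "id": "s1", "owner": "bob"}
```

When auditing a rule set, evaluate each user against a resource with the properties removed one at a time: a rule that still grants access when a property is absent is broader than its condition suggests.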
Resource access control streams
To make the management of the Qlik Sense authorization system efficient, apps can be grouped into streams. From an authorization perspective, a stream is a grouping of apps to which a group of users has read (often referred to as “subscription”) or publish access.
By default, Qlik Sense includes the following streams:
- Everyone: All users have read and publish rights to this stream.
- Monitoring apps: Contains a number of apps for monitoring Qlik Sense.
Streams are created and managed in the Qlik Management Console (QMC).
Administrator access control
In addition to setting up the access control for the users, it is important to configure the access control for the administrators so that they get access rights in the Qlik Management Console (QMC) that correspond to their roles and responsibilities.
Common administrator roles include the following:
- RootAdmin
- AuditAdmin
- ContentAdmin
- DeploymentAdmin
- HubAdmin (access to hub only)
- SecurityAdmin
For a presentation of the access rights for the respective administrator roles, see: Default administration roles.