Skip to main content

Security rules example: Creating custom admin roles

Qlik Sense comes with five default admin roles. If you want to create a custom admin role, you need some security rules. In this example, you will create a custom admin role for the management of streams, apps, app objects, and reload tasks.

The following security rules are needed:

  • A rule that provides access to the required resources.

  • A QMC section access rule, providing the admin with access to the required sections in the QMC.

By creating a generic admin role, rather than creating security rules for a certain user, you make the rules reusable. The custom admin role can be assigned to several users, without changing any of the security rules.

Resource rule

By creating a resource rule, you can provide one or more users with the same admin access rights.

  1. Select Security rules and click Create new Create new.

  2. In the Name field, type CustomAdmin.

  3. Set the resource filter to filter on streams, apps, app objects (such as sheets and stories), and tasks.

    In the Basic section, fill in the Resource filter field as follows:

    Stream_*, App_*, App.Object_*, ReloadTask_*

  4. Set the actions that the rule should provide for the specified resources.

    In the Basic section, select the Actions as follows:

    Create, Read, Update, Delete, Export, Publish, Export data

  5. Set the conditions to specify the user role.

    In the Advanced section, fill in the Conditions field as follows:

    user.roles = "CustomAdmin"

  6. Click Apply.

  7. Assign the role to the user who will be the custom administrator.

    Go to QMC start page > Users.

  8. Select the user and click Edit.

  9. Click Create new under Admin roles and select CustomAdmin.

  10. Click Apply.

This table summarizes the security rule fields for the user role CustomAdmin.

Security rule fields
Field Code Comments
Resource filter Stream_*, App_*, App.Object_*, ReloadTask_*

Filters on resource types Stream, App, AppObjects, and ReloadTasks.

Tip: Alternatively, you could write App* instead of App_*, App.Object_*, because the wildcard (*), without the underscore (_), targets all resource types beginning with App.
Actions Create, Read, Update, Delete, Export, Publish, Export data

These actions will be granted provided the conditions are met.

Conditions user.roles = "CustomAdmin"

The user role CustomAdmin will be available in Users > Roles.

QMC section access

To manage the content, the admin must have section access to the relevant sections in the QMC.

  1. Select Security rules and click Create new Create new.

  2. In the Name field, type QMC_Sections_CustomAdmin.

  3. Set the resource filter to filter on the QMC sections that the CustomAdmin needs access to.

    In the Basic section, fill in the Resource filter field as follows:

    License_*,QmcSection_Stream,QmcSection_App,QmcSection_App.Object,QmcSection_Task

  4. Set the actions that the rule should provide for the specified resources.

    In the Basic section, select the Actions as follows:

    Read

  5. Set the conditions to specify the user role.

    In the Advanced section, fill in the Conditions field as follows:

    user.roles = "CustomAdmin"

  6. Set the context for the rule.

    In the Advanced section, in the Context field, select Only in QMC.

  7. Click Apply.

This table summarizes the security rule for QMC_Sections_CustomAdmin.

Security rule properties
Field Code Comments
Resource filter License_*,QmcSection_Stream,QmcSection_App,QmcSection_App.Object,QmcSection_Task

The QMC section access rule only grants read access to a QMC section.

Actions Read

The action is granted provided that the conditions are met.

Conditions user.roles = "CustomAdmin"

Users with the admin role CustomAdmin are granted access to these sections.

Context Only in QMC

This rule only applies to the QMC.