Skip to main content

Security rules included in Qlik Sense

In a Qlik Sense installation, a number of security rules are included by default and available in the QMC. The security rules can be used to grant users access to areas in Qlik Sense. These rules are of two types: Default and Read only. The Read only rules are essential to Qlik Sense and cannot be edited or deleted. The Default rules can be edited. When you edit a Default rule, the type is changed to Custom.

Note: If you want to edit a Default rule, we strongly recommend that you create a copy of the original and edit the copy, because you may want to use original rule later on. Remember to disable the original rule before using the copy.

The following security rules are included by default in a Qlik Sense installation.

AuditAdmin

AuditAdmin security rule properties
Property Details
Name AuditAdmin
Description Audit admin should have read rights to audit entities
Resource filter

*

Actions Read
Context Only in QMC
Type Default
Conditions user.roles = "AuditAdmin" and !(resource.resourcetype = "TransientObject" and resource.name like "QmcSection_*")

AuditAdminQmcSections

AuditAdminQmcSections security rule properties
Property Details
Name AuditAdminQmcSections
Description Audit admin should have read rights to audit related sections
Resource filter

License_*,TermsAcceptance_*,QmcSection_Tag,QmcSection_Audit

Actions Read
Context Only in QMC
Type Default
Conditions ((user.roles="AuditAdmin"))

Content library content

Content library content security rule properties
Property Details
Name Content library content
Description Everyone who has read rights to a content library should also have read rights to its corresponding files
Resource filter

StaticContentReference_*

Actions Read
Context Both in hub and QMC
Type Read only
Conditions resource.ContentLibrarys.HasPrivilege("Read")

Content library manage content

Content library manage content security rule properties
Property Details
Name Content library manage content
Description Everyone who has update rights to a content library should also have rights to manage its corresponding files
Resource filter

StaticContentReference_*

Actions Create, Read, Update, Delete
Context Both in hub and QMC
Type Read only
Conditions resource.ContentLibrarys.HasPrivilege("Update")

ContentAdmin

ContentAdmin security rule properties
Property Details
Name ContentAdmin
Description Content admin should have rights to manage content related entities
Resource filter

Stream_*,App*,ReloadTask_*,UserSyncTask_*,SchemaEvent_*,User*,CustomProperty*,Tag_*, DataConnection_*,CompositeEvent_*,Extension_*,ContentLibrary_*

Actions Create, Read, Update, Delete, Export, Publish, Change owner
Context Only in QMC
Type Default
Conditions ((user.roles="ContentAdmin"))

ContentAdminQmcSections

ContentAdminQmcSections security rule properties
Property Details
Name ContentAdminQmcSections
Description Content admin should have read rights to content related sections
Resource filter

License_*,TermsAcceptance_*,QmcSection_Stream,QmcSection_App,QmcSection_App.Object, QmcSection_DataConnection,QmcSection_Tag,QmcSection_User, QmcSection_CustomPropertyDefinition,QmcSection_Task,QmcSection_Event, QmcSection_SchemaEvent,QmcSection_CompositeEvent,QmcSection_Extension, QmcSection_ReloadTask,QmcSection_UserSyncTask,QmcSection_ContentLibrary,QmcSection_Audit

Actions Read
Context Only in QMC
Type Default
Conditions ((user.roles="ContentAdmin"))

ContentAdminRulesAccess

ContentAdminRulesAccess security rule properties
Property Details
Name ContentAdminRulesAccess
Description Content admin should have rights to manage security rules for streams, data connections, content libraries, and extensions
Resource filter

SystemRule_*

Actions Create, Read, Update, Delete
Context Only in QMC
Type Default
Conditions user.roles = "ContentAdmin" and resource.category = "Security" and (resource.resourcefilter matches "Stream_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}" or resource.resourcefilter matches "DataConnection_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}" or resource.resourcefilter matches "ContentLibrary_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}" or resource.resourcefilter matches "Extension_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}")

CreateApp

CreateApp security rule properties
Property Details
Name CreateApp
Description Everyone, except anonymous users, should have rights to create apps
Resource filter

App_*

Actions Create
Context Only in hub
Type Default
Conditions !user.IsAnonymous()

CreateAppObjectsPublishedApp

CreateAppObjectsPublishedApp security rule properties
Property Details
Name CreateAppObjectsPublishedApp
Description Everyone who has read rights to a published app should also have rights to create sheets, stories, bookmarks and snapshots belonging to that app
Resource filter

App.Object_*

Actions Create
Context Only in hub
Type Default
Conditions !resource.App.stream.Empty() and resource.App.HasPrivilege("read") and (resource.objectType = "userstate" or resource.objectType = "sheet" or resource.objectType = "story" or resource.objectType = "bookmark" or resource.objectType = "snapshot" or resource.objectType = "embeddedsnapshot" or resource.objectType = "hiddenbookmark") and !user.IsAnonymous()

CreateAppObjectsUnPublishedApp

CreateAppObjectsUnPublishedApp security rule properties
Property Details
Name CreateAppObjectsUnPublishedApp
Description Everyone who has read rights to an unpublished app should also have rights to create app objects belonging to that app
Resource filter

App.Object_*

Actions Create
Context Only in hub
Type Default
Conditions resource.App.stream.Empty() and resource.App.HasPrivilege("read") and !user.IsAnonymous()

CreateOdagLinks

CreateOdagLinks security rule properties
Property Details
Name CreateOdagLinks
Description Non-anonymous users with read access to the ODAG template app can create links and it is possible to create a link without first knowing the template app
Resource filter

OdagLink_*

Actions Create
Context Only in hub
Type Default
Conditions !user.IsAnonymous() and (resource.templateApp.Empty() or resource.templateApp.HasPrivilege("read"))

CreateOdagLinkUsage

CreateOdagLinkUsage security rule properties
Property Details
Name CreateOdagLinkUsage
Description Non-anonymous users with read access to the selectionApp and read access to the link can create OdagLinkUsages
Resource filter

OdagLinkUsage_*

Actions Create
Context Only in hub
Type Default
Conditions !user.IsAnonymous() and (resource.selectionApp.Empty() or resource.selectionApp.HasPrivilege("read")) and (resource.link.Empty() or resource.link.HasPrivilege("read"))

CreateOdagRequest

CreateOdagRequest security rule properties
Property Details
Name CreateOdagRequest
Description Non-anonymous users with read access to the link can create new Requests using that link
Resource filter

OdagRequest_*

Actions Create
Context Only in hub
Type Default
Conditions !user.IsAnonymous() and (resource.link.HasPrivilege("read"))

DataConnection

DataConnection security rule properties
Property Details
Name DataConnection
Description Data connections can be created for all resource types, except "folder"
Resource filter

DataConnection_*

Actions Create
Context Only in hub
Type Default
Conditions ((resource.type!="folder"))

DataPrepAppCacheAccessRule

DataPrepAppCacheAccessRule security rule properties
Property Details
Name DataPrepAppCacheAccessRule
Description Everyone, except anonymous users, should have read rights to data connections
Resource filter

DataConnection_<Connection_ID>

Actions Read
Context Both in hub and QMC
Type Custom
Conditions !user.isAnonymous()

Default content library

Default content library security rule properties
Property Details
Name Default content library
Description Everyone should have read rights to the default content library
Resource filter

ContentLibrary_<Content library ID>

Actions Read
Context Both in hub and QMC
Type Default
Conditions true

DeleteOdagLinkUsage

DeleteOdagLinkUsage security rule properties
Property Details
Name DeleteOdagLinkUsage
Description Non-anonymous users with read access on the selection app can delete OdagLinkUsages for that app
Resource filter

OdagLinkUsage_*

Actions Read, Delete
Context Only in hub
Type Default
Conditions !user.IsAnonymous() and resource.selectionApp.HasPrivilege("read")

DeploymentAdmin

DeploymentAdmin security rule properties
Property Details
Name DeploymentAdmin
Description Deployment admin should have access rights to deployment related entities
Resource filter

ServiceCluster_*,ServerNodeConfiguration_*,Engine*,Proxy*,VirtualProxy*,Repository*,Printing*,Scheduler*,User*,CustomProperty*,Tag_*,License*,TermsAcceptance_*,ReloadTask_*,UserSyncTask_*,SchemaEvent_*,CompositeEvent_*

Actions Create, Read, Update, Delete
Context Only in QMC
Type Default
Conditions ((user.roles="DeploymentAdmin"))

DeploymentAdminAppAccess

DeploymentAdminAppAccess security rule properties
Property Details
Name DeploymentAdminAppAccess
Description Deployment admin should have read and update rights to apps in order to handle load balancing rules
Resource filter

App_*

Actions Read, Update
Context Only in QMC
Type Default
Conditions ((user.roles="DeploymentAdmin"))

DeploymentAdminQmcSections

DeploymentAdminQmcSections security rule properties
Property Details
Name DeploymentAdminQmcSections
Description Deployment admin should have read rights to deployment related sections
Resource filter

License_*,TermsAcceptance_*,ServiceStatus_*,QmcSection_Tag,QmcSection_Templates, QmcSection_ServiceCluster,QmcSection_ServerNodeConfiguration,QmcSection_EngineService, QmcSection_ProxyService,QmcSection_VirtualProxyConfig,QmcSection_RepositoryService, QmcSection_SchedulerService,QmcSection_PrintingService,QmcSection_License*, QmcSection_Token,LoadbalancingSelectList,QmcSection_User,QmcSection_UserDirectory, QmcSection_CustomPropertyDefinition,QmcSection_Certificates, QmcSection_Certificates.Export,QmcSection_Task,QmcSection_App,QmcSection_SyncRule, QmcSection_LoadBalancingRule,QmcSection_Event, QmcSection_ReloadTask, QmcSection_UserSyncTask, QmcSection_Audit

Actions Read
Context Only in QMC
Type Default
Conditions ((user.roles="DeploymentAdmin"))

DeploymentAdminRulesAccess

DeploymentAdminRulesAccess security rules properties
Property Details
Name DeploymentAdminRulesAccess
Description Deployment admin should have rights to manage sync and license rules
Resource filter

SystemRule_*

Actions Create, Read, Update, Delete
Context Only in QMC
Type Default
Conditions user.roles = "DeploymentAdmin" and (resource.category = "Sync" or resource.category = "License")

ExportAppData

ExportAppData security rule properties
Property Details
Name ExportAppData
Description Everyone is allowed to export the app data they are allowed to see, except anonymous users
Resource filter

App_*

Actions Export data
Context Both in hub and QMC
Type Default
Conditions resource.HasPrivilege("read") and !user.IsAnonymous()

Extension

Extension security rule properties
Property Details
Name Extension
Description Everyone should have read rights to extensions
Resource filter

Extension_*

Actions Read
Context Both in hub and QMC
Type Default
Conditions true

Extension manage content

Extension manage content security rule properties
Property Details
Name

Extension manage content

Description Everyone who has update rights to an extension should have rights to manage its corresponding files
Resource filter

StaticContentReference_*

Actions Create, Read, Update, Delete
Context Both in hub and QMC
Type Read only
Conditions resource.Extensions.HasPrivilege("Update")

Extension static content

Extension static content security rule properties
Property Details
Name

Extension static content

Description Everyone who has read rights to an extension should have read rights to its corresponding files
Resource filter

StaticContentReference_*

Actions Read
Context Both in hub and QMC
Type Read only
Conditions resource.Extensions.HasPrivilege("Read")

File upload connection object

File upload connection object security rule properties
Property Details
Name

File upload connection object

Description Everyone, except anonymous users, should have read rights to data connections used for uploading files to server
Resource filter

DataConnection_<data_connection_ID>

Actions Read
Context Both in hub and QMC
Type Default
Conditions !user.IsAnonymous()

FolderDataConnection

FolderDataConnection security rule properties
Property Details
Name

FolderDataConnection

Description Admins should have rights to manage folder data connections
Resource filter

DataConnection_*

Actions Create, Read, Update, Delete
Context Only in hub
Type Default
Conditions resource.type = "folder" and (user.roles = "RootAdmin" or user.roles = "ContentAdmin" or user.roles = "SecurityAdmin")

HubSectionHome

HubSectionHome security rule properties
Property Details
Name HubSectionHome
Description Allows all users to access the home hub section
Resource filter

HubSection_Home

Actions Read
Context Both in hub and QMC
Type Default
Conditions true

HubSectionTask

HubSectionTask security rule properties
Property Details
Name HubSectionTask
Description Allows all users to access the task hub section
Resource filter

HubSection_Task

Actions Read
Context Only in hub
Type Default
Conditions true

Installed static content

Installed static content security rule properties
Property Details
Name Installed static content
Description Everyone should have read rights to installed static content
Resource filter

StaticContentReference_*

Actions Read
Context Both in hub and QMC
Type Read only
Conditions ((resource.StaticContentSecurityType="Open"))

ManageAnalyticConnection

ManageAnalyticConnection security rule properties
Property Details
Name ManageAnalyticConnection
Description RootAdmin, ContentAdmin and SecurityAdmin roles should be able to manage an analytical connection
Resource filter

AnalyticConnection_*

Actions Create, Read, Update, Delete
Context Both in hub and QMC
Type Default
Conditions ((user.roles="RootAdmin" or user.roles="ContentAdmin" or user.roles="SecurityAdmin"))

Offline access

Offline access security rule properties
Property Details
Name Offline access
Description Everyone is allowed offline access to the app they are allowed to see except anonymous users
Resource filter

App_*

Actions Read
Context Both in hub and QMC
Type Default
Conditions resource.HasPrivilege("read") and !user.IsAnonymous()

Owner

Owner security rule properties
Property Details
Name Owner
Description The owner of a resource should have update and delete rights if the resource is not published to a stream
Resource filter

*

Actions Update, Delete
Context Both in hub and QMC
Type Default
Conditions resource.IsOwned() and (resource.owner = user and !((resource.resourcetype = "App" and !resource.stream.Empty()) or (resource.resourcetype = "App.Object" and resource.published = "true")))

OwnerAnonymousTempContent

OwnerAnonymousTempContent security rule properties
Property Details
Name OwnerAnonymousTempContent
Description An anonymous owner of temporary content should be able to access and delete it
Resource filter

TempContent_*

Actions Read, Delete
Context Both in hub and QMC
Type Read only
Conditions user.IsAnonymous() and resource.anonymousOwnerUserId = user.userId

OwnerAppApproveAppObject

OwnerAppApproveObject security rule properties
Property Details
Name OwnerAppApproveAppObject
Description The owner of an app should be able to approve app objects belonging to the app
Resource filter

App.Object_*

Actions Approve
Context Both in hub and QMC
Type Default
Conditions resource.App.owner = user

OwnerPublishAppObject

OwnerPublishAppObject security rule properties
Property Details
Name OwnerPublishAppObject
Description The owner of an app object should have publish rights to the object unless it is approved
Resource filter

App.Object_*

Actions Publish
Context Both in hub and QMC
Type Default
Conditions resource.IsOwned() and resource.owner = user and resource.approved = "false" and resource.app.stream.HasPrivilege("publish")

OwnerPublishDuplicate

OwnerPublishDuplicate security rule properties
Property Details
Name OwnerPublishDuplicate
Description The owner of an app or a stream should be able to publish, and the owner of an app should be able to duplicate
Resource filter

App_*,Stream_*

Actions Publish, Duplicate
Context Both in hub and QMC
Type Default
Conditions resource.IsOwned() and resource.owner = user

OwnerRead

OwnerRead security rule properties
Property Details
Name OwnerRead
Description The owner of a resource should have read rights to the resource if it is published to a stream
Resource filter

*

Actions Read
Context Both in hub and QMC
Type Read only
Conditions resource.IsOwned() and resource.owner = user

OwnerUpdateApp

OwnerUpdateApp security rule properties
Property Details
Name OwnerUpdateApp
Description The owner of an app should be able to update
Resource filter

App_*

Actions Update
Context Both in hub and QMC
Type Default
Conditions resource.IsOwned() and resource.owner = user

ReadAnalyticConnectionEveryone

ReadAnalyticConnectionEveryone security rule properties
Property Details
Name ReadAppContentFiles
Description Non-anonymous users can read an analytic connection
Resource filter

AnalyticConnection_*

Actions Read
Context Only in hub
Type Read only
Conditions !user.IsAnonymous()

ReadAppContentFiles

ReadAppContentFiles security rule properties
Property Details
Name ReadAppContentFiles
Description Everyone who has read rights to an app should also have read rights to its content files
Resource filter

StaticContentReference_*

Actions Read
Context Both in hub and QMC
Type Read only
Conditions resource.AppContents.App.HasPrivilege("Read")

ReadAppContents

ReadAppContents security rule properties
Property Details
Name ReadAppContents
Description Everyone who has read rights to an app should also have read rights to app content belonging to that app
Resource filter

App.Content_*

Actions Read
Context Both in hub and QMC
Type Read only
Conditions resource.App.HasPrivilege("read")

ReadAppDataSegments

ReadAppDataSegments security rule properties
Property Details
Name ReadAppDataSegments
Description Everyone who has read rights to an app should also have read rights to app data segments belonging to that app
Resource filter

App.DataSegment_*

Actions Read
Context Both in hub and QMC
Type Read only
Conditions resource.App.HasPrivilege("read") and !user.IsAnonymous()

ReadAppInternals

ReadAppInternals security rule properties
Property Details
Name ReadAppInternals
Description Everyone who has read rights to an app should also have read rights to app internals belonging to that app
Resource filter

App.Internal_*

Actions Read
Context Both in hub and QMC
Type Read only
Conditions resource.App.HasPrivilege("read")

ReadCustomProperties

ReadCustomProperties security rule properties
Property Details
Name ReadCustomProperties
Description Non-anonymous users can read custom property definitions and values
Resource filter

CustomProperty*

Actions Read
Context Both in hub and QMC
Type Default
Conditions !user.IsAnonymous()

ReadOdagLinks

ReadOdagLinks security rule properties
Property Details
Name ReadOdagLinks
Description Non-anonymous users can read ODAG links
Resource filter

OdagLink_*

Actions Read
Context Only in hub
Type Default
Conditions !user.IsAnonymous()

ReadOdagLinkUsage

ReadOdagLinkUsage security rule properties
Property Details
Name ReadOdagLinkUsage
Description Non-anonymous users with read access to the selection app can read its OdagLinkUsages
Resource filter

OdagLinkUsage_*

Actions Read
Context Only in hub
Type Default
Conditions !user.IsAnonymous()

RootAdmin

RootAdmin security rule properties
Property Details
Name RootAdmin
Description Root admin should have full access rights
Resource filter

*

Actions

Create, Read, Update, Delete, Export, Publish, Change owner, Change role, Export data

Context Only in QMC
Type Read only
Conditions ((user.roles="RootAdmin"))

SecurityAdmin

SecurityAdmin security rule properties
Property Details
Name SecurityAdmin
Description Security admin should have access rights to security related entities
Resource filter

Stream_*,App*,Proxy*,VirtualProxy*,User*,SystemRule_*,CustomProperty*,Tag_*, DataConnection_*,ContentLibrary_*

Actions

Create, Read, Update, Delete, Export, Publish, Change owner

Context Only in QMC
Type Default
Conditions ((user.roles="SecurityAdmin"))

SecurityAdminQmcSections

SecurityAdminQmcSections security rule properties
Property Details
Name SecurityAdminQmcSections
Description Security admin should have read rights to security related sections
Resource filter

License_*,TermsAcceptance_*,ServiceStatus_*,QmcSection_Stream,QmcSection_App, QmcSection_App.Object,QmcSection_SystemRule,QmcSection_DataConnection,QmcSection_Tag, QmcSection_Templates,QmcSection_Audit,QmcSection_ProxyService,QmcSection_VirtualProxyConfig, QmcSection_User, QmcSection_CustomPropertyDefinition,QmcSection_Certificates, QmcSection_Certificates.Export,QmcSection_ContentLibrary

Actions

Read

Context Only in QMC
Type Default
Conditions ((user.roles="SecurityAdmin"))

SecurityAdminServerNodeConfiguration

SecurityAdminServerNodeConfiguration security rule properties
Property Details
Name SecurityAdminServerNodeConfiguration
Description Security admin should have read rights to the ServerNodeConfiguration entity
Resource filter

ServerNodeConfiguration_*

Actions

Read

Context Only in QMC
Type Default
Conditions ((user.roles="SecurityAdmin"))

ServiceAccount

ServiceAccount security rule properties
Property Details
Name ServiceAccount
Description Service accounts should have rights to perform all actions
Resource filter

*

Actions

Create, Read, Update, Delete, Export, Publish, Change owner, Change role, Export data

Context Both in hub and QMC
Type Read only
Conditions ((user.UserDirectory="INTERNAL" and user.UserId like "sa_*"))

Shared content manage content

Shared content manage content security rule properties
Property Details
Name Shared content manage content
Description Everyone who has update rights to shared content should also have rights to manage its corresponding files
Resource filter

StaticContentReference_*

Actions

Create, Read, Update, Delete

Context Both in hub and QMC
Type Read only
Conditions resource.SharedContents.HasPrivilege("Update")

Shared content see content

Shared content see content security rule properties
Property Details
Name Shared content see content
Description Everyone who has read rights to shared content should also have read rights to the corresponding files
Resource filter

StaticContentReference_*

Actions

Read

Context Both in hub and QMC
Type Read only
Conditions resource.SharedContents.HasPrivilege("Read")

Stream

Stream security rule properties
Property Details
Name Stream
Description

Everyone who has read rights to a stream should also have read rights to a resource published to that stream

Resource filter

App*

Actions

Read

Context Both in hub and QMC
Type Default
Conditions (resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))

StreamEveryone

StreamEveryone security rule properties
Property Details
Name StreamEveryone
Description Everyone, except anonymous users, should have read and publish rights to the default stream called Everyone
Resource filter

Stream_<stream_ID>

Actions

Read, Publish

Context Both in hub and QMC
Type Default
Conditions !user.IsAnonymous()

StreamEveryoneAnonymous

StreamEveryoneAnonymous security rule properties
Property Details
Name StreamEveryoneAnonymous
Description Anonymous users should have read rights to the default stream called Everyone
Resource filter

Stream_<stream_ID>

Actions

Read

Context Only in hub
Type Default
Conditions user.IsAnonymous()

StreamMonitoringAppsPublish

StreamMonitoringAppsPublish security rule properties
Property Details
Name StreamMonitoringAppsPublish
Description RootAdmin, ContentAdmin, and SecurityAdmin should have publish rights to the default stream called Monitoring apps
Resource filter

Stream_<stream_ID>

Actions

Publish

Context Only in hub
Type Default
Conditions ((user.roles="RootAdmin" or user.roles="ContentAdmin" or user.roles="SecurityAdmin"))

StreamMonitoringAppsRead

StreamMonitoringAppsRead security rule properties
Property Details
Name StreamMonitoringAppsRead
Description Default administrators should have read rights to the default stream called Monitoring apps
Resource filter

Stream_<stream_ID>

Actions

Read

Context Both in hub and QMC
Type Default
Conditions ((user.roles="RootAdmin" or user.roles="ContentAdmin" or user.roles="SecurityAdmin" or user.roles="DeploymentAdmin" or user.roles="AuditAdmin"))

Temporary content

Temporary content security rule properties
Property Details
Name Temporary content
Description Everyone, except anonymous users, should have rights to create temporary content
Resource filter

TempContent_*

Actions

Create

Context Both in hub and QMC
Type Read only
Conditions !user.IsAnonymous()

UpdateAppContentFiles

UpdateAppContentFiles security rule properties
Property Details
Name UpdateAppContentFiles
Description Everyone who has update rights to an app should also have rights to manage its content files
Resource filter

StaticContentReference_*

Actions

Create, Read, Update, Delete

Context Both in hub and QMC
Type Read only
Conditions resource.AppContents.App.HasPrivilege("Update")

UpdateAppContents

UpdateAppContents security rule properties
Property Details
Name UpdateAppContents
Description Everyone who has update rights to an app should also have update rights to app content belonging to that app
Resource filter

App.Content_*

Actions

Update

Context Both in hub and QMC
Type Read only
Conditions resource.App.HasPrivilege("update")

UpdateAppDataSegments

UpdateAppDataSegments security rule properties
Property Details
Name UpdateAppDataSegments
Description Everyone who has update rights to an app should also have rights to manage app data segments belonging to that app
Resource filter

App.DataSegment_*

Actions

Create, Read, Update, Delete

Context Both in hub and QMC
Type Read only
Conditions resource.App.HasPrivilege("update") and !user.IsAnonymous()

UpdateAppInternals

UpdateAppInternals security rule properties
Property Details
Name UpdateAppInternals
Description Everyone who has update rights to an app should also have rights to manage app internals belonging to that app
Resource filter

App.Internal_*

Actions

Create, Read, Update, Delete

Context Both in hub and QMC
Type Read only
Conditions resource.App.HasPrivilege("update")