Security rules example: Creating custom admin roles
Qlik Sense comes with six default admin roles. If you want to create a custom admin role, you need some security rules. In this example, you will create a custom admin role for the management of streams, apps, app objects, and reload tasks.
The following security rules are needed:
- A rule that provides access to the required resources.
- A QMC section access rule, providing the admin with access to the required sections in the QMC.
By creating a generic admin role, rather than creating security rules for a certain user, you make the rules reusable. The custom admin role can be assigned to several users, without changing any of the security rules.
Resource rule
By creating a resource rule, you can provide one or more users with the same admin access rights.
Do the following:
- Select Security rules and click Create new.
- In the Name field, type CustomAdmin.
- Set the resource filter to filter on streams, apps, app objects (such as sheets and stories), and tasks.
  In the Basic section, fill in the Resource filter field as follows:
  Stream_*, App_*, App.Object_*, ReloadTask_*
- Set the actions that the rule should provide for the specified resources.
  In the Basic section, select the Actions as follows:
  Create, Read, Update, Delete, Export, Publish, Export data
- Set the conditions to specify the user role.
  In the Advanced section, fill in the Conditions field as follows:
  user.roles = "CustomAdmin"
- Click Apply.
- Assign the role to the user who will be the custom administrator.
  Go to QMC start page > Users.
- Select the user and click Edit.
- Click under Admin roles and select CustomAdmin.
- Click Apply.
This table summarizes the security rule fields for the user role CustomAdmin.
Field | Code | Comments |
---|---|---|
Resource filter | Stream_*, App_*, App.Object_*, ReloadTask_* | Filters on resource types Stream, App, AppObjects, and ReloadTasks. Tip: Alternatively, you could write App* instead of App_*, App.Object_*, because the wildcard (*), without the underscore (_), targets all resource types beginning with App. |
Actions | Create, Read, Update, Delete, Export, Publish, Export data | These actions will be granted provided the conditions are met. |
Conditions | user.roles = "CustomAdmin" | The user role CustomAdmin will be available in Users > Roles. |
QMC section access
To manage the content, the admin must have section access to the relevant sections in the QMC.
Do the following:
- Select Security rules and click Create new.
- In the Name field, type QMC_Sections_CustomAdmin.
- Set the resource filter to filter on the QMC sections that the CustomAdmin needs access to.
  In the Basic section, fill in the Resource filter field as follows:
  License_*,QmcSection_Stream,QmcSection_App,QmcSection_App.Object,QmcSection_Task
- Set the actions that the rule should provide for the specified resources.
  In the Basic section, select the Actions as follows:
  Read
- Set the conditions to specify the user role.
  In the Advanced section, fill in the Conditions field as follows:
  user.roles = "CustomAdmin"
- Set the context for the rule.
  In the Advanced section, in the Context field, select Only in QMC.
- Click Apply.
This table summarizes the security rule for QMC_Sections_CustomAdmin.
Field | Code | Comments |
---|---|---|
Resource filter | License_*,QmcSection_Stream,QmcSection_App,QmcSection_App.Object,QmcSection_Task | The QMC section access rule only grants read access to a QMC section. |
Actions | Read | The action is granted provided that the conditions are met. |
Conditions | user.roles = "CustomAdmin" | Users with the admin role CustomAdmin are granted access to these sections. |
Context | Only in QMC | This rule only applies to the QMC. |
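
The two rules above, written as data and checked with a simplified matcher (an added example, not Qlik's rule engine and not code from the Qlik documentation). It assumes that grants are additive and that no matching rule means no access, that the CustomAdmin rule applies in both hub and QMC because the page sets no context for it, and it uses constructed resource names, including a made-up App.Other type, to show what the broader App* filter from the tip would also cover.

```python
from fnmatch import fnmatchcase

# The two rules from this page, transcribed as data for a simplified model.
RULES = [
    {"name": "CustomAdmin",
     "filter": "Stream_*, App_*, App.Object_*, ReloadTask_*",
     "actions": {"Create", "Read", "Update", "Delete",
                 "Export", "Publish", "Export data"},
     "role": "CustomAdmin",
     "context": "both"},  # assumption: the page sets no context for this rule
    {"name": "QMC_Sections_CustomAdmin",
     "filter": "License_*,QmcSection_Stream,QmcSection_App,"
               "QmcSection_App.Object,QmcSection_Task",
     "actions": {"Read"},
     "role": "CustomAdmin",
     "context": "qmc"},  # "Only in QMC"
]

# Constructed resource names; the IDs and the "App.Other" type are made up.
SAMPLE = ["Stream_3333", "App_1111", "App.Object_2222",
          "App.Other_5555", "ReloadTask_4444", "QmcSection_User"]


def filter_matches(resource_filter, resource):
    """True if any comma-separated pattern in the filter matches the resource."""
    return any(fnmatchcase(resource, p.strip())
               for p in resource_filter.split(","))


def granting_rules(roles, action, resource, context):
    """Names of the rules that grant the action; an empty list means denied."""
    return [r["name"] for r in RULES
            if r["role"] in roles
            and action in r["actions"]
            and r["context"] in ("both", context)
            and filter_matches(r["filter"], resource)]


def extra_matches(narrow, broad, resources):
    """Resources that the broad filter matches but the narrow one does not."""
    return [x for x in resources
            if filter_matches(broad, x) and not filter_matches(narrow, x)]


if __name__ == "__main__":
    for res in SAMPLE:
        print(res, granting_rules({"CustomAdmin"}, "Read", res, "qmc"))
    print(extra_matches("App_*, App.Object_*", "App*", SAMPLE))
```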