In a Qlik Sense installation, a number of security rules are included by default and available in the QMC. The security rules can be used to grant users access to areas in Qlik Sense. There are three types of rules: Default, Read only, and Custom. The Read only rules are essential to Qlik Sense and cannot be edited or deleted. The Default rules can be edited. When you edit a Default rule or create a new rule, the type is changed to Custom.
Information noteIf you want to edit a Default rule, we strongly recommend that you create a copy of the original and edit the copy, because you may want to use original rule later on. Remember to disable the original rule before using the copy.
The following security rules are included by default in a Qlik Sense installation.
AuditAdmin
| Property | Details |
|---|---|
| Name | AuditAdmin |
| Description | Audit admin should have read rights to audit entities |
| Resource filter |
* |
| Actions | Read |
| Context | Only in QMC |
| Type | Default |
| Conditions | user.roles = "AuditAdmin" and !(resource.resourcetype = "TransientObject" and resource.name like "QmcSection_*") |
AuditAdminQmcSections
| Property | Details |
|---|---|
| Name | AuditAdminQmcSections |
| Description | Audit admin should have read rights to audit related sections |
| Resource filter |
License_*,TermsAcceptance_*,QmcSection_AppDistributionStatus,QmcSection_CloudDistribution, QmcSection_Tag,QmcSection_Audit,QmcSection_DeploymentSetup |
| Actions | Read |
| Context | Only in QMC |
| Type | Default |
| Conditions | ((user.roles="AuditAdmin")) |
Content library content
| Property | Details |
|---|---|
| Name | Content library content |
| Description | Everyone who has read rights to a content library should also have read rights to its corresponding files |
| Resource filter |
StaticContentReference_* |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | resource.ContentLibrarys.HasPrivilege("Read") |
Content library manage content
| Property | Details |
|---|---|
| Name | Content library manage content |
| Description | Everyone who has update rights to a content library should also have rights to manage its corresponding files |
| Resource filter |
StaticContentReference_* |
| Actions | Create, Read, Update, Delete |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | resource.ContentLibrarys.HasPrivilege("Update") |
ContentAdmin
| Property | Details |
|---|---|
| Name | ContentAdmin |
| Description | Content admin should have rights to manage content related entities |
| Resource filter |
Stream_*,App*,ReloadTask_*,ExternalProgramTask_*,UserSyncTask_*, SchemaEvent_*,User*,CustomProperty*,Tag_*,DataConnection_*,CompositeEvent_*,Extension_*,ContentLibrary_*,FileExtension_*,FileExtensionWhiteList_*,SystemNotification_*,CustomBannerMessage_* |
| Actions | Create, Read, Update, Delete, Export, Publish, Change owner |
| Context | Only in QMC |
| Type | Default |
| Conditions | ((user.roles="ContentAdmin")) |
ContentAdminQmcSections
| Property | Details |
|---|---|
| Name | ContentAdminQmcSections |
| Description | Content admin should have read rights to content related sections |
| Resource filter |
License_*,TermsAcceptance_*,QmcSection_Stream,QmcSection_App,QmcSection_App.Object, QmcSection_AppDistributionStatus,QmcSection_CloudDistribution,QmcSection_DataConnection, QmcSection_Tag,QmcSection_User,QmcSection_CustomPropertyDefinition,QmcSection_Task, QmcSection_Event, QmcSection_SchemaEvent,QmcSection_CompositeEvent,QmcSection_Extension, QmcSection_ReloadTask,QmcSection_UserSyncTask,QmcSection_ContentLibrary, QmcSection_Audit,QmcSection_AnalyticConnection,QmcSection_SystemNotification, QmcSection_SystemNotificationPolicy,QmcSection_DeploymentSetup,QmcSection_CustomBannerMessage |
| Actions | Read |
| Context | Only in QMC |
| Type | Default |
| Conditions | ((user.roles="ContentAdmin")) |
ContentAdminRulesAccess
| Property | Details |
|---|---|
| Name | ContentAdminRulesAccess |
| Description | Content admin should have rights to manage security rules for streams, data connections, content libraries, and extensions |
| Resource filter |
SystemRule_* |
| Actions | Create, Read, Update, Delete |
| Context | Only in QMC |
| Type | Default |
| Conditions | user.roles = "ContentAdmin" and (resource.category = "Security" and (resource.resourcefilter matches "Stream_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}" or resource.resourcefilter matches "DataConnection_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}" or resource.resourcefilter matches "ContentLibrary_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}" or resource.resourcefilter matches "Extension_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}") or (resource.category = "Generic" and resource.subcategory = "SystemNotification")) |
CreateApp
| Property | Details |
|---|---|
| Name | CreateApp |
| Description | Everyone, except anonymous users, should have rights to create apps |
| Resource filter |
App_* |
| Actions | Create |
| Context | Only in hub |
| Type | Default |
| Conditions | !user.IsAnonymous() |
CreateAppObjectsPublishedApp
| Property | Details |
|---|---|
| Name | CreateAppObjectsPublishedApp |
| Description | Everyone who has read rights to a published app should also have rights to create sheets, stories, bookmarks and snapshots belonging to that app |
| Resource filter |
App.Object_* |
| Actions | Create |
| Context | Only in hub |
| Type | Default |
| Conditions | !resource.App.stream.Empty() and resource.App.HasPrivilege("read") and (resource.objectType = "userstate" or resource.objectType = "sheet" or resource.objectType = "story" or resource.objectType = "bookmark" or resource.objectType = "snapshot" or resource.objectType = "embeddedsnapshot" or resource.objectType = "hiddenbookmark") and !user.IsAnonymous() |
CreateAppObjectsUnPublishedApp
| Property | Details |
|---|---|
| Name | CreateAppObjectsUnPublishedApp |
| Description | Everyone who has read rights to an unpublished app should also have rights to create app objects belonging to that app |
| Resource filter |
App.Object_* |
| Actions | Create |
| Context | Only in hub |
| Type | Default |
| Conditions | resource.App.stream.Empty() and resource.App.HasPrivilege("read") and !user.IsAnonymous() |
CreateOdagLinks
| Property | Details |
|---|---|
| Name | CreateOdagLinks |
| Description | Non-anonymous users with read access to the ODAG template app can create links and it is possible to create a link without first knowing the template app |
| Resource filter |
OdagLink_* |
| Actions | Create |
| Context | Only in hub |
| Type | Default |
| Conditions | !user.IsAnonymous() and (resource.templateApp.Empty() or resource.templateApp.HasPrivilege("read")) |
CreateOdagLinkUsage
| Property | Details |
|---|---|
| Name | CreateOdagLinkUsage |
| Description | Non-anonymous users with read access to the selectionApp and read access to the link can create OdagLinkUsages |
| Resource filter |
OdagLinkUsage_* |
| Actions | Create |
| Context | Only in hub |
| Type | Default |
| Conditions | !user.IsAnonymous() and (resource.selectionApp.Empty() or resource.selectionApp.HasPrivilege("read")) and (resource.link.Empty() or resource.link.HasPrivilege("read")) |
CreateOdagRequest
| Property | Details |
|---|---|
| Name | CreateOdagRequest |
| Description | Non-anonymous users with read access to the link can create new Requests using that link |
| Resource filter |
OdagRequest_* |
| Actions | Create |
| Context | Only in hub |
| Type | Default |
| Conditions | !user.IsAnonymous() and (resource.link.HasPrivilege("read")) |
Custom banner message
| Property | Details |
|---|---|
| Name | Custom banner message |
| Description | Allows all users to see the custom banner messages |
| Resource filter |
CustomBannerMessage_* |
| Actions | Read |
| Context | Only in hub |
| Type | Default |
| Conditions | true |
DataConnection
| Property | Details |
|---|---|
| Name | DataConnection |
| Description | Data connections can be created for all resource types, except "folder" |
| Resource filter |
DataConnection_* |
| Actions | Create |
| Context | Only in hub |
| Type | Default |
| Conditions | ((resource.type!="folder")) |
DataPrepAppCacheAccessRule
| Property | Details |
|---|---|
| Name | DataPrepAppCacheAccessRule |
| Description | Everyone, except anonymous users, should have read rights to data connections |
| Resource filter |
DataConnection_<Connection_ID> |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Custom |
| Conditions | !user.isAnonymous() |
Default content library
| Property | Details |
|---|---|
| Name | Default content library |
| Description | Everyone should have read rights to the default content library |
| Resource filter |
ContentLibrary_<Content library ID> |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | true |
DeleteOdagLinkUsage
| Property | Details |
|---|---|
| Name | DeleteOdagLinkUsage |
| Description | Non-anonymous users with read access on the selection app can delete OdagLinkUsages for that app |
| Resource filter |
OdagLinkUsage_* |
| Actions | Read, Delete |
| Context | Only in hub |
| Type | Default |
| Conditions | !user.IsAnonymous() and resource.selectionApp.HasPrivilege("read") |
DeploymentAdmin
| Property | Details |
|---|---|
| Name | DeploymentAdmin |
| Description | Deployment admin should have access rights to deployment related entities |
| Resource filter |
ServiceCluster_*,ServerNodeConfiguration_*,Engine*,Proxy*,VirtualProxy*,Repository*,Printing*,Scheduler*, User*,CustomProperty*,Tag_*,License*, TermsAcceptance_*,ReloadTask_*,ExternalProgramTask_*, UserSyncTask_*,SchemaEvent_*,CompositeEvent_*, Deployment_*,IdentityProviderSettings_*, SystemNotification_*, CustomBannerMessage_* |
| Actions | Create, Read, Update, Delete |
| Context | Only in QMC |
| Type | Default |
| Conditions | ((user.roles="DeploymentAdmin")) |
DeploymentAdminAppAccess
| Property | Details |
|---|---|
| Name | DeploymentAdminAppAccess |
| Description | Deployment admin should have read and update rights to apps in order to handle load balancing rules |
| Resource filter |
App_* |
| Actions | Read, Update |
| Context | Only in QMC |
| Type | Default |
| Conditions | ((user.roles="DeploymentAdmin")) |
DeploymentAdminQmcSections
| Property | Details |
|---|---|
| Name | DeploymentAdminQmcSections |
| Description | Deployment admin should have read rights to deployment related sections |
| Resource filter |
License_*,TermsAcceptance_*,ServiceStatus_*,QmcSection_AppDistributionStatus, QmcSection_CloudDistribution,QmcSection_Tag,QmcSection_Templates,QmcSection_ServiceCluster, QmcSection_ServerNodeConfiguration,QmcSection_EngineService,QmcSection_ProxyService, QmcSection_VirtualProxyConfig,QmcSection_RepositoryService, QmcSection_SchedulerService,QmcSection_PrintingService,QmcSection_License*,QmcSection_Token, LoadbalancingSelectList,QmcSection_User,QmcSection_UserDirectory,QmcSection_CustomPropertyDefinition, QmcSection_Certificates,QmcSection_Certificates.Export,QmcSection_Task,QmcSection_App,QmcSection_SyncRule, QmcSection_LoadBalancingRule,QmcSection_Event,QmcSection_ReloadTask,QmcSection_UserSyncTask,QmcSection_Audit, QmcSection_DistributionPolicy,QmcSection_SystemNotification,QmcSection_SystemNotificationPolicy, QmcSection_DeploymentSetup,QmcSection_CustomBannerMessage |
| Actions | Read |
| Context | Only in QMC |
| Type | Default |
| Conditions | ((user.roles="DeploymentAdmin")) |
DeploymentAdminRulesAccess
| Property | Details |
|---|---|
| Name | DeploymentAdminRulesAccess |
| Description | Deployment admin should have rights to manage sync and license rules |
| Resource filter |
SystemRule_* |
| Actions | Create, Read, Update, Delete |
| Context | Only in QMC |
| Type | Default |
| Conditions | user.roles = "DeploymentAdmin" and (resource.category = "Sync" or resource.category = "License" or resource.category = "Generic") |
ExportAppData
| Property | Details |
|---|---|
| Name | ExportAppData |
| Description | Everyone is allowed to export the app data they are allowed to see, except anonymous users |
| Resource filter |
App_* |
| Actions | Export data |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | resource.HasPrivilege("read") and !user.IsAnonymous() |
Extension
| Property | Details |
|---|---|
| Name | Extension |
| Description | Everyone should have read rights to extensions |
| Resource filter |
Extension_* |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | true |
Extension manage content
| Property | Details |
|---|---|
| Name |
Extension manage content |
| Description | Everyone who has update rights to an extension should have rights to manage its corresponding files |
| Resource filter |
StaticContentReference_* |
| Actions | Create, Read, Update, Delete |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | resource.Extensions.HasPrivilege("Update") |
Extension static content
| Property | Details |
|---|---|
| Name |
Extension static content |
| Description | Everyone who has read rights to an extension should have read rights to its corresponding files |
| Resource filter |
StaticContentReference_* |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | resource.Extensions.HasPrivilege("Read") |
File upload connection object
| Property | Details |
|---|---|
| Name |
File upload connection object |
| Description | Everyone, except anonymous users, should have read rights to data connections used for uploading files to server |
| Resource filter |
DataConnection_<data_connection_ID> |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | !user.IsAnonymous() |
FolderDataConnection
| Property | Details |
|---|---|
| Name |
FolderDataConnection |
| Description | Admins should have rights to manage folder data connections |
| Resource filter |
DataConnection_* |
| Actions | Create, Read, Update, Delete |
| Context | Only in hub |
| Type | Default |
| Conditions | resource.type = "folder" and (user.roles = "RootAdmin" or user.roles = "ContentAdmin" or user.roles = "SecurityAdmin") |
HubAdmin
| Property | Details |
|---|---|
| Name | HubAdmin |
| Description | Hub admin should have read, create and update rights to reload tasks and schema events |
| Resource filter |
ReloadTask_*,SchemaEvent_* |
| Actions | Create, Read, Update |
| Context | Only in hub |
| Type | Default |
| Conditions | ((user.roles="HubAdmin")) |
HubSectionHome
| Property | Details |
|---|---|
| Name | HubSectionHome |
| Description | Allows all users to access the home hub section |
| Resource filter |
HubSection_Home |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | true |
HubSectionTask
| Property | Details |
|---|---|
| Name | HubSectionTask |
| Description | Allows all users to access the task hub section |
| Resource filter |
HubSection_Task |
| Actions | Read |
| Context | Only in hub |
| Type | Default |
| Conditions | true |
Installed static content
| Property | Details |
|---|---|
| Name | Installed static content |
| Description | Everyone should have read rights to installed static content |
| Resource filter |
StaticContentReference_* |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | ((resource.StaticContentSecurityType="Open")) |
ManageAnalyticConnection
| Property | Details |
|---|---|
| Name | ManageAnalyticConnection |
| Description | RootAdmin, ContentAdmin and SecurityAdmin roles should be able to manage an analytical connection |
| Resource filter |
AnalyticConnection_* |
| Actions | Create, Read, Update, Delete |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | ((user.roles="RootAdmin" or user.roles="ContentAdmin" or user.roles="SecurityAdmin")) |
Offline access
| Property | Details |
|---|---|
| Name | Offline access |
| Description | Everyone is allowed offline access to the app they are allowed to see except anonymous users |
| Resource filter |
App_* |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | resource.HasPrivilege("read") and !user.IsAnonymous() |
Owner
| Property | Details |
|---|---|
| Name | Owner |
| Description | The owner of a resource should have update and delete rights if the resource is not published to a stream |
| Resource filter |
* |
| Actions | Update, Delete |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | resource.IsOwned() and (resource.owner = user and !((resource.resourcetype = "App" and !resource.stream.Empty()) or (resource.resourcetype = "App.Object" and resource.published = "true"))) |
OwnerAnonymousTempContent
| Property | Details |
|---|---|
| Name | OwnerAnonymousTempContent |
| Description | An anonymous owner of temporary content should be able to access and delete it |
| Resource filter |
TempContent_* |
| Actions | Read, Delete |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | user.IsAnonymous() and resource.anonymousOwnerUserId = user.userId |
OwnerAppApproveAppObject
| Property | Details |
|---|---|
| Name | OwnerAppApproveAppObject |
| Description | The owner of an app should be able to approve app objects belonging to the app |
| Resource filter |
App.Object_* |
| Actions | Approve |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | resource.App.owner = user |
OwnerPublishAppObject
| Property | Details |
|---|---|
| Name | OwnerPublishAppObject |
| Description | The owner of an app object should have publish rights to the object unless it is approved |
| Resource filter |
App.Object_* |
| Actions | Publish |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | resource.IsOwned() and resource.owner = user and resource.approved = "false" and resource.app.stream.HasPrivilege("publish") |
OwnerPublishDuplicate
| Property | Details |
|---|---|
| Name | OwnerPublishDuplicate |
| Description | The owner of an app or a stream should be able to publish, and the owner of an app should be able to duplicate |
| Resource filter |
App_*,Stream_* |
| Actions | Publish, Duplicate |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | resource.IsOwned() and resource.owner = user |
OwnerRead
| Property | Details |
|---|---|
| Name | OwnerRead |
| Description | The owner of a resource should have read rights to the resource if it is published to a stream |
| Resource filter |
* |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | resource.IsOwned() and resource.owner = user |
OwnerUpdateApp
| Property | Details |
|---|---|
| Name | OwnerUpdateApp |
| Description | The owner of an app should be able to update |
| Resource filter |
App_* |
| Actions | Update |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | resource.IsOwned() and resource.owner = user |
QMCCachingSupport
| Property | Details |
|---|---|
| Name | QMCCachingSupport |
| Description | Enable this rule along with QmcCacheEnabled flag to support QMC-caching |
| Resource filter |
ExecutionSession_*,ExecutionResult_*,*TaskOperational* |
| Actions | Read |
| Context | Only in QMC |
| Type | Default |
| Conditions | ((user.roles="ContentAdmin" or user.roles="DeploymentAdmin")) |
ReadAnalyticConnectionEveryone
| Property | Details |
|---|---|
| Name | ReadAppContentFiles |
| Description | Non-anonymous users can read an analytic connection |
| Resource filter |
AnalyticConnection_* |
| Actions | Read |
| Context | Only in hub |
| Type | Read only |
| Conditions | !user.IsAnonymous() |
ReadAppContentFiles
| Property | Details |
|---|---|
| Name | ReadAppContentFiles |
| Description | Everyone who has read rights to an app should also have read rights to its content files |
| Resource filter |
StaticContentReference_* |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | resource.AppContents.App.HasPrivilege("Read") |
ReadAppContents
| Property | Details |
|---|---|
| Name | ReadAppContents |
| Description | Everyone who has read rights to an app should also have read rights to app content belonging to that app |
| Resource filter |
App.Content_* |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | resource.App.HasPrivilege("read") |
ReadAppDataSegments
| Property | Details |
|---|---|
| Name | ReadAppDataSegments |
| Description | Everyone who has read rights to an app should also have read rights to app data segments belonging to that app |
| Resource filter |
App.DataSegment_* |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | resource.App.HasPrivilege("read") and !user.IsAnonymous() |
ReadAppInternals
| Property | Details |
|---|---|
| Name | ReadAppInternals |
| Description | Everyone who has read rights to an app should also have read rights to app internals belonging to that app |
| Resource filter |
App.Internal_* |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | resource.App.HasPrivilege("read") |
ReadContentCacheControl
| Property | Details |
|---|---|
| Name | ReadContentCacheControl |
| Description | Read-access to parent content library should also give read-access to referencing content cache controls. |
| Resource filter |
ContentCacheControl_* |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions |
((user.roles="ContentAdmin" or user.roles="SecurityAdmin" or resource.contentLibrary.HasPrivilege("read"))) |
ReadCustomProperties
| Property | Details |
|---|---|
| Name | ReadCustomProperties |
| Description | Non-anonymous users can read custom property definitions and values |
| Resource filter |
CustomProperty* |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | !user.IsAnonymous() |
ReadOdagLinks
| Property | Details |
|---|---|
| Name | ReadOdagLinks |
| Description | Non-anonymous users can read ODAG links |
| Resource filter |
OdagLink_* |
| Actions | Read |
| Context | Only in hub |
| Type | Default |
| Conditions | !user.IsAnonymous() |
ReadOdagLinkUsage
| Property | Details |
|---|---|
| Name | ReadOdagLinkUsage |
| Description | Non-anonymous users with read access to the selection app can read its OdagLinkUsages |
| Resource filter |
OdagLinkUsage_* |
| Actions | Read |
| Context | Only in hub |
| Type | Default |
| Conditions | !user.IsAnonymous() |
RootAdmin
| Property | Details |
|---|---|
| Name | RootAdmin |
| Description | Root admin should have full access rights |
| Resource filter |
* |
| Actions |
Create, Read, Update, Delete, Export, Publish, Change owner, Change role, Export data |
| Context | Only in QMC |
| Type | Read only |
| Conditions | ((user.roles="RootAdmin")) |
SecurityAdmin
| Property | Details |
|---|---|
| Name | SecurityAdmin |
| Description | Security admin should have access rights to security related entities |
| Resource filter |
Stream_*,App*,Proxy*,VirtualProxy*,User*,SystemRule_*,CustomProperty*,Tag_*,DataConnection_*, ContentLibrary_*,FileExtension_*,FileExtensionWhiteList_*,Deployment_*, IdentityProviderSettings_* |
| Actions |
Create, Read, Update, Delete, Export, Publish, Change owner |
| Context | Only in QMC |
| Type | Default |
| Conditions | ((user.roles="SecurityAdmin")) |
SecurityAdminQmcSections
| Property | Details |
|---|---|
| Name | SecurityAdminQmcSections |
| Description | Security admin should have read rights to security related sections |
| Resource filter |
License_*,TermsAcceptance_*,ServiceStatus_*,QmcSection_Stream,QmcSection_App, QmcSection_App.Object,QmcSection_AppDistributionStatus,QmcSection_CloudDistribution,QmcSection_SystemRule, QmcSection_DataConnection,QmcSection_Tag,QmcSection_Templates,QmcSection_Audit,QmcSection_ProxyService,QmcSection_VirtualProxyConfig,QmcSection_User,QmcSection_CustomPropertyDefinition, QmcSection_Certificates,QmcSection_Certificates.Export,QmcSection_ContentLibrary, QmcSection_AnalyticConnection,QmcSection_DeploymentSetup |
| Actions |
Read |
| Context | Only in QMC |
| Type | Default |
| Conditions | ((user.roles="SecurityAdmin")) |
SecurityAdminServerNodeConfiguration
| Property | Details |
|---|---|
| Name | SecurityAdminServerNodeConfiguration |
| Description | Security admin should have read rights to the ServerNodeConfiguration entity |
| Resource filter |
ServerNodeConfiguration_* |
| Actions |
Read |
| Context | Only in QMC |
| Type | Default |
| Conditions | ((user.roles="SecurityAdmin")) |
ServiceAccount
| Property | Details |
|---|---|
| Name | ServiceAccount |
| Description | Service accounts should have rights to perform all actions |
| Resource filter |
* |
| Actions |
Create, Read, Update, Delete, Export, Publish, Change owner, Change role, Export data |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | ((user.UserDirectory="INTERNAL" and user.UserId like "sa_*")) |
Shared content manage content
| Property | Details |
|---|---|
| Name | Shared content manage content |
| Description | Everyone who has update rights to shared content should also have rights to manage its corresponding files |
| Resource filter |
StaticContentReference_* |
| Actions |
Create, Read, Update, Delete |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | resource.SharedContents.HasPrivilege("Update") |
Shared content see content
| Property | Details |
|---|---|
| Name | Shared content see content |
| Description | Everyone who has read rights to shared content should also have read rights to the corresponding files |
| Resource filter |
StaticContentReference_* |
| Actions |
Read |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | resource.SharedContents.HasPrivilege("Read") |
Stream
Information noteIt is not recommended to create rules that allow users to edit published apps in streams.
| Property | Details |
|---|---|
| Name | Stream |
| Description |
Everyone who has read rights to a stream should also have read rights to a resource published to that stream |
| Resource filter |
App* |
| Actions |
Read |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | (resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read")) |
StreamEveryone
| Property | Details |
|---|---|
| Name | StreamEveryone |
| Description | Everyone, except anonymous users, should have read and publish rights to the default stream called Everyone |
| Resource filter |
Stream_<stream_ID> |
| Actions |
Read, Publish |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | !user.IsAnonymous() |
StreamEveryoneAnonymous
| Property | Details |
|---|---|
| Name | StreamEveryoneAnonymous |
| Description | Anonymous users should have read rights to the default stream called Everyone |
| Resource filter |
Stream_<stream_ID> |
| Actions |
Read |
| Context | Only in hub |
| Type | Default |
| Conditions | user.IsAnonymous() |
StreamMonitoringAppsPublish
| Property | Details |
|---|---|
| Name | StreamMonitoringAppsPublish |
| Description | RootAdmin, ContentAdmin, and SecurityAdmin should have publish rights to the default stream called Monitoring apps |
| Resource filter |
Stream_<stream_ID> |
| Actions |
Publish |
| Context | Only in hub |
| Type | Default |
| Conditions | ((user.roles="RootAdmin" or user.roles="ContentAdmin" or user.roles="SecurityAdmin")) |
StreamMonitoringAppsRead
| Property | Details |
|---|---|
| Name | StreamMonitoringAppsRead |
| Description | Default administrators should have read rights to the default stream called Monitoring apps |
| Resource filter |
Stream_<stream_ID> |
| Actions |
Read |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | ((user.roles="RootAdmin" or user.roles="ContentAdmin" or user.roles="SecurityAdmin" or user.roles="DeploymentAdmin" or user.roles="AuditAdmin")) |
Temporary content
| Property | Details |
|---|---|
| Name | Temporary content |
| Description | Everyone, except anonymous users, should have rights to create temporary content |
| Resource filter |
TempContent_* |
| Actions |
Create |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | !user.IsAnonymous() |
UpdateAppContentFiles
| Property | Details |
|---|---|
| Name | UpdateAppContentFiles |
| Description | Everyone who has update rights to an app should also have rights to manage its content files |
| Resource filter |
StaticContentReference_* |
| Actions |
Create, Read, Update, Delete |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | resource.AppContents.App.HasPrivilege("Update") |
UpdateAppContents
| Property | Details |
|---|---|
| Name | UpdateAppContents |
| Description | Everyone who has update rights to an app should also have update rights to app content belonging to that app |
| Resource filter |
App.Content_* |
| Actions |
Update |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | resource.App.HasPrivilege("update") |
UpdateAppDataSegments
| Property | Details |
|---|---|
| Name | UpdateAppDataSegments |
| Description | Everyone who has update rights to an app should also have rights to manage app data segments belonging to that app |
| Resource filter |
App.DataSegment_* |
| Actions |
Create, Read, Update, Delete |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | resource.App.HasPrivilege("update") and !user.IsAnonymous() |
UpdateAppInternals
| Property | Details |
|---|---|
| Name | UpdateAppInternals |
| Description | Everyone who has update rights to an app should also have rights to manage app internals belonging to that app |
| Resource filter |
App.Internal_* |
| Actions |
Create, Read, Update, Delete |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | resource.App.HasPrivilege("update") |