Security rules evaluation
Each time a user requests access to a resource, Qlik Sense evaluates the request against the security rules in the Qlik Sense system. If at least one rule evaluates to True then Qlik Sense will provide the user with access according to the conditions and actions described in the security rule. If no rules evaluate to True then the user will be denied access. The fact that Qlik Sense security rules are property-based makes Qlik Sense very scalable as you can build rules based on properties that apply to groups of users.
This inclusive method of security rule evaluation means that you should keep the following principles in mind when designing security for resources in Qlik Sense:
- Access is provided if at least one rule for the resource in question includes access rights for the user who is requesting access.
- You do not need to write rules that explicitly exclude users.
- Use roles, user types and group properties as far as possible when designing rules.
The rule preview and auditing tools can then be used to verify and validate that your rules work in practice.
The evaluation flow
The following image displays how security rules are evaluated when a user accesses the hub in Qlik Sense. For a detailed description of the steps in the rule evaluation, and how rules can affect performance, see the blog post Security Rules and Performance in Qlik Sense. There you can also learn about cache invalidation.
Security rules examples
The following are a few common examples of security rule creation.
Example 1: Only one rule required to provide user access
Your Finance department publishes financial results to a stream called Quarterly results. To begin with you only want users from the finance department to be able to read from this stream. In this case you need only create a security rule for finance department users that provides the Read action for the Quarterly results stream.
The easiest way to create this security rule is to go to the Streams overview in the QMC, select the stream from the list, click Edit and then add a user condition for Read to the stream in the System rules under Associated items. You can either edit an existing rule, or create a new rule with the user condition for Read. As a condition you would preferably use a group property from the directory service. If available, these properties are shown in the drop-down menus in the Basic view. If the directory service does not include an appropriate group property you can create a custom property in the QMC, for example, the custom property Departments with the value Finance.
Example 2: More than one rule applies to the user
In the Quarterly results example we created a rule (Rule 1) that allows users belonging to the Active Directory group Finance to read the Quarterly results stream. Assume that another rule (Rule 2) gives users belonging to the Active Directory (AD) group Management read access to the Quarterly results stream.
Finally, assume that the Sales director belongs to both Active Directory groups Sales and Management.
| | Rule 1 | Rule 2 |
|---|---|---|
| Allow users to | Read | Read |
| On resource | Quarterly results stream | Quarterly results stream |
| Provided that | group=Finance | group=Management |
| Evaluates to | False | True |
| Resulting access for Sales director | Provide read access | |
Example 3: More than one rule with different access rights
In the Quarterly results example we created a rule (Rule 1) that allows users belonging to the Active Directory group Finance to read the Quarterly results stream. Assume that another rule (Rule 2) gives users belonging to the Active Directory (AD) group Management read access to the Quarterly results stream. Finally, Rule 3 allows Management users to update apps in streams that they have read access to.
Assume that the Sales director belongs to both Active Directory groups Sales and Management.
| | Rule 1 | Rule 2 | Rule 3 |
|---|---|---|---|
| Allow users to | Read | Read | Update |
| On resource | Quarterly results stream | Quarterly results stream | All apps and sheets if user has read access to stream |
| Provided that | group=Finance | group=Management | group=Management |
| Evaluates to | False | True | True |
| Resulting access for Sales director | Provide read and update access | | |
Example 4: Out-of-the-box Qlik Sense rules
The Finance office in the UK has published an app to the Quarterly results stream called UK quarterly report. They want Finance users in the UK office to be the only users with read access to that app. For this purpose the UK administrator creates Rule 3, which explicitly states that only users belonging to the AD group Finance and the UK office have read access. Also assume that Rule 2 from Example 2 and the out-of-the-box Stream rule are in place.
In this case Finance in the UK may have assumed that the Sales director would not be able to read the UK quarterly report app. However, this is not the case, since Rule 2 allows Management to read the Quarterly results stream and the Stream rule allows all users that have read access to the Quarterly results stream to read all apps in that stream.
| | Rule 2 | Rule 3 | Stream rule |
|---|---|---|---|
| Allow users to | Read | Read | Read |
| On resource | Quarterly results stream | UK quarterly report app published on Quarterly results stream | All apps and sheets in a stream |
| Provided that | group=Management | group=Finance AND office=UK | User has read access to the stream |
| Evaluates to | True | False | True |
| Resulting access for Sales director | Provide read access | | |
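The inclusive evaluation described at the top of this page, and the rule sets of Examples 2, 3 and 4, can be reproduced in a small model so that the outcome for each user is visible before the rules go live. The following Python script is an added example and not part of the Qlik Sense documentation or product; it does not use Qlik's rule language but models each rule as a predicate over a user and a resource, with the out-of-the-box Stream rule expressed as a nested lookup of read access on the parent stream. The users, their group memberships and the `office` values are constructed for the example (the Sales director's office is assumed to be "US"), and the two rules the page both calls Rule 3 are labelled by the example they come from.

```python
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset            # directory-service group memberships
    office: str = ""             # custom property, e.g. "UK"


@dataclass(frozen=True)
class Resource:
    kind: str                    # "stream" or "app"
    name: str
    stream: str = ""             # for apps: the stream the app is published to


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                            # "read" or "update"
    applies_to: Callable[[Resource], bool]                 # "On resource"
    condition: Callable[[User, Resource, "Engine"], bool]  # "Provided that"


class Engine:
    """Inclusive evaluation: any rule that evaluates True grants the action;
    no rule evaluating True means the request is denied."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def matching(self, user: User, res: Resource, action: str) -> List[str]:
        """Names of the rules granting `action` on `res` to `user` (empty list = denied)."""
        return [r.name for r in self.rules
                if r.action == action and r.applies_to(res) and r.condition(user, res, self)]

    def allowed(self, user: User, res: Resource, action: str) -> bool:
        return bool(self.matching(user, res, action))


def in_group(group: str):
    return lambda user, res, eng: group in user.groups


def reads_stream(user: User, res: Resource, eng: Engine) -> bool:
    """True if the user has read access to the stream the app is published to
    (this is how the out-of-the-box Stream rule is modelled here)."""
    return eng.allowed(user, Resource("stream", res.stream), "read")


# Constructed resources matching the examples on the page
QUARTERLY = Resource("stream", "Quarterly results")
UK_REPORT = Resource("app", "UK quarterly report", stream="Quarterly results")

RULES = [
    Rule("Rule 1", "read", lambda r: r == QUARTERLY, in_group("Finance")),
    Rule("Rule 2", "read", lambda r: r == QUARTERLY, in_group("Management")),
    # Example 3: Management may update apps in streams they can read
    Rule("Rule 3 (Example 3)", "update", lambda r: r.kind == "app",
         lambda u, r, e: "Management" in u.groups and reads_stream(u, r, e)),
    # Example 4: intended to restrict the UK report to UK Finance users
    Rule("Rule 3 (Example 4)", "read", lambda r: r == UK_REPORT,
         lambda u, r, e: "Finance" in u.groups and u.office == "UK"),
    # Out-of-the-box Stream rule: read access to a stream implies read on its apps
    Rule("Stream rule", "read", lambda r: r.kind == "app", reads_stream),
]
ENGINE = Engine(RULES)

# Constructed users (group memberships and offices are assumptions)
SALES_DIRECTOR = User("Sales director", frozenset({"Sales", "Management"}), office="US")
UK_ANALYST = User("UK finance analyst", frozenset({"Finance"}), office="UK")
SALES_REP = User("Sales rep", frozenset({"Sales"}), office="US")


def audit(user: User) -> dict:
    """Rule preview for one user: which rules grant each action on each resource."""
    return {
        (res.name, action): ENGINE.matching(user, res, action)
        for res in (QUARTERLY, UK_REPORT)
        for action in ("read", "update")
    }


if __name__ == "__main__":
    for u in (SALES_DIRECTOR, UK_ANALYST, SALES_REP):
        print(u.name)
        for (res, action), rules in audit(u).items():
            print(f"  {action:6} {res:22} -> {rules or 'DENIED'}")
```

Running the script lists, per user and action, exactly which rules grant access, which is the information the rule preview in the QMC gives you. For the Sales director it shows that reading the UK report is granted by the Stream rule alone: the "only UK Finance" rule never fires for that user, but since evaluation is inclusive, adding it cannot take access away. The access the UK office did not expect has to be removed by narrowing the broader rules (Rule 2 or the Stream rule), not by adding another allow rule.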