In a Qlik Sense installation, a number of security rules are included by default and available in the QMC. The security rules can be used to grant users access to areas in Qlik Sense. There are three types of rules: Default, Read only, and Custom. The Read only rules are essential to Qlik Sense and cannot be edited or deleted. The Default rules can be edited. When you edit a Default rule or create a new rule, the type is changed to Custom.
Information noteIf you want to edit a Default rule, we strongly recommend that you create a copy of the original and edit the copy, because you may want to use original rule later on. Remember to disable the original rule before using the copy.
The following security rules are included by default in a Qlik Sense installation.
AuditAdmin
| Property | Details |
|---|---|
| Name | AuditAdmin |
| Description | Audit admin should have access rights to audit entities |
| Resource filter |
* |
| Actions | Read |
| Context | Only in QMC |
| Type | Default |
| Conditions | user.roles = "AuditAdmin" and !(resource.resourcetype = "TransientObject" and resource.name like "QmcSection_*") |
AuditAdminQmcSections
| Property | Details |
|---|---|
| Name | AuditAdminQmcSections |
| Description | Audit admin should have access rights to audit related sections |
| Resource filter |
License_*,TermsAcceptance_*,QmcSection_AppDistributionStatus,QmcSection_CloudDistribution, QmcSection_Tag,QmcSection_Audit,QmcSection_DeploymentSetup,QmcSection_EngineHealth |
| Actions | Read |
| Context | Only in QMC |
| Type | Default |
| Conditions | ((user.roles="AuditAdmin")) |
Content library content
| Property | Details |
|---|---|
| Name | Content library content |
| Description | Allows everyone that can see a content library to see its corresponding files |
| Resource filter |
StaticContentReference_* |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | resource.ContentLibrarys.HasPrivilege("Read") |
Content library manage content
| Property | Details |
|---|---|
| Name | Content library manage content |
| Description | Allows everyone that can update a content library to manage its corresponding files |
| Resource filter |
StaticContentReference_* |
| Actions | Create, Read, Update, Delete |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | resource.ContentLibrarys.HasPrivilege("Update") |
ContentAdmin
| Property | Details |
|---|---|
| Name | ContentAdmin |
| Description | Content admin should have access rights to content related sections |
| Resource filter |
Stream_*,App*,ReloadTask_*,ExternalProgramTask_*,UserSyncTask_*, SchemaEvent_*,User*,CustomProperty*,Tag_*,DataConnection_*,CompositeEvent_*,Extension_*,ContentLibrary_*,FileExtension_*,FileExtensionWhiteList_*,SystemNotification_*,ExternalProductSignOn_*,CustomBannerMessage_* |
| Actions | Create, Read, Update, Delete, Export, Publish, Change owner, Duplicate, Approve |
| Context | Only in QMC |
| Type | Default |
| Conditions | ((user.roles="ContentAdmin")) |
ContentAdminQmcSections
| Property | Details |
|---|---|
| Name | ContentAdminQmcSections |
| Description | Content admin should have access rights to content related sections |
| Resource filter |
License_*,TermsAcceptance_*,QmcSection_Stream,QmcSection_App,QmcSection_App.Object, QmcSection_AppDistributionStatus,QmcSection_CloudDistribution,QmcSection_DataConnection, QmcSection_Tag,QmcSection_User,QmcSection_CustomPropertyDefinition,QmcSection_Task, QmcSection_Event, QmcSection_SchemaEvent,QmcSection_CompositeEvent,QmcSection_Extension, QmcSection_ReloadTask,QmcSection_UserSyncTask,QmcSection_ContentLibrary, QmcSection_Audit,QmcSection_AnalyticConnection,QmcSection_SystemNotification, QmcSection_SystemNotificationPolicy,QmcSection_DeploymentSetup,QmcSection_CustomBannerMessage,QmcSection_ExternalProductSignOn,QmcSection_EngineHealth |
| Actions | Read |
| Context | Only in QMC |
| Type | Default |
| Conditions | ((user.roles="ContentAdmin")) |
ContentAdminReadOnly
| Property | Details |
|---|---|
| Name | ContentAdminReadOnly |
| Description | Content admin should have Read access rights to content related entities |
| Resource filter |
EngineHealth_* |
| Actions | Read |
| Context | Only in QMC |
| Type | Default |
| Conditions | ((user.roles="ContentAdmin")) |
ContentAdminRulesAccess
| Property | Details |
|---|---|
| Name | ContentAdminRulesAccess |
| Description | Content admin should have access rights to manage security rules for streams, data connections, content libraries and extensions |
| Resource filter |
SystemRule_* |
| Actions | Create, Read, Update, Delete |
| Context | Only in QMC |
| Type | Default |
| Conditions | user.roles = "ContentAdmin" and (resource.category = "Security" and (resource.resourcefilter matches "Stream_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}" or resource.resourcefilter matches "DataConnection_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}" or resource.resourcefilter matches "ContentLibrary_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}" or resource.resourcefilter matches "Extension_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}") or (resource.category = "Generic" and resource.subcategory = "SystemNotification")) |
CreateApp
| Property | Details |
|---|---|
| Name | CreateApp |
| Description | Everyone is allowed to create apps except anonymous users |
| Resource filter |
App_* |
| Actions | Create |
| Context | Only in hub |
| Type | Default |
| Conditions | !user.IsAnonymous() |
CreateAppObjectsPublishedApp
| Property | Details |
|---|---|
| Name | CreateAppObjectsPublishedApp |
| Description | If you have read rights on a published app you should be able to create sheets, stories, bookmarks and snapshots belonging to that app |
| Resource filter |
App.Object_* |
| Actions | Create |
| Context | Only in hub |
| Type | Default |
| Conditions | !resource.App.stream.Empty() and resource.App.HasPrivilege("read") and (resource.objectType = "userstate" or resource.objectType = "sheet" or resource.objectType = "story" or resource.objectType = "bookmark" or resource.objectType = "snapshot" or resource.objectType = "embeddedsnapshot" or resource.objectType = "hiddenbookmark") and !user.IsAnonymous() |
CreateAppObjectsUnPublishedApp
| Property | Details |
|---|---|
| Name | CreateAppObjectsUnPublishedApp |
| Description | If you have read rights on an unpublished app you should be able to create app objects belonging to that app |
| Resource filter |
App.Object_* |
| Actions | Create |
| Context | Only in hub |
| Type | Default |
| Conditions | resource.App.stream.Empty() and resource.App.HasPrivilege("read") and !user.IsAnonymous() |
CreateOdagLinks
| Property | Details |
|---|---|
| Name | CreateOdagLinks |
| Description | Non-anonymous users with read access to the ODAG template app can create links and it is possible to create a link without first knowing the template app |
| Resource filter |
OdagLink_* |
| Actions | Create |
| Context | Only in hub |
| Type | Default |
| Conditions | !user.IsAnonymous() and (resource.templateApp.Empty() or resource.templateApp.HasPrivilege("read")) |
CreateOdagLinkUsage
| Property | Details |
|---|---|
| Name | CreateOdagLinkUsage |
| Description | Non-anonymous users with read access to the selectionApp and read access to the link can create OdagLinkUsages |
| Resource filter |
OdagLinkUsage_* |
| Actions | Create |
| Context | Only in hub |
| Type | Default |
| Conditions | !user.IsAnonymous() and (resource.selectionApp.Empty() or resource.selectionApp.HasPrivilege("read")) and (resource.link.Empty() or resource.link.HasPrivilege("read")) |
CreateOdagRequest
| Property | Details |
|---|---|
| Name | CreateOdagRequest |
| Description | Non-anonymous users with read access to the link can create new Requests using that link |
| Resource filter |
OdagRequest_* |
| Actions | Create |
| Context | Only in hub |
| Type | Default |
| Conditions | !user.IsAnonymous() and (resource.link.HasPrivilege("read")) |
Custom banner message
| Property | Details |
|---|---|
| Name | Custom banner message |
| Description | Allows all users to see the custom banner messages |
| Resource filter |
CustomBannerMessage_* |
| Actions | Read |
| Context | Only in hub |
| Type | Default |
| Conditions | true |
DataConnection
| Property | Details |
|---|---|
| Name | DataConnection |
| Description | It should be possible to create data connections except of type folder |
| Resource filter |
DataConnection_* |
| Actions | Create |
| Context | Only in hub |
| Type | Default |
| Conditions | ((resource.type!="folder")) |
DataPrepAppCacheAccessRule
| Property | Details |
|---|---|
| Name | DataPrepAppCacheAccessRule |
| Description | Everyone, except anonymous users, should have read rights to data connections |
| Resource filter |
DataConnection_<Connection_ID> |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Custom |
| Conditions | !user.isAnonymous() |
Default content library
| Property | Details |
|---|---|
| Name | Default content library |
| Description | The default content library should be visible for all users |
| Resource filter |
ContentLibrary_<Content library ID> |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | true |
DeleteOdagLinkUsage
| Property | Details |
|---|---|
| Name | DeleteOdagLinkUsage |
| Description | Non-anonymous users with read access on the selection app can delete OdagLinkUsages for that app |
| Resource filter |
OdagLinkUsage_* |
| Actions | Read, Delete |
| Context | Only in hub |
| Type | Default |
| Conditions | !user.IsAnonymous() and resource.selectionApp.HasPrivilege("read") |
DeploymentAdmin
| Property | Details |
|---|---|
| Name | DeploymentAdmin |
| Description | Deployment admin should have access rights to deployment related entities |
| Resource filter |
ServiceCluster_*,ServerNodeConfiguration_*,Engine*,Proxy*,VirtualProxy*,Repository*,Printing*,Scheduler*, User*,CustomProperty*,Tag_*,License*, TermsAcceptance_*,ReloadTask_*,ExternalProgramTask_*, UserSyncTask_*,SchemaEvent_*,CompositeEvent_*, Deployment_*,IdentityProviderSettings_*, SystemNotification_*, ExternalProductSignOn_*,CustomBannerMessage_* |
| Actions | Create, Read, Update, Delete |
| Context | Only in QMC |
| Type | Default |
| Conditions | ((user.roles="DeploymentAdmin")) |
DeploymentAdminAppAccess
| Property | Details |
|---|---|
| Name | DeploymentAdminAppAccess |
| Description | Deployment admin should have access rights to see and update apps in order to handle load balancing rules |
| Resource filter |
App_* |
| Actions | Read, Update |
| Context | Only in QMC |
| Type | Default |
| Conditions | ((user.roles="DeploymentAdmin")) |
DeploymentAdminQmcSections
| Property | Details |
|---|---|
| Name | DeploymentAdminQmcSections |
| Description | Deployment admin should have access rights to deployment related sections |
| Resource filter |
License_*,TermsAcceptance_*,ServiceStatus_*,QmcSection_AppDistributionStatus, QmcSection_CloudDistribution,QmcSection_Tag,QmcSection_Templates,QmcSection_ServiceCluster, QmcSection_ServerNodeConfiguration,QmcSection_EngineService,QmcSection_ProxyService, QmcSection_VirtualProxyConfig,QmcSection_RepositoryService, QmcSection_SchedulerService,QmcSection_PrintingService,QmcSection_License*,QmcSection_Token, LoadbalancingSelectList,QmcSection_User,QmcSection_UserDirectory,QmcSection_CustomPropertyDefinition, QmcSection_Certificates,QmcSection_Certificates.Export,QmcSection_Task,QmcSection_App,QmcSection_SyncRule, QmcSection_LoadBalancingRule,QmcSection_Event,QmcSection_ReloadTask,QmcSection_UserSyncTask,QmcSection_Audit, QmcSection_DistributionPolicy,QmcSection_SystemNotification,QmcSection_SystemNotificationPolicy, QmcSection_DeploymentSetup,QmcSection_CustomBannerMessage,,QmcSection_ExternalProductSignOn,QmcSection_EngineHealth |
| Actions | Read |
| Context | Only in QMC |
| Type | Default |
| Conditions | ((user.roles="DeploymentAdmin")) |
DeploymentAdminReadOnly
| Property | Details |
|---|---|
| Name | DeploymentAdminReadOnly |
| Description | Deployment admin should have Read access rights to deployment related entities |
| Resource filter |
EngineHealth_* |
| Actions | Read |
| Context | Only in QMC |
| Type | Default |
| Conditions | ((user.roles="DeploymentAdmin")) |
DeploymentAdminRulesAccess
| Property | Details |
|---|---|
| Name | DeploymentAdminRulesAccess |
| Description | Deployment admin should have access rights to manage sync and license rules |
| Resource filter |
SystemRule_* |
| Actions | Create, Read, Update, Delete |
| Context | Only in QMC |
| Type | Default |
| Conditions | user.roles = "DeploymentAdmin" and (resource.category = "Sync" or resource.category = "License" or resource.category = "Generic") |
ExportAppData
| Property | Details |
|---|---|
| Name | ExportAppData |
| Description | Everyone is allowed to export the app data they are allowed to see, except anonymous users |
| Resource filter |
App_* |
| Actions | Export data |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | resource.HasPrivilege("read") and !user.IsAnonymous() |
Extension
| Property | Details |
|---|---|
| Name | Extension |
| Description | Everyone can view extensions |
| Resource filter |
Extension_* |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | true |
Extension manage content
| Property | Details |
|---|---|
| Name |
Extension manage content |
| Description | Allows everyone that can update an extension to manage its corresponding files |
| Resource filter |
StaticContentReference_* |
| Actions | Create, Read, Update, Delete |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | resource.Extensions.HasPrivilege("Update") |
Extension static content
| Property | Details |
|---|---|
| Name |
Extension static content |
| Description | Allows everyone that can see an extension to see its corresponding files |
| Resource filter |
StaticContentReference_* |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | resource.Extensions.HasPrivilege("Read") |
File upload connection object
| Property | Details |
|---|---|
| Name |
File upload connection object |
| Description | Data connection used for uploading files to server |
| Resource filter |
DataConnection_<data_connection_ID> |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | !user.IsAnonymous() |
FolderDataConnection
| Property | Details |
|---|---|
| Name |
FolderDataConnection |
| Description | It should be possible for admins to create folder data connections |
| Resource filter |
DataConnection_* |
| Actions | Create, Read, Update, Delete |
| Context | Only in hub |
| Type | Default |
| Conditions | resource.type = "folder" and (user.roles = "RootAdmin" or user.roles = "ContentAdmin" or user.roles = "SecurityAdmin") |
HubAdmin
| Property | Details |
|---|---|
| Name | HubAdmin |
| Description | HubAdmins should be able to create and update Reloadtasks and SchemaEvents in the hub |
| Resource filter |
ReloadTask_*,SchemaEvent_*,ExternalProductSignOn_* |
| Actions | Create, Read, Update |
| Context | Only in hub |
| Type | Default |
| Conditions | ((user.roles="HubAdmin")) |
HubSectionHome
| Property | Details |
|---|---|
| Name | HubSectionHome |
| Description | Allows all users to access the home hub section |
| Resource filter |
HubSection_Home |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | true |
HubSectionTask
| Property | Details |
|---|---|
| Name | HubSectionTask |
| Description | Allows all users to access the task hub section |
| Resource filter |
HubSection_Task |
| Actions | Read |
| Context | Only in hub |
| Type | Default |
| Conditions | true |
Installed static content
| Property | Details |
|---|---|
| Name | Installed static content |
| Description | Allows everyone to read installed static content |
| Resource filter |
StaticContentReference_* |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | ((resource.StaticContentSecurityType="Open")) |
ManageAnalyticConnection
| Property | Details |
|---|---|
| Name | ManageAnalyticConnection |
| Description | RootAdmin, ContentAdmin and SecurityAdmin roles should be able to manage an analytical connection |
| Resource filter |
AnalyticConnection_* |
| Actions | Create, Read, Update, Delete |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | ((user.roles="RootAdmin" or user.roles="ContentAdmin" or user.roles="SecurityAdmin")) |
Offline access
| Property | Details |
|---|---|
| Name | Offline access |
| Description | Everyone is allowed offline access to the app they are allowed to see except anonymous users |
| Resource filter |
App_* |
| Actions | Access offline |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | resource.HasPrivilege("read") and !user.IsAnonymous() |
Owner
| Property | Details |
|---|---|
| Name | Owner |
| Description | The owner of a resource should be able to do Update and Delete actions if the resource is not published to a stream |
| Resource filter |
* |
| Actions | Update, Delete |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | resource.IsOwned() and (resource.owner = user and !((resource.resourcetype = "App" and !resource.stream.Empty()) or (resource.resourcetype = "App.Object" and resource.published = "true"))) |
OwnerAnonymousTempContent
| Property | Details |
|---|---|
| Name | OwnerAnonymousTempContent |
| Description | An anonymous owner of temporary content should be able to access and delete it |
| Resource filter |
TempContent_* |
| Actions | Read, Delete |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | user.IsAnonymous() and resource.anonymousOwnerUserId = user.userId |
OwnerAppApproveAppObject
| Property | Details |
|---|---|
| Name | OwnerAppApproveAppObject |
| Description | The owner of an app should be able to approve app objects belonging to the app |
| Resource filter |
App.Object_* |
| Actions | Approve |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | resource.App.owner = user |
OwnerPublishAppObject
| Property | Details |
|---|---|
| Name | OwnerPublishAppObject |
| Description | The owner of an app object should be able to publish an object unless it is approved |
| Resource filter |
App.Object_* |
| Actions | Publish |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | resource.IsOwned() and resource.owner = user and resource.approved = "false" and resource.app.stream.HasPrivilege("publish") |
OwnerPublishDuplicate
| Property | Details |
|---|---|
| Name | OwnerPublishDuplicate |
| Description | The owner of an app or a stream should be able to publish, and the owner of an app should be able to duplicate |
| Resource filter |
App_*,Stream_* |
| Actions | Publish, Duplicate |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | resource.IsOwned() and resource.owner = user |
OwnerRead
| Property | Details |
|---|---|
| Name | OwnerRead |
| Description | The owner of a resource should be able to see the resource if it is published to a stream |
| Resource filter |
* |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | resource.IsOwned() and resource.owner = user |
OwnerUpdateApp
| Property | Details |
|---|---|
| Name | OwnerUpdateApp |
| Description | The owner of an app should be able to do update action |
| Resource filter |
App_* |
| Actions | Update |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | resource.IsOwned() and resource.owner = user |
QMCCachingSupport
| Property | Details |
|---|---|
| Name | QMCCachingSupport |
| Description | Enable this rule along with QmcCacheEnabled flag to support QMC-caching |
| Resource filter |
ExecutionSession_*,ExecutionResult_*,*TaskOperational* |
| Actions | Read |
| Context | Only in QMC |
| Type | Default |
| Conditions | ((user.roles="ContentAdmin" or user.roles="DeploymentAdmin")) |
ReadAnalyticConnectionEveryone
| Property | Details |
|---|---|
| Name | ReadAppContentFiles |
| Description | Non-anonymous users can read an analytic connection |
| Resource filter |
AnalyticConnection_* |
| Actions | Read |
| Context | Only in hub |
| Type | Read only |
| Conditions | !user.IsAnonymous() |
ReadAppContentFiles
| Property | Details |
|---|---|
| Name | ReadAppContentFiles |
| Description | Allows everyone that can see an app to see its content files |
| Resource filter |
StaticContentReference_* |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | resource.AppContents.App.HasPrivilege("Read") |
ReadAppContents
| Property | Details |
|---|---|
| Name | ReadAppContents |
| Description | If you have read rights on the app you should be able to read app content belonging to that app |
| Resource filter |
App.Content_* |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | resource.App.HasPrivilege("read") |
ReadAppDataSegments
| Property | Details |
|---|---|
| Name | ReadAppDataSegments |
| Description | If you have read rights on the app you should be able to read app data segments belonging to that app |
| Resource filter |
App.DataSegment_* |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | resource.App.HasPrivilege("read") and !user.IsAnonymous() |
ReadAppInternals
| Property | Details |
|---|---|
| Name | ReadAppInternals |
| Description | If you have read rights on the app you should be able to read app internals belonging to that app |
| Resource filter |
App.Internal_* |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | resource.App.HasPrivilege("read") |
ReadContentCacheControl
| Property | Details |
|---|---|
| Name | ReadContentCacheControl |
| Description | Read-access to parent content library should also give read-access to referencing content cache controls. |
| Resource filter |
ContentCacheControl_* |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions |
((user.roles="ContentAdmin" or user.roles="SecurityAdmin" or resource.contentLibrary.HasPrivilege("read"))) |
ReadCustomProperties
| Property | Details |
|---|---|
| Name | ReadCustomProperties |
| Description | Non-anonymous users can read custom property definitions and values |
| Resource filter |
CustomProperty* |
| Actions | Read |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | !user.IsAnonymous() |
ReadOdagLinks
| Property | Details |
|---|---|
| Name | ReadOdagLinks |
| Description | Non-anonymous users can read ODAG links |
| Resource filter |
OdagLink_* |
| Actions | Read |
| Context | Only in hub |
| Type | Default |
| Conditions | !user.IsAnonymous() |
ReadOdagLinkUsage
| Property | Details |
|---|---|
| Name | ReadOdagLinkUsage |
| Description | Non-anonymous users with read access to the selection app can read its OdagLinkUsages |
| Resource filter |
OdagLinkUsage_* |
| Actions | Read |
| Context | Only in hub |
| Type | Default |
| Conditions | !user.IsAnonymous() and resource.selectionApp.HasPrivilege("read") |
RootAdmin
| Property | Details |
|---|---|
| Name | RootAdmin |
| Description | Root admin should have full access rights |
| Resource filter |
* |
| Actions |
Create, Read, Update, Delete, Export, Publish, Change owner, Change role, Export data, Access offline, Duplicate, Approve |
| Context | Only in QMC |
| Type | Read only |
| Conditions | ((user.roles="RootAdmin")) |
SecurityAdmin
| Property | Details |
|---|---|
| Name | SecurityAdmin |
| Description | Security admin should have access rights to security related entities |
| Resource filter |
Stream_*,App*,Proxy*,VirtualProxy*,User*,SystemRule_*,CustomProperty*,Tag_*,DataConnection_*, ContentLibrary_*,FileExtension_*,FileExtensionWhiteList_*,Deployment_*, IdentityProviderSettings_*,CustomBannerMessage_* |
| Actions |
Create, Read, Update, Delete, Export, Publish, Change owner,Duplicate, Approve |
| Context | Only in QMC |
| Type | Default |
| Conditions | ((user.roles="SecurityAdmin")) |
SecurityAdminQmcSections
| Property | Details |
|---|---|
| Name | SecurityAdminQmcSections |
| Description | Security admin should have access rights to security related sections |
| Resource filter |
License_*,TermsAcceptance_*,ServiceStatus_*,QmcSection_Stream,QmcSection_App, QmcSection_App.Object,QmcSection_AppDistributionStatus,QmcSection_CloudDistribution,QmcSection_SystemRule, QmcSection_DataConnection,QmcSection_Tag,QmcSection_Templates,QmcSection_Audit,QmcSection_ProxyService,QmcSection_VirtualProxyConfig,QmcSection_User,QmcSection_CustomPropertyDefinition, QmcSection_Certificates,QmcSection_Certificates.Export,QmcSection_ContentLibrary, QmcSection_AnalyticConnection,QmcSection_DeploymentSetup,QmcSection_CustomBannerMessage,QmcSection_EngineHealth |
| Actions |
Read |
| Context | Only in QMC |
| Type | Default |
| Conditions | ((user.roles="SecurityAdmin")) |
SecurityAdminReadOnly
| Property | Details |
|---|---|
| Name | SecurityAdminReadOnly |
| Description | Security admin should have Read access rights to security related entities |
| Resource filter |
EngineHealth_* |
| Actions |
Read |
| Context | Only in QMC |
| Type | Default |
| Conditions | ((user.roles="SecurityAdmin")) |
SecurityAdminServerNodeConfiguration
| Property | Details |
|---|---|
| Name | SecurityAdminServerNodeConfiguration |
| Description | Security admin should have read rights to the ServerNodeConfiguration entity |
| Resource filter |
ServerNodeConfiguration_* |
| Actions |
Read |
| Context | Only in QMC |
| Type | Default |
| Conditions | ((user.roles="SecurityAdmin")) |
ServiceAccount
| Property | Details |
|---|---|
| Name | ServiceAccount |
| Description | The service accounts should be able to do all actions |
| Resource filter |
* |
| Actions |
Create, Read, Update, Delete, Export, Publish, Change owner, Change role, Export data, Access offline, Duplicate, Approve |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | ((user.UserDirectory="INTERNAL" and user.UserId like "sa_*")) |
Shared content manage content
| Property | Details |
|---|---|
| Name | Shared content manage content |
| Description | Allows everyone that can update a shared content to manage its corresponding files |
| Resource filter |
StaticContentReference_* |
| Actions |
Create, Read, Update, Delete |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | resource.SharedContents.HasPrivilege("Update") |
Shared content see content
| Property | Details |
|---|---|
| Name | Shared content see content |
| Description | Allows everyone that can see a shared content to see its corresponding files |
| Resource filter |
StaticContentReference_* |
| Actions |
Read |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | resource.SharedContents.HasPrivilege("Read") |
Stream
Information noteIt is not recommended to create rules that allow users to edit published apps in streams.
| Property | Details |
|---|---|
| Name | Stream |
| Description |
The user should see the resource if he/she has read access to the stream it is published to |
| Resource filter |
App* |
| Actions |
Read |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | (resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read")) |
StreamEveryone
| Property | Details |
|---|---|
| Name | StreamEveryone |
| Description | The default stream called Everyone should be visible for all users and all users should be able to publish to it |
| Resource filter |
Stream_<stream_ID> |
| Actions |
Read, Publish |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | !user.IsAnonymous() |
StreamEveryoneAnonymous
| Property | Details |
|---|---|
| Name | StreamEveryoneAnonymous |
| Description | The default stream called Everyone should be visible for anonymous users |
| Resource filter |
Stream_<stream_ID> |
| Actions |
Read |
| Context | Only in hub |
| Type | Default |
| Conditions | user.IsAnonymous() |
StreamMonitoringAppsPublish
| Property | Details |
|---|---|
| Name | StreamMonitoringAppsPublish |
| Description | RootAdmin, ContentAdmin, and SecurityAdmin should be able to publish to the default stream called Monitoring apps |
| Resource filter |
Stream_<stream_ID> |
| Actions |
Publish |
| Context | Only in hub |
| Type | Default |
| Conditions | ((user.roles="RootAdmin" or user.roles="ContentAdmin" or user.roles="SecurityAdmin")) |
StreamMonitoringAppsRead
| Property | Details |
|---|---|
| Name | StreamMonitoringAppsRead |
| Description | The default stream called Monitoring apps should be visible for default Administrators |
| Resource filter |
Stream_<stream_ID> |
| Actions |
Read |
| Context | Both in hub and QMC |
| Type | Default |
| Conditions | ((user.roles="RootAdmin" or user.roles="ContentAdmin" or user.roles="SecurityAdmin" or user.roles="DeploymentAdmin" or user.roles="AuditAdmin")) |
Temporary content
| Property | Details |
|---|---|
| Name | Temporary content |
| Description | Allows everyone except anonymous users to create temporary content |
| Resource filter |
TempContent_* |
| Actions |
Create |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | !user.IsAnonymous() |
UpdateAppContentFiles
| Property | Details |
|---|---|
| Name | UpdateAppContentFiles |
| Description | Allows everyone that can update an app to manage its content files |
| Resource filter |
StaticContentReference_* |
| Actions |
Create, Read, Update, Delete |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | resource.AppContents.App.HasPrivilege("Update") |
UpdateAppContents
| Property | Details |
|---|---|
| Name | UpdateAppContents |
| Description | If you have update rights on the app you should be able to update app content belonging to that app |
| Resource filter |
App.Content_* |
| Actions |
Update |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | resource.App.HasPrivilege("update") |
UpdateAppDataSegments
| Property | Details |
|---|---|
| Name | UpdateAppDataSegments |
| Description | If you have update rights on the app you should be able to create/update/read/delete app data segments belonging to that app |
| Resource filter |
App.DataSegment_* |
| Actions |
Create, Read, Update, Delete |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | resource.App.HasPrivilege("update") and !user.IsAnonymous() |
UpdateAppInternals
| Property | Details |
|---|---|
| Name | UpdateAppInternals |
| Description | If you have update rights on the app you should be able to create/update/read/delete app internals belonging to that app |
| Resource filter |
App.Internal_* |
| Actions |
Create, Read, Update, Delete |
| Context | Both in hub and QMC |
| Type | Read only |
| Conditions | resource.App.HasPrivilege("update") |