QlikWorld 2020 Global Conference. Join us to discover how to get the most from your data. Act fast. Register now and save.

Security rules installed in Qlik Sense

In a Qlik Sense installation, a number of security rules are included by default and available in the QMC. The security rules can be used to grant users access to areas in Qlik Sense. These rules are of two types: Default and Read only. The Read only rules are essential to Qlik Sense and cannot be edited or deleted. The Default rules can be edited. When you edit a Default rule, the type is changed to Custom.

Note: If you want to edit a Default rule, we strongly recommend that you create a copy of the original and edit the copy, because you may want to use original rule later on. Remember to disable the original rule before using the copy.

The following security rules are included by default in a Qlik Sense installation.

AuditAdmin

Name AuditAdmin
Description Audit admin should have read rights to audit entities
Resource filter

*

Actions Read
Context Only in QMC
Type Default
Conditions user.roles = "AuditAdmin" and !(resource.resourcetype = "TransientObject" and resource.name like "QmcSection_*")

AuditAdminQmcSections

Name AuditAdminQmcSections
Description Audit admin should have read rights to audit related sections
Resource filter

License_*,TermsAcceptance_*,QmcSection_Tag,QmcSection_Audit

Actions Read
Context Only in QMC
Type Default
Conditions ((user.roles="AuditAdmin"))

Content library content

Name Content library content
Description Everyone who has read rights to a content library should also have read rights to its corresponding files
Resource filter

StaticContentReference_*

Actions Read
Context Both in hub and QMC
Type Read only
Conditions resource.ContentLibrarys.HasPrivilege("Read")

Content library manage content

Name Content library manage content
Description Everyone who has update rights to a content library should also have rights to manage its corresponding files
Resource filter

StaticContentReference_*

Actions Create, Read, Update, Delete
Context Both in hub and QMC
Type Read only
Conditions resource.ContentLibrarys.HasPrivilege("Update")

ContentAdmin

Name ContentAdmin
Description Content admin should have rights to manage content related entities
Resource filter

Stream_*,App*,ReloadTask_*,UserSyncTask_*,SchemaEvent_*,User*,CustomProperty*,Tag_*, DataConnection_*,CompositeEvent_*,Extension_*,ContentLibrary_*

Actions Create, Read, Update, Delete, Export, Publish, Change owner
Context Only in QMC
Type Default
Conditions ((user.roles="ContentAdmin"))

ContentAdminQmcSections

Name ContentAdminQmcSections
Description Content admin should have read rights to content related sections
Resource filter

License_*,TermsAcceptance_*,QmcSection_Stream,QmcSection_App,QmcSection_App.Object, QmcSection_DataConnection,QmcSection_Tag,QmcSection_User, QmcSection_CustomPropertyDefinition,QmcSection_Task,QmcSection_Event, QmcSection_SchemaEvent,QmcSection_CompositeEvent,QmcSection_Extension, QmcSection_ReloadTask,QmcSection_UserSyncTask,QmcSection_ContentLibrary,QmcSection_Audit

Actions Read
Context Only in QMC
Type Default
Conditions ((user.roles="ContentAdmin"))

ContentAdminRulesAccess

Name ContentAdminRulesAccess
Description Content admin should have rights to manage security rules for streams, data connections, content libraries, and extensions
Resource filter

SystemRule_*

Actions Create, Read, Update, Delete
Context Only in QMC
Type Default
Conditions user.roles = "ContentAdmin" and resource.category = "Security" and (resource.resourcefilter matches "Stream_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}" or resource.resourcefilter matches "DataConnection_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}" or resource.resourcefilter matches "ContentLibrary_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}" or resource.resourcefilter matches "Extension_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}")

CreateApp

Name CreateApp
Description Everyone, except anonymous users, should have rights to create apps
Resource filter

App_*

Actions Create
Context Only in hub
Type Default
Conditions !user.IsAnonymous()

CreateAppObjectsPublishedApp

Name CreateAppObjectsPublishedApp
Description Everyone who has read rights to a published app should also have rights to create sheets, stories, bookmarks and snapshots belonging to that app
Resource filter

App.Object_*

Actions Create
Context Only in hub
Type Default
Conditions !resource.App.stream.Empty() and resource.App.HasPrivilege("read") and (resource.objectType = "userstate" or resource.objectType = "sheet" or resource.objectType = "story" or resource.objectType = "bookmark" or resource.objectType = "snapshot" or resource.objectType = "embeddedsnapshot" or resource.objectType = "hiddenbookmark") and !user.IsAnonymous()

CreateAppObjectsUnPublishedApp

Name CreateAppObjectsUnPublishedApp
Description Everyone who has read rights to an unpublished app should also have rights to create app objects belonging to that app
Resource filter

App.Object_*

Actions Create
Context Only in hub
Type Default
Conditions resource.App.stream.Empty() and resource.App.HasPrivilege("read") and !user.IsAnonymous()

CreateOdagLinks

Name CreateOdagLinks
Description Non-anonymous users with read access to the ODAG template app can create links and it is possible to create a link without first knowing the template app
Resource filter

OdagLink_*

Actions Create
Context Only in hub
Type Default
Conditions !user.IsAnonymous() and (resource.templateApp.Empty() or resource.templateApp.HasPrivilege("read"))

CreateOdagLinkUsage

Name CreateOdagLinkUsage
Description Non-anonymous users with read access to the selectionApp and read access to the link can create OdagLinkUsages
Resource filter

OdagLinkUsage_*

Actions Create
Context Only in hub
Type Default
Conditions !user.IsAnonymous() and (resource.selectionApp.Empty() or resource.selectionApp.HasPrivilege("read")) and (resource.link.Empty() or resource.link.HasPrivilege("read"))

CreateOdagRequest

Name CreateOdagRequest
Description Non-anonymous users with read access to the link can create new Requests using that link
Resource filter

OdagRequest_*

Actions Create
Context Only in hub
Type Default
Conditions !user.IsAnonymous() and (resource.link.HasPrivilege("read"))

DataConnection

Name DataConnection
Description Data connections can be created for all resource types, except "folder"
Resource filter

DataConnection_*

Actions Create
Context Only in hub
Type Default
Conditions ((resource.type!="folder"))

Default content library

Name Default content library
Description Everyone should have read rights to the default content library
Resource filter

ContentLibrary_<Content library ID>

Actions Read
Context Both in hub and QMC
Type Default
Conditions true

Default content library

Name Default content library
Description Everyone should have read rights to the default content library
Resource filter

ContentLibrary_<Content library ID>

Actions Read
Context Both in hub and QMC
Type Default
Conditions true

DeleteOdagLinkUsage

Name DeleteOdagLinkUsage
Description Non-anonymous users with read access on the selection app can delete OdagLinkUsages for that app
Resource filter

OdagLinkUsage_*

Actions Read, Delete
Context Only in hub
Type Default
Conditions !user.IsAnonymous() and resource.selectionApp.HasPrivilege("read")

DeploymentAdmin

Name DeploymentAdmin
Description Deployment admin should have access rights to deployment related entities
Resource filter

ServiceCluster_*,ServerNodeConfiguration_*,Engine*,Proxy*,VirtualProxy*,Repository*,Printing*,Scheduler*,User*,CustomProperty*,Tag_*,License*,TermsAcceptance_*,ReloadTask_*,UserSyncTask_*,SchemaEvent_*,CompositeEvent_*

Actions Create, Read, Update, Delete
Context Only in QMC
Type Default
Conditions ((user.roles="DeploymentAdmin"))

DeploymentAdminAppAccess

Name DeploymentAdminAppAccess
Description Deployment admin should have read and update rights to apps in order to handle load balancing rules
Resource filter

App_*

Actions Read, Update
Context Only in QMC
Type Default
Conditions ((user.roles="DeploymentAdmin"))

DeploymentAdminQmcSections

Name DeploymentAdminQmcSections
Description Deployment admin should have read rights to deployment related sections
Resource filter

License_*,TermsAcceptance_*,ServiceStatus_*,QmcSection_Tag,QmcSection_Templates, QmcSection_ServiceCluster,QmcSection_ServerNodeConfiguration,QmcSection_EngineService, QmcSection_ProxyService,QmcSection_VirtualProxyConfig,QmcSection_RepositoryService, QmcSection_SchedulerService,QmcSection_PrintingService,QmcSection_License*, QmcSection_Token,LoadbalancingSelectList,QmcSection_User,QmcSection_UserDirectory, QmcSection_CustomPropertyDefinition,QmcSection_Certificates, QmcSection_Certificates.Export,QmcSection_Task,QmcSection_App,QmcSection_SyncRule, QmcSection_LoadBalancingRule,QmcSection_Event, QmcSection_ReloadTask, QmcSection_UserSyncTask, QmcSection_Audit

Actions Read
Context Only in QMC
Type Default
Conditions ((user.roles="DeploymentAdmin"))

DeploymentAdminRulesAccess

Name DeploymentAdminRulesAccess
Description Deployment admin should have rights to manage sync and license rules
Resource filter

SystemRule_*

Actions Create, Read, Update, Delete
Context Only in QMC
Type Default
Conditions user.roles = "DeploymentAdmin" and (resource.category = "Sync" or resource.category = "License")

ExportAppData

Name ExportAppData
Description Everyone is allowed to export the app data they are allowed to see, except anonymous users
Resource filter

App_*

Actions Export data
Context Both in hub and QMC
Type Default
Conditions resource.HasPrivilege("read") and !user.IsAnonymous()

Extension

Name Extension
Description Everyone should have read rights to extensions
Resource filter

Extension_*

Actions Read
Context Both in hub and QMC
Type Default
Conditions true

Extension manage content

Name

Extension manage content

Description Everyone who has update rights to an extension should have rights to manage its corresponding files
Resource filter

StaticContentReference_*

Actions Create, Read, Update, Delete
Context Both in hub and QMC
Type Read only
Conditions resource.Extensions.HasPrivilege("Update")

Extension static content

Name

Extension static content

Description Everyone who has read rights to an extension should have read rights to its corresponding files
Resource filter

StaticContentReference_*

Actions Read
Context Both in hub and QMC
Type Read only
Conditions resource.Extensions.HasPrivilege("Read")

File upload connection object

Name

File upload connection object

Description Everyone, except anonymous users, should have read rights to data connections used for uploading files to server
Resource filter

DataConnection_<data_connection_ID>

Actions Read
Context Both in hub and QMC
Type Default
Conditions !user.IsAnonymous()

FolderDataConnection

Name

FolderDataConnection

Description Admins should have rights to manage folder data connections
Resource filter

DataConnection_*

Actions Create, Read, Update, Delete
Context Only in hub
Type Default
Conditions resource.type = "folder" and (user.roles = "RootAdmin" or user.roles = "ContentAdmin" or user.roles = "SecurityAdmin")

HubSections

Name HubSections
Description Everyone should have read rights to all hub sections
Resource filter

HubSection_*

Actions Read
Context Both in hub and QMC
Type Default
Conditions true

Installed static content

Name Installed static content
Description Everyone should have read rights to installed static content
Resource filter

StaticContentReference_*

Actions Read
Context Both in hub and QMC
Type Read only
Conditions ((resource.StaticContentSecurityType="Open"))

ManageAnalyticConnection

Name ManageAnalyticConnection
Description RootAdmin, ContentAdmin and SecurityAdmin roles should be able to manage an analytical connection
Resource filter

AnalyticConnection_*

Actions Create, Read, Update, Delete
Context Both in hub and QMC
Type Default
Conditions ((user.roles="RootAdmin" or user.roles="ContentAdmin" or user.roles="SecurityAdmin"))

Offline access

Name Offline access
Description Everyone is allowed offline access to the app they are allowed to see except anonymous users
Resource filter

App_*

Actions Read
Context Both in hub and QMC
Type Default
Conditions resource.HasPrivilege("read") and !user.IsAnonymous()

Owner

Name Owner
Description The owner of a resource should have update and delete rights if the resource is not published to a stream
Resource filter

*

Actions Update, Delete
Context Both in hub and QMC
Type Default
Conditions resource.IsOwned() and (resource.owner = user and !((resource.resourcetype = "App" and !resource.stream.Empty()) or (resource.resourcetype = "App.Object" and resource.published = "true")))

OwnerAnonymousTempContent

Name OwnerAnonymousTempContent
Description An anonymous owner of temporary content should be able to access and delete it
Resource filter

TempContent_*

Actions Read, Delete
Context Both in hub and QMC
Type Read only
Conditions user.IsAnonymous() and resource.anonymousOwnerUserId = user.userId

OwnerDistribute

Name OwnerDistribute
Description The owner of apps and streams should be able to distribute
Resource filter

App_*, Stream_*

Actions Distribute
Context Both in hub and QMC
Type Default
Conditions resource.IsOwned() and resource.owner = user

OwnerAppApproveAppObject

Name OwnerAppApproveAppObject
Description The owner of an app should be able to approve app objects belonging to the app
Resource filter

App.Object_*

Actions Approve
Context Both in hub and QMC
Type Default
Conditions resource.App.owner = user

OwnerPublishAppObject

Name OwnerPublishAppObject
Description The owner of an app object should have publish rights to the object unless it is approved
Resource filter

App.Object_*

Actions Publish
Context Both in hub and QMC
Type Default
Conditions resource.IsOwned() and resource.owner = user and resource.approved = "false" and resource.app.stream.HasPrivilege("publish")

OwnerPublishDuplicate

Name OwnerPublishDuplicate
Description The owner of an app or a stream should be able to publish, and the owner of an app should be able to duplicate
Resource filter

App_*,Stream_*

Actions Publish, Duplicate
Context Both in hub and QMC
Type Default
Conditions resource.IsOwned() and resource.owner = user

OwnerRead

Name OwnerRead
Description The owner of a resource should have read rights to the resource if it is published to a stream
Resource filter

*

Actions Read
Context Both in hub and QMC
Type Read only
Conditions resource.IsOwned() and resource.owner = user

OwnerUpdateApp

Name OwnerUpdateApp
Description The owner of an app should be able to update
Resource filter

App_*

Actions Update
Context Both in hub and QMC
Type Default
Conditions resource.IsOwned() and resource.owner = user

ReadAnalyticConnectionEveryone

Name ReadAppContentFiles
Description Non-anonymous users can read an analytic connection
Resource filter

AnalyticConnection_*

Actions Read
Context Only in hub
Type Read only
Conditions !user.IsAnonymous()

ReadAppContentFiles

Name ReadAppContentFiles
Description Everyone who has read rights to an app should also have read rights to its content files
Resource filter

StaticContentReference_*

Actions Read
Context Both in hub and QMC
Type Read only
Conditions resource.AppContents.App.HasPrivilege("Read")

ReadAppContents

Name ReadAppContents
Description Everyone who has read rights to an app should also have read rights to app content belonging to that app
Resource filter

App.Content_*

Actions Read
Context Both in hub and QMC
Type Read only
Conditions resource.App.HasPrivilege("read")

ReadAppDataSegments

Name ReadAppDataSegments
Description Everyone who has read rights to an app should also have read rights to app data segments belonging to that app
Resource filter

App.DataSegment_*

Actions Read
Context Both in hub and QMC
Type Read only
Conditions resource.App.HasPrivilege("read") and !user.IsAnonymous()

ReadAppInternals

Name ReadAppInternals
Description Everyone who has read rights to an app should also have read rights to app internals belonging to that app
Resource filter

App.Internal_*

Actions Read
Context Both in hub and QMC
Type Read only
Conditions resource.App.HasPrivilege("read")

ReadCustomProperties

Name ReadCustomProperties
Description Non-anonymous users can read custom property definitions and values
Resource filter

CustomProperty*

Actions Read
Context Both in hub and QMC
Type Default
Conditions !user.IsAnonymous()

ReadFileReference

Name ReadFileReference
Description Everyone, except anonymous users, should have read rights to file references
Resource filter

FileReference_*

Actions Read
Context Both in hub and QMC
Type Read only
Conditions !user.IsAnonymous()

ReadOdagLinks

Name ReadOdagLinks
Description Non-anonymous users can read ODAG links
Resource filter

OdagLink_*

Actions Read
Context Only in hub
Type Default
Conditions !user.IsAnonymous()

ReadOdagLinkUsage

Name ReadOdagLinkUsage
Description Non-anonymous users with read access to the selection app can read its OdagLinkUsages
Resource filter

OdagLinkUsage_*

Actions Read
Context Only in hub
Type Default
Conditions !user.IsAnonymous()

RootAdmin

Name RootAdmin
Description Root admin should have full access rights
Resource filter

*

Actions

Create, Read, Update, Delete, Export, Publish, Change owner, Change role, Export data

Context Only in QMC
Type Read only
Conditions ((user.roles="RootAdmin"))

SecurityAdmin

Name SecurityAdmin
Description Security admin should have access rights to security related entities
Resource filter

Stream_*,App*,Proxy*,VirtualProxy*,User*,SystemRule_*,CustomProperty*,Tag_*, DataConnection_*,ContentLibrary_*

Actions

Create, Read, Update, Delete, Export, Publish, Change owner

Context Only in QMC
Type Default
Conditions ((user.roles="SecurityAdmin"))

SecurityAdminQmcSections

Name SecurityAdminQmcSections
Description Security admin should have read rights to security related sections
Resource filter

License_*,TermsAcceptance_*,ServiceStatus_*,QmcSection_Stream,QmcSection_App, QmcSection_App.Object,QmcSection_SystemRule,QmcSection_DataConnection,QmcSection_Tag, QmcSection_Templates,QmcSection_Audit,QmcSection_ProxyService,QmcSection_VirtualProxyConfig, QmcSection_User, QmcSection_CustomPropertyDefinition,QmcSection_Certificates, QmcSection_Certificates.Export,QmcSection_ContentLibrary

Actions

Read

Context Only in QMC
Type Default
Conditions ((user.roles="SecurityAdmin"))

SecurityAdminServerNodeConfiguration

Name SecurityAdminServerNodeConfiguration
Description Security admin should have read rights to the ServerNodeConfiguration entity
Resource filter

ServerNodeConfiguration_*

Actions

Read

Context Only in QMC
Type Default
Conditions ((user.roles="SecurityAdmin"))

ServiceAccount

Name ServiceAccount
Description Service accounts should have rights to perform all actions
Resource filter

*

Actions

Create, Read, Update, Delete, Export, Publish, Change owner, Change role, Export data

Context Both in hub and QMC
Type Read only
Conditions ((user.UserDirectory="INTERNAL" and user.UserId like "sa_*"))

Shared content manage content

Name Shared content manage content
Description Everyone who has update rights to shared content should also have rights to manage its corresponding files
Resource filter

StaticContentReference_*

Actions

Create, Read, Update, Delete

Context Both in hub and QMC
Type Read only
Conditions resource.SharedContents.HasPrivilege("Update")

Shared content see content

Name Shared content see content
Description Everyone who has read rights to shared content should also have read rights to the corresponding files
Resource filter

StaticContentReference_*

Actions

Read

Context Both in hub and QMC
Type Read only
Conditions resource.SharedContents.HasPrivilege("Read")

Stream

Name Stream
Description

Everyone who has read rights to a stream should also have read rights to a resource published to that stream

Resource filter

App*

Actions

Read

Context Both in hub and QMC
Type Default
Conditions (resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read"))

StreamEveryone

Name StreamEveryone
Description Everyone, except anonymous users, should have read and publish rights to the default stream called Everyone
Resource filter

Stream_<stream_ID>

Actions

Read, Publish

Context Both in hub and QMC
Type Default
Conditions !user.IsAnonymous()

StreamEveryoneAnonymous

Name StreamEveryoneAnonymous
Description Anonymous users should have read rights to the default stream called Everyone
Resource filter

Stream_<stream_ID>

Actions

Read

Context Only in hub
Type Default
Conditions user.IsAnonymous()

StreamMonitoringAppsPublish

Name StreamMonitoringAppsPublish
Description RootAdmin, ContentAdmin, and SecurityAdmin should have publish rights to the default stream called Monitoring apps
Resource filter

Stream_<stream_ID>

Actions

Publish

Context Only in hub
Type Default
Conditions ((user.roles="RootAdmin" or user.roles="ContentAdmin" or user.roles="SecurityAdmin"))

StreamMonitoringAppsRead

Name StreamMonitoringAppsRead
Description Default administrators should have read rights to the default stream called Monitoring apps
Resource filter

Stream_<stream_ID>

Actions

Read

Context Both in hub and QMC
Type Default
Conditions ((user.roles="RootAdmin" or user.roles="ContentAdmin" or user.roles="SecurityAdmin" or user.roles="DeploymentAdmin" or user.roles="AuditAdmin"))

Temporary content

Name Temporary content
Description Everyone, except anonymous users, should have rights to create temporary content
Resource filter

TempContent_*

Actions

Create

Context Both in hub and QMC
Type Read only
Conditions !user.IsAnonymous()

UpdateAppContentFiles

Name UpdateAppContentFiles
Description Everyone who has update rights to an app should also have rights to manage its content files
Resource filter

StaticContentReference_*

Actions

Create, Read, Update, Delete

Context Both in hub and QMC
Type Read only
Conditions resource.AppContents.App.HasPrivilege("Update")

UpdateAppContents

Name UpdateAppContents
Description Everyone who has update rights to an app should also have update rights to app content belonging to that app
Resource filter

App.Content_*

Actions

Update

Context Both in hub and QMC
Type Read only
Conditions resource.App.HasPrivilege("update")

UpdateAppDataSegments

Name UpdateAppDataSegments
Description Everyone who has update rights to an app should also have rights to manage app data segments belonging to that app
Resource filter

App.DataSegment_*

Actions

Create, Read, Update, Delete

Context Both in hub and QMC
Type Read only
Conditions resource.App.HasPrivilege("update") and !user.IsAnonymous()

UpdateAppInternals

Name UpdateAppInternals
Description Everyone who has update rights to an app should also have rights to manage app internals belonging to that app
Resource filter

App.Internal_*

Actions

Create, Read, Update, Delete

Context Both in hub and QMC
Type Read only
Conditions resource.App.HasPrivilege("update")

Did this information help you?

Thanks for letting us know. Is there anything you'd like to tell us about this topic?

Can you tell us why it did not help you and how we can improve it?