
Security rules evaluation

Each time a user requests access to a resource, Qlik Sense evaluates the request against the security rules in the Qlik Sense system. If at least one rule evaluates to True then Qlik Sense will provide the user with access according to the conditions and actions described in the security rule. If no rules evaluate to True then the user will be denied access. The fact that Qlik Sense security rules are property-based makes Qlik Sense very scalable as you can build rules based on properties that apply to groups of users.

This inclusive method of security rule evaluation means that you should keep the following principles in mind when designing security for resources in Qlik Sense:

  • Access is provided if at least one rule for the resource in question includes access rights for the user who is requesting access.
  • You do not need to write rules that explicitly exclude users.
  • Use roles, user types and group properties as far as possible when designing rules.

The rule preview and auditing tools can then be used to verify and validate that your rules work in practice.

Example 1: Only one rule required to provide user access

Your Finance department publishes financial results to a stream called Quarterly results. To begin with you only want users from the finance department to be able to read from this stream. In this case you need only create a security rule for finance department users that provides the Read action for the Quarterly results stream.

The easiest way to create this security rule is to go to the Streams overview in the QMC, select the stream from the list, click Edit and then add a user condition for Read to the stream in the System rules under Associated items. You can either edit an existing rule, or create a new rule with the user condition for Read. As a condition you would preferably use a group property from the directory service. If available, these properties are shown in the drop-down menus in the Basic view. If the directory service does not include an appropriate group property, you can create a custom property in the QMC, for example, the custom property Departments with the value Finance.

Example 2: More than one rule applies to the user

In the Quarterly results example we created a rule (Rule 1) that allows users belonging to Active Directory group Finance to read the Quarterly results stream. Assume that another rule (Rule 2) gives users belonging to the Active Directory (AD) group Management read access to the Quarterly results stream.

Finally, assume that the Sales director belongs to both Active Directory groups Sales and Management.

|  | Rule 1 | Rule 2 |
|---|---|---|
| Allow users to | Read | Read |
| On resource | Quarterly results stream | Quarterly results stream |
| Provided that | group=Finance | group=Management |
| Evaluates to | False | True |

Resulting access for Sales director: Provide read access

Example 3: More than one rule with different access rights

In the Quarterly results example we created a rule (Rule 1) that allows users belonging to Active Directory group Finance to read the Quarterly results stream. Assume that another rule (Rule 2) gives users belonging to the Active Directory (AD) group Management read access to the Quarterly results stream. Finally, Rule 3 allows Management users to update apps in streams that they have read access to.

Assume that the Sales director belongs to both Active Directory groups Sales and Management.

|  | Rule 1 | Rule 2 | Rule 3 |
|---|---|---|---|
| Allow users to | Read | Read | Update |
| On resource | Quarterly results stream | Quarterly results stream | All apps and sheets if user has read access to stream |
| Provided that | group=Finance | group=Management | group=Management |
| Evaluates to | False | True | True |

Resulting access for Sales director: Provide read and update access

Example 4: Out-of-the-box Qlik Sense rules

The Finance office in the UK has published an app to the Quarterly results stream called UK quarterly report. They want Finance users in the UK office to be the only users with read access to that app. For this purpose the UK administrator creates Rule 3 that explicitly states that only users belonging to AD group Finance and UK office have read access. Also assume that Rule 2 from Example 1 and the out-of-the-box Stream rule are in place.

In this case Finance in the UK may have assumed that the Sales director would not be able to read the UK quarterly report app. However, this is not the case: Rule 2 allows Management to read the Quarterly reports stream, and the Stream rule allows all users that have read access to the Quarterly reports stream to read all apps on that stream.

|  | Rule 2 | Rule 3 | Stream rule |
|---|---|---|---|
| Allow users to | Read | Read | Read |
| On resource | Quarterly reports stream | UK quarterly report app published on Quarterly reports stream | All apps and sheets in a stream |
| Provided that | group=Management | group=Finance AND office=UK | User has read access to the stream |
| Evaluates to | True | False | True |

Resulting access for Sales director: Provide read access
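
The evaluation in Example 4 can be reproduced with a small model. This is an added example, not Qlik Sense code or rule syntax: the `Rule` class, the function names and the user and resource records are all constructed for illustration, and the model assumes only the inclusive, allow-only evaluation described on this page.

```python
# Added illustration: a simplified model of inclusive (allow-only) rule
# evaluation. Names and data are constructed; this is not Qlik Sense code.
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    applies_to: Callable[[dict], bool]        # resource filter
    condition: Callable[[dict, dict], bool]   # (user, resource) -> bool

def granting_rules(rules, user, resource, action):
    """Names of every rule that grants `action`; an empty list means denied."""
    return [r.name for r in rules
            if r.action == action and r.applies_to(resource)
            and r.condition(user, resource)]

def allowed(rules, user, resource, action):
    # Inclusive evaluation: one matching rule is enough, nothing can subtract.
    return bool(granting_rules(rules, user, resource, action))

# Constructed resources and users mirroring Example 4.
STREAM = {"type": "Stream", "name": "Quarterly results"}
UK_APP = {"type": "App", "name": "UK quarterly report", "stream": STREAM}
SALES_DIRECTOR = {"groups": {"Sales", "Management"}, "office": None}
UK_FINANCE = {"groups": {"Finance"}, "office": "UK"}
SALES_REP = {"groups": {"Sales"}, "office": "UK"}

RULES = [
    Rule("Rule 2", "Read", lambda res: res is STREAM,
         lambda u, res: "Management" in u["groups"]),
    Rule("Rule 3", "Read", lambda res: res is UK_APP,
         lambda u, res: "Finance" in u["groups"] and u["office"] == "UK"),
    # Stream rule: read access to a stream extends to every app published on it.
    Rule("Stream rule", "Read", lambda res: res["type"] == "App",
         lambda u, res: allowed(RULES, u, res["stream"], "Read")),
]

if __name__ == "__main__":
    for label, user in [("Sales director", SALES_DIRECTOR),
                        ("UK Finance user", UK_FINANCE),
                        ("Sales rep", SALES_REP)]:
        print(label, "-> UK app read granted by:",
              granting_rules(RULES, user, UK_APP, "Read") or "nothing (denied)")
```

Listing the granting rules, rather than only the yes/no result, shows that the Sales director's access to the app comes from the Stream rule and not from Rule 3. Because rules only add access, Rule 3 does not narrow what Rule 2 and the Stream rule already grant.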
