Managed spaces provide governed access to applications in Qlik Cloud Analytics. Applications published to a managed space keep the data loaded in the application, but do not include their data files or data connections. This enables the use of mock data in application development that is replaced with real data when the application is published without changing the load script.
Applications do not include their data sources when they are published to a managed space. The application load script remains unchanged, however. By using space-aware data sources in your load script, development data sources in personal or shared spaces can be replaced with the final data sources when the application is added to the managed space. This helps keep strict data governance for applications and their users in managed spaces.
Space-aware data sources syntax enables you to specify in the load script that the data sources exist in the current space, rather than in a specific space. The application will always look in the current space for the data sources. By using mock data sets and real data sets with the same name, published applications can seamlessly switch to the final data sources.
Space-aware data source syntax examples
This example loads the file orders.csv from the current space. If the application is moved to another space, for example, it will use the file orders.csv in the new space.
LOAD * FROM [lib://:DataFiles/orders.csv];This example loads the table Sales_data from the DataSource data connection in the current space.
LIB CONNECT TO ':DataSource';
LOAD *;
SQL SELECT * FROM `Sales_data`;For more information using space-aware data sources, see:
- Connect to data sources in load scripts
- Adding data from uploaded data files
- Loading data from files
Best practice workflow for governed applications and data
The following is an example best practice workflow for governed applications and data sources in managed spaces.
Mock data sources are created that share the same names as the real data sources that will be used in the managed space. These mock data sources are added to a shared space where application developers have Can manage, Can edit, or Can edit data in applications permissions. Developers reference these data sources in the load script so that the load script looks for the data sources in the current space. When the applications are ready, the application is published to the managed space, where the managed space administrator adds the real data sources. This populates the applications with sensitive data while preventing the application developers from seeing any sensitive information.
This workflow involves three primary users:
- Tenant administrator: The tenant administrator creates the managed space and then assigns users and roles to the managed space.
- Governed Manager: The user in charge of managing access to sensitive data and administering the managed spaces
- Developer: The user in change of developing applications for the managed space and publishing them to the space.
This workflow occurs in four steps:
- Create the spaces.
- Add mock data and develop the application.
- Publish applications to managed space containing real data.
- Adding application consumers to the managed space.
Creating managed space and shared spaces
First, the spaces are created and then users are added to them.
Do the following:
- The tenant administrator creates a managed space, Secure Apps, as the destination for published governed applications.
-
The tenant administrator adds two members to Secure Apps:
- The lead application developer, Developer, is added with Can publish permission.
- The owner of the governed applications, Governed Manager, is made the space owner.
- Developer creates the Develop Apps shared space for the development of the governed applications. Optionally, additional developers are added with Can edit and Can edit data in applications roles.
Developing applications with mock data
Next, mock data is added and the application is developed.
Do the following:
-
Developer adds mock testing data to the Develop Apps space. This data can be used once or in continuous deployment scenarios.
Data can be made available to a space by adding an application and then adding the data source to the application. Once a data source has been added to an application in the space, it is available to all users with Can edit and Can edit data in applications roles in the space.
Information noteUsers with Can consume data can also view the data sources, and they can consume the data where they have permission to create applications. They cannot add, edit, or delete data sources. They have no permissions to view, add, edit, or delete applications. -
Developer develops applications in the Develop Apps space. These applications use space-aware scripting to always look for the data sources in the current space.
For space-aware connection syntax in Data load editor, see Connect to data sources in load scripts.
If Developer uses Data manager, they unlock the load script for editing and update the data source references to use space-aware connection syntax.
Publishing applications and adding final data
The application is published to the managed space. The real data sources are added to the managed space.
Do the following:
- When the application is ready for release, Governed Manager adds production data to the Secure Apps space.
- Developer publishes the application from Develop Apps to Secure Apps.
- Governed Manager schedules reloads for the application and confirms the application can reload data without errors.
Adding application consumers to the managed space
Finally, the application consumers are added to the managed space.
Do the following:
- Governed Manager adds Can view members to the Secure Apps managed space. These users will be able to open and create private bookmarks, snapshots and stories.
- Governed Manager adds Can contribute members to the Secure Apps managed space. These users will be able to additionally create community sheets, stories & bookmarks, and publish community sheets in the published application.