
Security rules example: Applying Qlik Sense access rights for user types

In this example, you set access rights according to user types. Your development department comprises the following user types:

  • Developer: is allowed to create apps, sheets, stories, objects and can use and create data connections.
  • Contributor: is allowed to create stories and sheets for published apps but is not allowed to create new apps.
  • Consumer: can only consume and is not allowed to create content.

The following activities with corresponding access rights have been identified:

Activity | Developer | Contributor | Consumer
Create app | Allowed | Not allowed | Not allowed
Create app object | Allowed | Allowed | Not allowed
Create data connection | Allowed | Not allowed | Not allowed

Information note: The following assumes that you have the out-of-the-box rule Stream in place, which gives users read access to apps on a stream that they have read access to. This enables Consumers to read apps. Also, when setting up the access rights according to this example, the following out-of-the-box security rules must be disabled: CreateApp, CreateAppObjectsPublishedApp, CreateAppObjectsUnPublishedApp, DataConnection.

You set access rights according to user types by using security rules in the following main steps:

  1. Define each type of user in such a way that makes it possible to apply rules to each type of user instead of individual users.
  2. Apply the custom property to the relevant users.

    Tip note: Alternatively, if you have a user directory with a corresponding group you can use that instead of custom properties.
  3. Create one rule per type of activity.

Procedure

Do the following:

  1. Define the user types as values to a custom property.
    1. Create a custom property called UserType.
    2. Apply the custom property to the resource type Users.
    3. Define the custom property values as Developer, Contributor and Consumer.
    4. Click Apply.
  2. Apply the UserType custom property to the appropriate users in the Users page.
  3. Create the four new security rules (CreateApp, CreateAppObjectsPublishedApp, CreateAppObjectsUnPublishedApp, and DataConnection):
    1. Select Security rules and click Create new.
    2. In the Advanced and Basic sections, fill in the fields Resource filter, Conditions, Actions and Context as given in the Security rule code section.
    3. Set the Name to correspond to the activity.

    4. Click Apply.
  4. Make sure the following out-of-the-box security rules are disabled or deleted:

    1. CreateApp
    2. CreateAppObjectsPublishedApp
    3. CreateAppObjectsUnPublishedApp
    4. DataConnection

You have now created rules to give access rights according to user types.

Security rule code

The following is the security rule code for this example, with explanatory comments:

Security rule code for "Create app"

Field: Resource filter
Code: App_*,FileReference_*
Comments: Specifically filters on resource types apps.

Field: Conditions
Code: !user.IsAnonymous() and (user.@usertype="Developer")
Comments:

  !user.IsAnonymous()
  This condition uses the security rules function IsAnonymous, which evaluates whether the user is logged in as anonymous. In this case, if the user is logged in as Anonymous the rule will NOT apply.

  (user.@usertype="Developer")
  The rule will apply to all users that have the custom property @usertype set to Developer.

  Tip note: Alternatively, if you have a user directory with a corresponding group you can use that instead of custom properties. In this case the condition could look like this: user.group="Developer".

Field: Actions
Code: create
Comments: The specified actions will be granted provided the conditions are met.

Security rule code for "Create app object" (sheets, stories, app objects)

Field: Resource filter
Code: App.Object_*
Comments: Specifically filters on resource types App.Object.

Field: Conditions
Code: resource.App.HasPrivilege("read") and !user.IsAnonymous() and (user.@usertype="Developer" or user.@usertype="Contributor")
Comments:

  resource.App.HasPrivilege("read") and
  This condition uses the security rules function HasPrivilege, which can be used to evaluate access rights for resource types.

  In this instance the function evaluates if the resource type user is allowed to perform the action update on the resource sheet. This means that Contributors will be allowed to create objects for sheets that they own.

Field: Actions
Code: create
Comments: The specified actions will be granted provided the conditions are met.

Security rule code for "Data connections"

Field: Resource filter
Code: DataConnection_*
Comments: Specifically filters on data connections.

Field: Conditions
Code: resource.resourcetype = "DataConnection" and (user.@usertype="Developer")
Comments:

  resource.resourcetype = "DataConnection" and
  The rule will apply to resources of the type DataConnection.

  user.@usertype="Developer"
  The rule will apply to users with the custom property @usertype set to "Developer".

Field: Actions
Code: create
Comments: Create action will be granted provided that the conditions are met.
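
A check that an exported rule list matches the setup above: the four out-of-the-box rules disabled and one enabled custom rule per resource filter with the condition given on this page. This is an added example, not Qlik's own code; the record fields (name, type, disabled, resourceFilter, rule), the "Default"/"Custom" type values, the helper names and the sample data are assumptions.

```python
# Added example: audit an exported rule list against the setup on this page.
# Assumed record fields: name, type (Default/Custom), disabled, resourceFilter, rule.
DEFAULTS_TO_DISABLE = {"CreateApp", "CreateAppObjectsPublishedApp",
                       "CreateAppObjectsUnPublishedApp", "DataConnection"}
# Resource filter -> condition, copied from the rule code on this page.
EXPECTED_CUSTOM = {
    "App_*,FileReference_*": '!user.IsAnonymous() and (user.@usertype="Developer")',
    "App.Object_*":
        'resource.App.HasPrivilege("read") and !user.IsAnonymous() and '
        '(user.@usertype="Developer" or user.@usertype="Contributor")',
    "DataConnection_*":
        'resource.resourcetype = "DataConnection" and (user.@usertype="Developer")',
}

def normalize(expr):
    """Drop whitespace so spacing differences do not raise false findings."""
    return "".join(expr.split())

def audit(rules):
    """Return sorted findings; an empty list means the export matches."""
    findings = [f"default rule still enabled: {r['name']}" for r in rules
                if r["type"] == "Default" and not r["disabled"]
                and r["name"] in DEFAULTS_TO_DISABLE]
    active = {r["resourceFilter"]: r for r in rules
              if r["type"] == "Custom" and not r["disabled"]}
    for flt, cond in EXPECTED_CUSTOM.items():
        rule = active.get(flt)
        if rule is None:
            findings.append(f"no enabled custom rule for filter: {flt}")
        elif normalize(rule["rule"]) != normalize(cond):
            findings.append(f"condition differs from page for filter: {flt}")
    return sorted(findings)

def rec(name, rule_type, disabled, flt="", rule=""):
    return {"name": name, "type": rule_type, "disabled": disabled,
            "resourceFilter": flt, "rule": rule}

# Constructed sample: one default left enabled, one custom condition loosened.
SAMPLE = [rec(n, "Default", n != "DataConnection")
          for n in sorted(DEFAULTS_TO_DISABLE)] + [
    rec("Create app", "Custom", False, "App_*,FileReference_*",
        EXPECTED_CUSTOM["App_*,FileReference_*"]),
    rec("Create app object", "Custom", False, "App.Object_*",
        '!user.IsAnonymous() and (user.@usertype="Developer" or user.@usertype="Contributor")'),
    rec("Data connections", "Custom", False, "DataConnection_*",
        EXPECTED_CUSTOM["DataConnection_*"]),
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On the constructed sample the audit reports the DataConnection default that was left enabled and the "Create app object" rule whose condition lost the HasPrivilege("read") check.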
