Security rules installed in Qlik Sense
In a Qlik Sense installation, a number of security rules are included by default and available in the QMC. The security rules can be used to grant users access to areas in Qlik Sense. These rules are of two types: Default and Read only. The Read only rules are essential to Qlik Sense and cannot be edited or deleted. The Default rules can be edited. When you edit a Default rule, the type is changed to Custom.
The following security rules are included by default in a Qlik Sense installation.
AuditAdmin
Name | AuditAdmin |
Description | Audit admin should have read rights to audit entities |
Resource filter | * |
Actions | Read |
Context | Only in QMC |
Type | Default |
Conditions | user.roles = "AuditAdmin" and !(resource.resourcetype = "TransientObject" and resource.name like "QmcSection_*") |
AuditAdminQmcSections
Name | AuditAdminQmcSections |
Description | Audit admin should have read rights to audit related sections |
Resource filter | License_*,TermsAcceptance_*,QmcSection_Tag,QmcSection_Audit |
Actions | Read |
Context | Only in QMC |
Type | Default |
Conditions | ((user.roles="AuditAdmin")) |
Content library content
Name | Content library content |
Description | Everyone who has read rights to a content library should also have read rights to its corresponding files |
Resource filter | StaticContentReference_* |
Actions | Read |
Context | Both in hub and QMC |
Type | Read only |
Conditions | resource.ContentLibrarys.HasPrivilege("Read") |
Content library manage content
Name | Content library manage content |
Description | Everyone who has update rights to a content library should also have rights to manage its corresponding files |
Resource filter | StaticContentReference_* |
Actions | Create, Read, Update, Delete |
Context | Both in hub and QMC |
Type | Read only |
Conditions | resource.ContentLibrarys.HasPrivilege("Update") |
ContentAdmin
Name | ContentAdmin |
Description | Content admin should have rights to manage content related entities |
Resource filter | Stream_*,App*,ReloadTask_*,UserSyncTask_*,SchemaEvent_*,User*,CustomProperty*,Tag_*, DataConnection_*,CompositeEvent_*,Extension_*,ContentLibrary_* |
Actions | Create, Read, Update, Delete, Export, Publish, Change owner |
Context | Only in QMC |
Type | Default |
Conditions | ((user.roles="ContentAdmin")) |
ContentAdminQmcSections
Name | ContentAdminQmcSections |
Description | Content admin should have read rights to content related sections |
Resource filter | License_*,TermsAcceptance_*,QmcSection_Stream,QmcSection_App,QmcSection_App.Object, QmcSection_DataConnection,QmcSection_Tag,QmcSection_User, QmcSection_CustomPropertyDefinition,QmcSection_Task,QmcSection_Event, QmcSection_SchemaEvent,QmcSection_CompositeEvent,QmcSection_Extension, QmcSection_ReloadTask,QmcSection_UserSyncTask,QmcSection_ContentLibrary,QmcSection_Audit |
Actions | Read |
Context | Only in QMC |
Type | Default |
Conditions | ((user.roles="ContentAdmin")) |
ContentAdminRulesAccess
Name | ContentAdminRulesAccess |
Description | Content admin should have rights to manage security rules for streams, data connections, content libraries, and extensions |
Resource filter | SystemRule_* |
Actions | Create, Read, Update, Delete |
Context | Only in QMC |
Type | Default |
Conditions | user.roles = "ContentAdmin" and resource.category = "Security" and (resource.resourcefilter matches "Stream_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}" or resource.resourcefilter matches "DataConnection_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}" or resource.resourcefilter matches "ContentLibrary_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}" or resource.resourcefilter matches "Extension_\w{8}-\w{4}-\w{4}-\w{4}-\w{12}") |
CreateApp
Name | CreateApp |
Description | Everyone, except anonymous users, should have rights to create apps |
Resource filter | App_* |
Actions | Create |
Context | Only in hub |
Type | Default |
Conditions | !user.IsAnonymous() |
CreateAppObjectsPublishedApp
Name | CreateAppObjectsPublishedApp |
Description | Everyone who has read rights to a published app should also have rights to create sheets, stories, bookmarks and snapshots belonging to that app |
Resource filter | App.Object_* |
Actions | Create |
Context | Only in hub |
Type | Default |
Conditions | !resource.App.stream.Empty() and resource.App.HasPrivilege("read") and (resource.objectType = "userstate" or resource.objectType = "sheet" or resource.objectType = "story" or resource.objectType = "bookmark" or resource.objectType = "snapshot" or resource.objectType = "embeddedsnapshot" or resource.objectType = "hiddenbookmark") and !user.IsAnonymous() |
CreateAppObjectsUnPublishedApp
Name | CreateAppObjectsUnPublishedApp |
Description | Everyone who has read rights to an unpublished app should also have rights to create app objects belonging to that app |
Resource filter | App.Object_* |
Actions | Create |
Context | Only in hub |
Type | Default |
Conditions | resource.App.stream.Empty() and resource.App.HasPrivilege("read") and !user.IsAnonymous() |
CreateOdagLinks
Name | CreateOdagLinks |
Description | Non-anonymous users with read access to the ODAG template app can create links and it is possible to create a link without first knowing the template app |
Resource filter | OdagLink_* |
Actions | Create |
Context | Only in hub |
Type | Default |
Conditions | !user.IsAnonymous() and (resource.templateApp.Empty() or resource.templateApp.HasPrivilege("read")) |
CreateOdagLinkUsage
Name | CreateOdagLinkUsage |
Description | Non-anonymous users with read access to the selectionApp and read access to the link can create OdagLinkUsages |
Resource filter | OdagLinkUsage_* |
Actions | Create |
Context | Only in hub |
Type | Default |
Conditions | !user.IsAnonymous() and (resource.selectionApp.Empty() or resource.selectionApp.HasPrivilege("read")) and (resource.link.Empty() or resource.link.HasPrivilege("read")) |
CreateOdagRequest
Name | CreateOdagRequest |
Description | Non-anonymous users with read access to the link can create new Requests using that link |
Resource filter | OdagRequest_* |
Actions | Create |
Context | Only in hub |
Type | Default |
Conditions | !user.IsAnonymous() and (resource.link.HasPrivilege("read")) |
DataConnection
Name | DataConnection |
Description | Data connections can be created for all resource types, except "folder" |
Resource filter | DataConnection_* |
Actions | Create |
Context | Only in hub |
Type | Default |
Conditions | ((resource.type!="folder")) |
Default content library
Name | Default content library |
Description | Everyone should have read rights to the default content library |
Resource filter | ContentLibrary_<Content library ID> |
Actions | Read |
Context | Both in hub and QMC |
Type | Default |
Conditions | true |
DeleteOdagLinkUsage
Name | DeleteOdagLinkUsage |
Description | Non-anonymous users with read access on the selection app can delete OdagLinkUsages for that app |
Resource filter | OdagLinkUsage_* |
Actions | Read, Delete |
Context | Only in hub |
Type | Default |
Conditions | !user.IsAnonymous() and resource.selectionApp.HasPrivilege("read") |
DeploymentAdmin
Name | DeploymentAdmin |
Description | Deployment admin should have access rights to deployment related entities |
Resource filter | ServiceCluster_*,ServerNodeConfiguration_*,Engine*,Proxy*,VirtualProxy*,Repository*,Printing*,Scheduler*,User*,CustomProperty*,Tag_*,License*,TermsAcceptance_*,ReloadTask_*,UserSyncTask_*,SchemaEvent_*,CompositeEvent_* |
Actions | Create, Read, Update, Delete |
Context | Only in QMC |
Type | Default |
Conditions | ((user.roles="DeploymentAdmin")) |
DeploymentAdminAppAccess
Name | DeploymentAdminAppAccess |
Description | Deployment admin should have read and update rights to apps in order to handle sync rules |
Resource filter | App_* |
Actions | Read, Update |
Context | Only in QMC |
Type | Default |
Conditions | ((user.roles="DeploymentAdmin")) |
DeploymentAdminQmcSections
Name | DeploymentAdminQmcSections |
Description | Deployment admin should have read rights to deployment related sections |
Resource filter | License_*,TermsAcceptance_*,ServiceStatus_*,QmcSection_Tag,QmcSection_Templates, QmcSection_ServiceCluster,QmcSection_ServerNodeConfiguration,QmcSection_EngineService, QmcSection_ProxyService,QmcSection_VirtualProxyConfig,QmcSection_RepositoryService, QmcSection_SchedulerService,QmcSection_PrintingService,QmcSection_License*, QmcSection_Token,LoadbalancingSelectList,QmcSection_User,QmcSection_UserDirectory, QmcSection_CustomPropertyDefinition,QmcSection_Certificates, QmcSection_Certificates.Export,QmcSection_Task,QmcSection_App,QmcSection_SyncRule, QmcSection_LoadBalancingRule,QmcSection_Event, QmcSection_ReloadTask, QmcSection_UserSyncTask, QmcSection_Audit |
Actions | Read |
Context | Only in QMC |
Type | Default |
Conditions | ((user.roles="DeploymentAdmin")) |
DeploymentAdminRulesAccess
Name | DeploymentAdminRulesAccess |
Description | Deployment admin should have rights to manage sync and license rules |
Resource filter | SystemRule_* |
Actions | Create, Read, Update, Delete |
Context | Only in QMC |
Type | Default |
Conditions | user.roles = "DeploymentAdmin" and (resource.category = "Sync" or resource.category = "License") |
ExportAppData
Name | ExportAppData |
Description | Everyone is allowed to export the app data they are allowed to see, except anonymous users |
Resource filter | App_* |
Actions | Export data |
Context | Both in hub and QMC |
Type | Default |
Conditions | resource.HasPrivilege("read") and !user.IsAnonymous() |
Extension
Name | Extension |
Description | Everyone should have read rights to extensions |
Resource filter | Extension_* |
Actions | Read |
Context | Both in hub and QMC |
Type | Default |
Conditions | true |
Extension manage content
Name | Extension manage content |
Description | Everyone who has update rights to an extension should have rights to manage its corresponding files |
Resource filter | StaticContentReference_* |
Actions | Create, Read, Update, Delete |
Context | Both in hub and QMC |
Type | Read only |
Conditions | resource.Extensions.HasPrivilege("Update") |
Extension static content
Name | Extension static content |
Description | Everyone who has read rights to an extension should have read rights to its corresponding files |
Resource filter | StaticContentReference_* |
Actions | Read |
Context | Both in hub and QMC |
Type | Read only |
Conditions | resource.Extensions.HasPrivilege("Read") |
File upload connection object
Name | File upload connection object |
Description | Everyone, except anonymous users, should have read rights to data connections used for uploading files to server |
Resource filter | DataConnection_<data_connection_ID> |
Actions | Read |
Context | Both in hub and QMC |
Type | Default |
Conditions | !user.IsAnonymous() |
FolderDataConnection
Name | FolderDataConnection |
Description | Admins should have rights to manage folder data connections |
Resource filter | DataConnection_* |
Actions | Create, Read, Update, Delete |
Context | Only in hub |
Type | Default |
Conditions | resource.type = "folder" and (user.roles = "RootAdmin" or user.roles = "ContentAdmin" or user.roles = "SecurityAdmin") |
HubSections
Name | HubSections |
Description | Everyone should have read rights to all hub sections |
Resource filter | HubSection_* |
Actions | Read |
Context | Both in hub and QMC |
Type | Default |
Conditions | true |
Installed static content
Name | Installed static content |
Description | Everyone should have read rights to installed static content |
Resource filter | StaticContentReference_* |
Actions | Read |
Context | Both in hub and QMC |
Type | Read only |
Conditions | ((resource.StaticContentSecurityType="Open")) |
ManageAnalyticConnection
Name | ManageAnalyticConnection |
Description | RootAdmin, ContentAdmin and SecurityAdmin roles should be able to manage an analytical connection |
Resource filter | AnalyticConnection_* |
Actions | Create, Read, Update, Delete |
Context | Both in hub and QMC |
Type | Default |
Conditions | ((user.roles="RootAdmin" or user.roles="ContentAdmin" or user.roles="SecurityAdmin")) |
Offline access
Name | Offline access |
Description | Everyone is allowed offline access to the app they are allowed to see except anonymous users |
Resource filter | App_* |
Actions | Read |
Context | Both in hub and QMC |
Type | Default |
Conditions | resource.HasPrivilege("read") and !user.IsAnonymous() |
Owner
Name | Owner |
Description | The owner of a resource should have update and delete rights if the resource is not published to a stream |
Resource filter | * |
Actions | Update, Delete |
Context | Both in hub and QMC |
Type | Default |
Conditions | resource.IsOwned() and (resource.owner = user and !((resource.resourcetype = "App" and !resource.stream.Empty()) or (resource.resourcetype = "App.Object" and resource.published = "true"))) |
OwnerAnonymousTempContent
Name | OwnerAnonymousTempContent |
Description | An anonymous owner of temporary content should be able to access and delete it |
Resource filter | TempContent_* |
Actions | Read, Delete |
Context | Both in hub and QMC |
Type | Read only |
Conditions | user.IsAnonymous() and resource.anonymousOwnerUserId = user.userId |
OwnerDistribute
Name | OwnerDistribute |
Description | The owner of apps and streams should be able to distribute |
Resource filter | App_*, Stream_* |
Actions | Distribute |
Context | Both in hub and QMC |
Type | Default |
Conditions | resource.IsOwned() and resource.owner = user |
OwnerPublishAppObject
Name | OwnerPublishAppObject |
Description | The owner of an app object should have publish rights to the object unless it is approved |
Resource filter | App.Object_* |
Actions | Publish |
Context | Both in hub and QMC |
Type | Default |
Conditions | resource.IsOwned() and resource.owner = user and resource.approved = "false" |
OwnerPublishDuplicate
Name | OwnerPublishDuplicate |
Description | The owner of an app or a stream should be able to publish, and the owner of an app should be able to duplicate |
Resource filter | App_*,Stream_* |
Actions | Publish |
Context | Both in hub and QMC |
Type | Default |
Conditions | resource.IsOwned() and resource.owner = user |
OwnerRead
Name | OwnerRead |
Description | The owner of a resource should have read rights to the resource if it is published to a stream |
Resource filter | * |
Actions | Read |
Context | Both in hub and QMC |
Type | Read only |
Conditions | resource.IsOwned() and resource.owner = user |
OwnerUpdateApp
Name | OwnerUpdateApp |
Description | The owner of an app should be able to update |
Resource filter | App_* |
Actions | Update |
Context | Both in hub and QMC |
Type | Default |
Conditions | resource.IsOwned() and resource.owner = user |
ReadAnalyticConnectionEveryone
Name | ReadAnalyticConnectionEveryone |
Description | Non-anonymous users can read an analytic connection |
Resource filter | AnalyticConnection_* |
Actions | Read |
Context | Only in hub |
Type | Read only |
Conditions | !user.IsAnonymous() |
ReadAppContentFiles
Name | ReadAppContentFiles |
Description | Everyone who has read rights to an app should also have read rights to its content files |
Resource filter | StaticContentReference_* |
Actions | Read |
Context | Both in hub and QMC |
Type | Read only |
Conditions | resource.AppContents.App.HasPrivilege("Read") |
ReadAppContents
Name | ReadAppContents |
Description | Everyone who has read rights to an app should also have read rights to app content belonging to that app |
Resource filter | App.Content_* |
Actions | Read |
Context | Both in hub and QMC |
Type | Read only |
Conditions | resource.App.HasPrivilege("read") |
ReadAppDataSegments
Name | ReadAppDataSegments |
Description | Everyone who has read rights to an app should also have read rights to app data segments belonging to that app |
Resource filter | App.DataSegment_* |
Actions | Read |
Context | Both in hub and QMC |
Type | Read only |
Conditions | resource.App.HasPrivilege("read") and !user.IsAnonymous() |
ReadAppInternals
Name | ReadAppInternals |
Description | Everyone who has read rights to an app should also have read rights to app internals belonging to that app |
Resource filter | App.Internal_* |
Actions | Read |
Context | Both in hub and QMC |
Type | Read only |
Conditions | resource.App.HasPrivilege("read") |
ReadFileReference
Name | ReadFileReference |
Description | Everyone, except anonymous users, should have read rights to file references |
Resource filter | FileReference_* |
Actions | Read |
Context | Both in hub and QMC |
Type | Read only |
Conditions | !user.IsAnonymous() |
ReadOdagLinks
Name | ReadOdagLinks |
Description | Non-anonymous users can read ODAG links |
Resource filter | OdagLink_* |
Actions | Read |
Context | Only in hub |
Type | Default |
Conditions | !user.IsAnonymous() |
ReadOdagLinkUsage
Name | ReadOdagLinkUsage |
Description | Non-anonymous users with read access to the selection app can read its OdagLinkUsages |
Resource filter | OdagLinkUsage_* |
Actions | Read |
Context | Only in hub |
Type | Default |
Conditions | !user.IsAnonymous() |
RootAdmin
Name | RootAdmin |
Description | Root admin should have full access rights |
Resource filter | * |
Actions | Create, Read, Update, Delete, Export, Publish, Change owner, Change role, Export data |
Context | Only in QMC |
Type | Read only |
Conditions | ((user.roles="RootAdmin")) |
SecurityAdmin
Name | SecurityAdmin |
Description | Security admin should have access rights to security related entities |
Resource filter | Stream_*,App*,Proxy*,VirtualProxy*,User*,SystemRule_*,CustomProperty*,Tag_*, DataConnection_*,ContentLibrary_* |
Actions | Create, Read, Update, Delete, Export, Publish, Change owner |
Context | Only in QMC |
Type | Default |
Conditions | ((user.roles="SecurityAdmin")) |
SecurityAdminQmcSections
Name | SecurityAdminQmcSections |
Description | Security admin should have read rights to security related sections |
Resource filter | License_*,TermsAcceptance_*,ServiceStatus_*,QmcSection_Stream,QmcSection_App, QmcSection_App.Object,QmcSection_SystemRule,QmcSection_DataConnection,QmcSection_Tag, QmcSection_Templates,QmcSection_Audit,QmcSection_ProxyService,QmcSection_VirtualProxyConfig, QmcSection_User, QmcSection_CustomPropertyDefinition,QmcSection_Certificates, QmcSection_Certificates.Export,QmcSection_ContentLibrary |
Actions | Read |
Context | Only in QMC |
Type | Default |
Conditions | ((user.roles="SecurityAdmin")) |
SecurityAdminServerNodeConfiguration
Name | SecurityAdminServerNodeConfiguration |
Description | Security admin should have read rights to the ServerNodeConfiguration entity |
Resource filter | ServerNodeConfiguration_* |
Actions | Read |
Context | Only in QMC |
Type | Default |
Conditions | ((user.roles="SecurityAdmin")) |
ServiceAccount
Name | ServiceAccount |
Description | Service accounts should have rights to perform all actions |
Resource filter | * |
Actions | Create, Read, Update, Delete, Export, Publish, Change owner, Change role, Export data |
Context | Both in hub and QMC |
Type | Read only |
Conditions | ((user.UserDirectory="INTERNAL" and user.UserId like "sa_*")) |
Shared content manage content
Name | Shared content manage content |
Description | Everyone who has update rights to shared content should also have rights to manage its corresponding files |
Resource filter | StaticContentReference_* |
Actions | Create, Read, Update, Delete |
Context | Both in hub and QMC |
Type | Read only |
Conditions | resource.SharedContents.HasPrivilege("Update") |
Shared content see content
Name | Shared content see content |
Description | Everyone who has read rights to shared content should also have read rights to the corresponding files |
Resource filter | StaticContentReference_* |
Actions | Read |
Context | Both in hub and QMC |
Type | Read only |
Conditions | resource.SharedContents.HasPrivilege("Read") |
Stream
Name | Stream |
Description | Everyone who has read rights to a stream should also have read rights to a resource published to that stream |
Resource filter | App* |
Actions | Read |
Context | Both in hub and QMC |
Type | Default |
Conditions | (resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read")) |
StreamEveryone
Name | StreamEveryone |
Description | Everyone, except anonymous users, should have read and publish rights to the default stream called Everyone |
Resource filter | Stream_<stream_ID> |
Actions | Read, Publish |
Context | Both in hub and QMC |
Type | Default |
Conditions | !user.IsAnonymous() |
StreamEveryoneAnonymous
Name | StreamEveryoneAnonymous |
Description | Anonymous users should have read rights to the default stream called Everyone |
Resource filter | Stream_<stream_ID> |
Actions | Read |
Context | Only in hub |
Type | Default |
Conditions | user.IsAnonymous() |
StreamMonitoringAppsPublish
Name | StreamMonitoringAppsPublish |
Description | RootAdmin, ContentAdmin, and SecurityAdmin should have publish rights to the default stream called Monitoring apps |
Resource filter | Stream_<stream_ID> |
Actions | Publish |
Context | Only in hub |
Type | Default |
Conditions | ((user.roles="RootAdmin" or user.roles="ContentAdmin" or user.roles="SecurityAdmin")) |
StreamMonitoringAppsRead
Name | StreamMonitoringAppsRead |
Description | Default administrators should have read rights to the default stream called Monitoring apps |
Resource filter | Stream_<stream_ID> |
Actions | Read |
Context | Both in hub and QMC |
Type | Default |
Conditions | ((user.roles="RootAdmin" or user.roles="ContentAdmin" or user.roles="SecurityAdmin" or user.roles="DeploymentAdmin" or user.roles="AuditAdmin")) |
Temporary content
Name | Temporary content |
Description | Everyone, except anonymous users, should have rights to create temporary content |
Resource filter | TempContent_* |
Actions | Create |
Context | Both in hub and QMC |
Type | Read only |
Conditions | !user.IsAnonymous() |
UpdateAppContentFiles
Name | UpdateAppContentFiles |
Description | Everyone who has update rights to an app should also have rights to manage its content files |
Resource filter | StaticContentReference_* |
Actions | Create, Read, Update, Delete |
Context | Both in hub and QMC |
Type | Read only |
Conditions | resource.AppContents.App.HasPrivilege("Update") |
UpdateAppContents
Name | UpdateAppContents |
Description | Everyone who has update rights to an app should also have update rights to app content belonging to that app |
Resource filter | App.Content_* |
Actions | Update |
Context | Both in hub and QMC |
Type | Read only |
Conditions | resource.App.HasPrivilege("update") |
UpdateAppDataSegments
Name | UpdateAppDataSegments |
Description | Everyone who has update rights to an app should also have rights to manage app data segments belonging to that app |
Resource filter | App.DataSegment_* |
Actions | Create, Read, Update, Delete |
Context | Both in hub and QMC |
Type | Read only |
Conditions | resource.App.HasPrivilege("update") and !user.IsAnonymous() |
UpdateAppInternals
Name | UpdateAppInternals |
Description | Everyone who has update rights to an app should also have rights to manage app internals belonging to that app |
Resource filter | App.Internal_* |
Actions | Create, Read, Update, Delete |
Context | Both in hub and QMC |
Type | Read only |
Conditions | resource.App.HasPrivilege("update") |