Setting Up Security Rules In Qlik Sense QMC

· by · in Best Practice, QMC. ·

If your familiar with QlikView and move to the new Qlik Sense tool you’ll see a lot of similarities. The script, expression writing are the same.

The QMC is very different. One of the main differences is who will be using it. Typically the QMC in QlikView was only used by the developer team. In Qlik Sense however you need to move away from that concept and towards a world where many more people, the people who use the reports have some access to the QMC.

A typical Qlik Sense business requirement:
  • A developer will extract and transform the data, set up data models, create Sense applications and create standard expressions, dimensions and visualisations in the Master Items.
  • User will then consume that information and super users will want to develop the applications further, adding new data and visualisations. They will want to publish the revised dashboards so others can consume that information.

(If that second statement makes you take a breath and shake your head you really need to get with the times on this, things are changing and if you don’t keep up you’ll be left behind!)

Hopefully you are already aware of the concept of Resource Streams. They can be thought of as folders on the Qlik Sense Hub where applications can be stored. Users can be granted access to those streams using security rules in the Qlik Sense QMC.

Security Rules can define so much more. A general rule of thumb is they can define everything:

  • Access to a Resource Stream
  • Ability to create a new application
  • Ability to edit an existing application
  • etc.

These are all Hub rules!

Rules can also be created to control who can do which actions on the QMC. Again you may already be aware of the standard roles; Root Admin, Content Admin, etc. These roles that allow a user access to certain areas of the QMC although these roles are for everything. If you’re a Content Admin you can Publish, Delete, Edit any Application, Reload Task, Data Connection resource for any stream. That’s fine if you’re sticking with the traditional BI structure of a central development team. If not you’ll have to create the right rules for your business.

Security Roles can only grant access, they can’t take access away! When you install Qlik Sense server you’ll have quite a large number of automatically defined rules. Most of which you’ll keep and some you’ll have to edit or disable.

In general a rule can read as a sentence: “Allow the requester to [action] the [resource] provided that [conditions].”

I manage the requester by using a Custom Property which I set up in the QMC (there are other methods too). Per resource I have two properties which are then allocated to users, for example:

  • Finance – User
  • Finance – Admin
  • Sales – User
  • Sales – Admin

I have a second Custom Property for Resources (Resources I attribute these too are: Apps, App Objects, Data Connections, Reload Tasks and Streams), for example:

  • Finance
  • Sales

I have generic rules which grant access that’s not resource specific:

  • Admin access QMC Sections
  • Admin access to Create an App
  • Admin access to Resources Not Assigned a Custom Property

I then set up a number of rules for each Resource I bring online, currently there are six:

  • Admin access to all Applications relating to the resource group (Hub and QMC)
  • Admin access to all Application Objects relating to the resource group (QMC)
  • Admin access to all Data Connections relating to the resource group (Hub and QMC) – Example Below
  • Admin access to all Reload Tasks relating to the resource group (QMC)
  • Admin access to the Stream relating to the resource group (Hub and QMC)
  • User Read Only access to the Stream relating to the resource group (HUB)

The reason I have so many rules is because you can’t just do an Admin rule, each resource has its own set of permission types; Create, Read, Update, Delete, Export, etc. and you have to define them individually.

Here is an example of the rule so Admins of a particular resource have full access in both the HUB and QMC to the Data Connections for the same resource:

Qlik Sense Security Rule

Qlik Sense Security Rule

The resource filter is DataConnections_* which defines the area of access. You can have multiple resource filters separated by a comma although in testing this doesn’t always work as expected, if in doubt split them out!

I hope you find this useful. If you have some hints or ideas please comment them below!

Some useful links are:

 

Take care, Richard.

Leave a comment