Professional Documents
Culture Documents
Qlik Sense Security Rule List (v1.1)
Qlik Sense Security Rule List (v1.1)
2015/04/06
Table of Contents
Read Only Security Rules ............................................................................................................................................................................................................................. 2
App Data Segment .................................................................................................................................................................................................................................... 2
Content Library ......................................................................................................................................................................................................................................... 2
Extension ................................................................................................................................................................................................................................................... 3
File Reference ............................................................................................................................................................................................................................................ 3
Installed Static Content ............................................................................................................................................................................................................................ 3
Owned Resource ........................................................................................................................................................................................................................................ 4
Temporary Content ................................................................................................................................................................................................................................... 5
User (Service Account / Root Admin) ....................................................................................................................................................................................................... 5
Default Security Rules – General ................................................................................................................................................................................................................ 7
App.............................................................................................................................................................................................................................................................. 7
App Object .................................................................................................................................................................................................................................................. 7
Content Library ......................................................................................................................................................................................................................................... 8
Data Connection ........................................................................................................................................................................................................................................ 8
Extension ................................................................................................................................................................................................................................................... 8
Stream ........................................................................................................................................................................................................................................................ 9
Default Security Rules – Default Administrative User Group ................................................................................................................................................................ 10
Audit Admin ............................................................................................................................................................................................................................................. 10
Content Admin......................................................................................................................................................................................................................................... 10
Deployment Admin .................................................................................................................................................................................................................................. 12
Security Admin ........................................................................................................................................................................................................................................ 14
1
Read Only Security Rules
App Data Segment
If you have read rights on the app you should be able to read app data segments belonging to that app
Name Resource filter Conditions Context Actions
and QMC
If you have update rights on the app you should be able to create/update/read/delete app data segments belonging to that app
Name Resource filter Conditions Context Actions
Update
Delete
Content Library
Allows everyone that can see a content library to see its corresponding files
Name Resource filter Conditions Context Actions
and QMC
Allows everyone that can update a content library to manage its corresponding files
Name Resource filter Conditions Context Actions
Update
Delete
2
Extension
Allows everyone that can update an extension to manage its corresponding files
Name Resource filter Conditions Context Actions
Update
Delete
Allows everyone that can see an extension to see its corresponding files
Name Resource filter Conditions Context Actions
and QMC
File Reference
Everyone is allowed to read file references
Name Resource filter Conditions Context Actions
and QMC
and QMC
3
Owned Resource
The owner of a resource should be able to do all actions if the resource is not published to a stream
Name Resource filter Conditions Context Actions
"true"))) Publish
Change owner
The owner of an app object should be able to unpublish an object unless it is approved
Name Resource filter Conditions Context Actions
OwnerPublishAppObject App.Object_* resource.IsOwned() and resource.owner = user and Both in hub Publish
The owner of a resource should be able to see the resource if it is published to a stream
Name Resource filter Conditions Context Actions
and QMC
4
Temporary Content
Allows everyone except anonymous users to create temporary content
Name Resource filter Conditions Context Actions
and QMC
Delete
Export
Publish
Change owner
Change role
Export data
5
Root admin should have full access rights
Name Resource filter Conditions Context Actions
Update
Delete
Export
Publish
Change owner
Change role
Export data
6
Default Security Rules – General
App
Everyone is allowed to create apps except anonymous users
Name Resource filter Conditions Context Actions
Everyone is allowed to export the app data they are allowed to see except anonymous users
Name Resource filter Conditions Context Actions
App Object
If you have read rights on an published app you should be able to create sheets, stories, bookmarks and snapshots belonging to that app
Name Resource filter Conditions Context Actions
If you have read rights on an unpublished app you should be able to create app objects belonging to that app
Name Resource filter Conditions Context Actions
7
Content Library
The default content library should be visible for all users
Name Resource filter Conditions Context Actions
Data Connection
It should be possible to create data connections except of type folder
Name Resource filter Conditions Context Actions
FolderDataConnection DataConnection_* resource.type = "folder" and (user.roles = "RootAdmin" or user.roles = Only in hub Create
Update
Delete
Extension
Everyone can view extensions
Name Resource filter Conditions Context Actions
and QMC
8
Stream
The user should see the resource if he/she has read access to the stream it is published to
Name Resource filter Conditions Context Actions
and resource.app.stream.HasPrivilege("read"))
The default stream called Administration should be visible for default Administrators and they should be able to publish to it
Name Resource filter Conditions Context Actions
user.roles="AuditAdmin"))
The default stream called Everyone should be visible for all users and all users should be able to publish to it
Name Resource filter Conditions Context Actions
The default stream called Everyone should be visible for anonymous users
Name Resource filter Conditions Context Actions
9
Default Security Rules – Default Administrative User Group
Audit Admin
Audit admin should have access rights to audit related entities
Name Resource filter Conditions Context Actions
Read
Update
Delete
Content Admin
Content admin should have access rights to content related entities
Name Resource filter Conditions Context Actions
_*,SchemaEvent_*,User*,CustomProperty*,T Read
ag_*,DataConnection_*,CompositeEvent_*,E Update
xtension_*,ContentLibrary_* Delete
Publish
Change
owner
10
ContentAdminQmcSection License_*,QmcSection_Stream,QmcSection_ ((user.roles="ContentAdmin")) Only in QMC Read
s App,QmcSection_App.Object,QmcSection_Da
taConnection,QmcSection_Tag,QmcSection_
Audit,QmcSection_User,QmcSection_Custom
PropertyDefinition,QmcSection_Task,QmcSe
ction_Event,QmcSection_SchemaEvent,Qmc
Section_CompositeEvent,QmcSection_Extens
ion,QmcSection_ReloadTask,QmcSection_Us
erSyncTask,QmcSection_ContentLibrary
Content admin should have access rights to manage security rules for streams, data connections and content libraries
Name Resource filter Conditions Context Actions
ContentAdminRulesAccess SystemRule_* user.roles = "ContentAdmin" and resource.category = "Security" and Only in QMC Create
resource.resourcefilter matches
"ContentLibrary_¥w{8}-¥w{4}-¥w{4}-¥w{4}-¥w{12}")
11
Deployment Admin
Deployment admin should have access rights to deployment related entities
Name Resource filter Conditions Context Actions
VirtualProxy*,Repository*,Scheduler*,User*, Read
CustomProperty*,Tag_*,License*,ReloadTask Update
_*,UserSyncTask_*,SchemaEvent_*,Composi Delete
teEvent_*
Deployment admin should have access rights to see and update apps in order to handle sync rules
Name Resource filter Conditions Context Actions
ess Update
12
Deployment admin should have access rights to deployment related sections
Name Resource filter Conditions Context Actions
tions QmcSection_Templates,QmcSection_ServerN
odeConfiguration,QmcSection_EngineService
,QmcSection_ProxyService,QmcSection_Virtu
alProxyConfig,QmcSection_RepositoryServic
e,QmcSection_SchedulerService,QmcSection_
License*,QmcSection_Token,LoadbalancingS
electList,QmcSection_User,QmcSection_User
Directory,QmcSection_CustomPropertyDefini
tion,QmcSection_Certificates,
QmcSection_Certificates.Export,QmcSection
_Task,QmcSection_App,QmcSection_SyncRul
e,QmcSection_Event,
QmcSection_ReloadTask,
QmcSection_UserSyncTask,
QmcSection_Audit
Deployment admin should have access rights to manage sync and license rules
Name Resource filter Conditions Context Actions
DeploymentAdminRuleAcc SystemRule_* user.roles = "DeploymentAdmin" and (resource.category = "Sync" or Only in QMC Create
Update
Delete
13
Security Admin
Security admin should have access rights to security related entities
Name Resource filter Conditions Context Actions
SystemRule_*,CustomProperty*,Tag_*,Data Read
Connection_*,ContentLibrary_* Update
Delete
Publish
Change
owner
s App,QmcSection_App.Object,QmcSection_Sy
stemRule,QmcSection_DataConnection,Qmc
Section_Tag,QmcSection_Templates,QmcSect
ion_Audit,QmcSection_ProxyService,QmcSec
tion_VirtualProxyConfig,QmcSection_User,Q
mcSection_CustomPropertyDefinition,QmcSe
ction_Certificates,QmcSection_Certificates.E
xport,QmcSection_ContentLibrary
14
Security admin should have read rights on ServerNodeConfiguration entity
Name Resource filter Conditions Context Actions
Configuration
15