Qlik Sense Security Rule List (v1.1)

Qlik Sense Security Rules List
Qlik Sense 1.1
2015/04/06
Table of Contents
Read Only Security Rules ............................................................................................................................................................................................................................. 2
App Data Segment .................................................................................................................................................................................................................................... 2
Content Library ......................................................................................................................................................................................................................................... 2
Extension ................................................................................................................................................................................................................................................... 3
File Reference ............................................................................................................................................................................................................................................ 3
Installed Static Content ............................................................................................................................................................................................................................ 3
Owned Resource ........................................................................................................................................................................................................................................ 4
Temporary Content ................................................................................................................................................................................................................................... 5
User (Service Account / Root Admin) ....................................................................................................................................................................................................... 5
Default Security Rules – General ................................................................................................................................................................................................................ 7
App.............................................................................................................................................................................................................................................................. 7
App Object .................................................................................................................................................................................................................................................. 7
Content Library ......................................................................................................................................................................................................................................... 8
Data Connection ........................................................................................................................................................................................................................................ 8
Extension ................................................................................................................................................................................................................................................... 8
Stream ........................................................................................................................................................................................................................................................ 9
Default Security Rules – Default Administrative User Group ................................................................................................................................................................ 10
Audit Admin ............................................................................................................................................................................................................................................. 10
Content Admin......................................................................................................................................................................................................................................... 10
Deployment Admin .................................................................................................................................................................................................................................. 12
Security Admin ........................................................................................................................................................................................................................................ 14
1
Read Only Security Rules
App Data Segment
If you have read rights on the app you should be able to read app data segments belonging to that app
Name Resource filter Conditions Context Actions
ReadAppDataSegments App.DataSegment_* resource.App.HasPrivilege("read") and !user.IsAnonymous() Both in hub Read
and QMC
If you have update rights on the app you should be able to create/update/read/delete app data segments belonging to that app
UpdateAppDataSegments App.DataSegment_* resource.App.HasPrivilege("update") and !user.IsAnonymous() Both in hub Create
and QMC Read
Update
Delete
Content Library
Allows everyone that can see a content library to see its corresponding files
Content library content StaticContentReference_* resource.ContentLibrarys.HasPrivilege("Read") Both in hub Read
and QMC
Allows everyone that can update a content library to manage its corresponding files
Content library manage StaticContentReference_* resource.ContentLibrarys.HasPrivilege("Update") Both in hub Create,
content and QMC Read
Update
Delete
2
Extension
Allows everyone that can update an extension to manage its corresponding files
Extension manage content StaticContentReference_* resource.Extensions.HasPrivilege("Read") Both in hub Create,
and QMC Read
Update
Delete
Allows everyone that can see an extension to see its corresponding files
Extension static content StaticContentReference_* resource.Extensions.HasPrivilege("Update") Both in hub Read
and QMC
File Reference
Everyone is allowed to read file references
ReadFileReference FileReference_* !user.IsAnonymous() Both in hub Read
and QMC
Installed Static Content

Allows everyone to read installed static content
Installed static content StaticContentReference_* ((resource.StaticContentSecurityType="Open")) Both in hub Read
and QMC
3
Owned Resource
The owner of a resource should be able to do all actions if the resource is not published to a stream
Owner * resource.IsOwned() and (resource.owner = user Both in hub Read
and !((resource.resourcetype = "App" and !resource.stream.Empty()) and QMC Update
or (resource.resourcetype = "App.Object" and resource.published = Delete
"true"))) Publish
Change owner
The owner of a resource should be able to publish an object

OwnerPublish * resource.IsOwned() and resource.owner = user Both in hub Publish
and !(resource.resourcetype = "App.Object") and QMC
The owner of an app object should be able to unpublish an object unless it is approved
OwnerPublishAppObject App.Object_* resource.IsOwned() and resource.owner = user and Both in hub Publish
resource.resourcetype = "App.Object" and resource.approved = "false" and QMC
The owner of a resource should be able to see the resource if it is published to a stream
OwnerRead * resource.IsOwned() and resource.owner = user Both in hub Read
and QMC
4
Temporary Content
Allows everyone except anonymous users to create temporary content
Temporary content TempContent_* !user.IsAnonymous() Both in hub Create
and QMC
User (Service Account / Root Admin)

The service accounts should be able to do all actions
ServiceAccount * user.UserDirectory = "INTERNAL" and (user.UserId = Both in hub Create
"sa_repository" or user.UserId = "sa_proxy" or user.UserId = and QMC Read
"sa_scheduler" or user.UserId = "sa_engine") Update
Delete
Export
Publish
Change owner
Change role
Export data
5
Root admin should have full access rights
RootAdmin * ((user.roles="RootAdmin")) Both in hub Create
and QMC Read
Update
Delete
Export
Publish
Change owner
Change role
Export data
6
Default Security Rules – General
App
Everyone is allowed to create apps except anonymous users
CreateApp App_* !user.IsAnonymous() Only in hub Create
Everyone is allowed to export the app data they are allowed to see except anonymous users
ExportAppData App_* !user.IsAnonymous() Only in hub Export data
App Object
If you have read rights on an published app you should be able to create sheets, stories, bookmarks and snapshots belonging to that app
CreateAppObjectsPublishedApp App.Object_* !resource.App.stream.Empty() and Only in hub Create
resource.App.HasPrivilege("read") and (resource.objectType =
"userstate" or resource.objectType = "sheet" or resource.objectType =
"story" or resource.objectType = "bookmark" or resource.objectType =
"snapshot" or resource.objectType = "embeddedsnapshot" or
resource.objectType = "hiddenbookmark") and !user.IsAnonymous()
If you have read rights on an unpublished app you should be able to create app objects belonging to that app
CreateAppObjectsUnPublishedApp App.Object_* resource.App.stream.Empty() and Only in hub Create
resource.App.HasPrivilege("read") and !user.IsAnonymous()
7
Content Library
The default content library should be visible for all users
Default content library ContentLibrary_365cddf2-1181-4204-8800-e9 true Both in hub Read
a46fe3b127 and QMC
Data Connection
It should be possible to create data connections except of type folder
DataConnection DataConnection_* ((resource.type!="folder")) Only in hub Create
It should be possible for admins to create folder data connections

FolderDataConnection DataConnection_* resource.type = "folder" and (user.roles = "RootAdmin" or user.roles = Only in hub Create
"ContentAdmin" or user.roles = "SecurityAdmin") Read
Update
Delete
Extension
Everyone can view extensions
Default content library Extension_* ((resource.resourcetype="Extension")) Both in hub Read
and QMC
8
Stream
The user should see the resource if he/she has read access to the stream it is published to
Stream App* (resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) Both in hub Read
or ((resource.resourcetype = "App.Object" and resource.published ="true") and QMC
and resource.app.stream.HasPrivilege("read"))
The default stream called Administration should be visible for default Administrators and they should be able to publish to it
StreamAdministration Stream_a70ca8a5-1d59-4cc9-b5fa-6e207978d ((user.roles="RootAdmin" or user.roles="ContentAdmin" or Both in hub Read
caf user.roles="SecurityAdmin" or user.roles="DeploymentAdmin" or and QMC Publish
user.roles="AuditAdmin"))
The default stream called Everyone should be visible for all users and all users should be able to publish to it
StreamEveryone Stream_aaec8d41-5201-43ab-809f-3063750df !user.IsAnonymous() Both in hub Read
afd and QMC Publish
The default stream called Everyone should be visible for anonymous users
StreamEveryoneAnonymo Stream_aaec8d41-5201-43ab-809f-3063750df true Both in hub Read
us afd and QMC
9
Default Security Rules – Default Administrative User Group
Audit Admin
Audit admin should have access rights to audit related entities
AuditAdmin Tag_* ((user.roles="AuditAdmin")) Only in QMC Create
Read
Update
Delete
Audit admin should have access rights to audit related sections

AuditAdminQmcSections License_*,QmcSection_Tag,QmcSection_Audi ((user.roles="AuditAdmin")) Only in QMC Read
Content Admin
Content admin should have access rights to content related entities
ContentAdmin Stream_*,App*,ReloadTask_*,UserSyncTask ((user.roles="ContentAdmin")) Only in QMC Create
_*,SchemaEvent_*,User*,CustomProperty*,T Read
ag_*,DataConnection_*,CompositeEvent_*,E Update
xtension_*,ContentLibrary_* Delete
Publish
Change
owner
Content admin should have access rights to content related sections

10
ContentAdminQmcSection License_*,QmcSection_Stream,QmcSection_ ((user.roles="ContentAdmin")) Only in QMC Read
s App,QmcSection_App.Object,QmcSection_Da
taConnection,QmcSection_Tag,QmcSection_
Audit,QmcSection_User,QmcSection_Custom
PropertyDefinition,QmcSection_Task,QmcSe
ction_Event,QmcSection_SchemaEvent,Qmc
Section_CompositeEvent,QmcSection_Extens
ion,QmcSection_ReloadTask,QmcSection_Us
erSyncTask,QmcSection_ContentLibrary
Content admin should have access rights to manage security rules for streams, data connections and content libraries
ContentAdminRulesAccess SystemRule_* user.roles = "ContentAdmin" and resource.category = "Security" and Only in QMC Create
(resource.resourcefilter matches Read
"Stream_¥w{8}-¥w{4}-¥w{4}-¥w{4}-¥w{12}" or resource.resourcefilter Update
matches "DataConnection_¥w{8}-¥w{4}-¥w{4}-¥w{4}-¥w{12}" or Delete
resource.resourcefilter matches
"ContentLibrary_¥w{8}-¥w{4}-¥w{4}-¥w{4}-¥w{12}")
11
Deployment Admin
Deployment admin should have access rights to deployment related entities
DeploymentAdmin ServerNodeConfiguration_*,Engine*,Proxy*, ((user.roles="DeploymentAdmin")) Only in QMC Create
VirtualProxy*,Repository*,Scheduler*,User*, Read
CustomProperty*,Tag_*,License*,ReloadTask Update
_*,UserSyncTask_*,SchemaEvent_*,Composi Delete
teEvent_*
Deployment admin should have access rights to see and update apps in order to handle sync rules
DeploymentAdminAppAcc App_* ((user.roles="DeploymentAdmin")) Only in QMC Read
ess Update
12
Deployment admin should have access rights to deployment related sections
DeploymentAdminQmcSec License_*,ServiceStatus_*,QmcSection_Tag, ((user.roles="DeploymentAdmin")) Only in QMC Read
tions QmcSection_Templates,QmcSection_ServerN
odeConfiguration,QmcSection_EngineService
,QmcSection_ProxyService,QmcSection_Virtu
alProxyConfig,QmcSection_RepositoryServic
e,QmcSection_SchedulerService,QmcSection_
License*,QmcSection_Token,LoadbalancingS
electList,QmcSection_User,QmcSection_User
Directory,QmcSection_CustomPropertyDefini
tion,QmcSection_Certificates,
QmcSection_Certificates.Export,QmcSection
_Task,QmcSection_App,QmcSection_SyncRul
e,QmcSection_Event,
QmcSection_ReloadTask,
QmcSection_UserSyncTask,
QmcSection_Audit
Deployment admin should have access rights to manage sync and license rules
DeploymentAdminRuleAcc SystemRule_* user.roles = "DeploymentAdmin" and (resource.category = "Sync" or Only in QMC Create
ess resource.category = "License") Read
Update
Delete
13
Security Admin
Security admin should have access rights to security related entities
SecurityAdmin Stream_*,App*,Proxy*,VirtualProxy*,User*, ((user.roles="SecurityAdmin")) Only in QMC Create
SystemRule_*,CustomProperty*,Tag_*,Data Read
Connection_*,ContentLibrary_* Update
Delete
Publish
Change
owner
Security admin should have access rights to security related sections

SecurityAdminQmcSection License_*,QmcSection_Stream,QmcSection_ ((user.roles="SecurityAdmin")) Only in QMC Read
s App,QmcSection_App.Object,QmcSection_Sy
stemRule,QmcSection_DataConnection,Qmc
Section_Tag,QmcSection_Templates,QmcSect
ion_Audit,QmcSection_ProxyService,QmcSec
tion_VirtualProxyConfig,QmcSection_User,Q
mcSection_CustomPropertyDefinition,QmcSe
ction_Certificates,QmcSection_Certificates.E
xport,QmcSection_ContentLibrary
14
Security admin should have read rights on ServerNodeConfiguration entity
SecurityAdminServerNode ServerNodeConfiguration_* ((user.roles="SecurityAdmin")) Only in QMC Read
Configuration
15

Qlik Sense Security Rule List (v1.1)

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Qlik Sense Security Rule List (v1.1)

Uploaded by

Copyright:

Available Formats

Qlik Sense Security Rules List

Qlik Sense 1.1

ReadAppDataSegments App.DataSegment_* resource.App.HasPrivilege("read") and !user.IsAnonymous() Both in hub Read

UpdateAppDataSegments App.DataSegment_* resource.App.HasPrivilege("update") and !user.IsAnonymous() Both in hub Create

and QMC Read

Content library content StaticContentReference_* resource.ContentLibrarys.HasPrivilege("Read") Both in hub Read

Content library manage StaticContentReference_* resource.ContentLibrarys.HasPrivilege("Update") Both in hub Create,

content and QMC Read

Extension manage content StaticContentReference_* resource.Extensions.HasPrivilege("Read") Both in hub Create,

and QMC Read

Extension static content StaticContentReference_* resource.Extensions.HasPrivilege("Update") Both in hub Read

ReadFileReference FileReference_* !user.IsAnonymous() Both in hub Read

Installed Static Content

Installed static content StaticContentReference_* ((resource.StaticContentSecurityType="Open")) Both in hub Read

Owner * resource.IsOwned() and (resource.owner = user Both in hub Read

and !((resource.resourcetype = "App" and !resource.stream.Empty()) and QMC Update

or (resource.resourcetype = "App.Object" and resource.published = Delete

The owner of a resource should be able to publish an object

OwnerPublish * resource.IsOwned() and resource.owner = user Both in hub Publish

and !(resource.resourcetype = "App.Object") and QMC

resource.resourcetype = "App.Object" and resource.approved = "false" and QMC

OwnerRead * resource.IsOwned() and resource.owner = user Both in hub Read

Temporary content TempContent_* !user.IsAnonymous() Both in hub Create

User (Service Account / Root Admin)

ServiceAccount * user.UserDirectory = "INTERNAL" and (user.UserId = Both in hub Create

"sa_repository" or user.UserId = "sa_proxy" or user.UserId = and QMC Read

"sa_scheduler" or user.UserId = "sa_engine") Update

RootAdmin * ((user.roles="RootAdmin")) Both in hub Create

and QMC Read

CreateApp App_* !user.IsAnonymous() Only in hub Create

ExportAppData App_* !user.IsAnonymous() Only in hub Export data

CreateAppObjectsPublishedApp App.Object_* !resource.App.stream.Empty() and Only in hub Create

resource.App.HasPrivilege("read") and (resource.objectType =

"userstate" or resource.objectType = "sheet" or resource.objectType =

"story" or resource.objectType = "bookmark" or resource.objectType =

"snapshot" or resource.objectType = "embeddedsnapshot" or

resource.objectType = "hiddenbookmark") and !user.IsAnonymous()

CreateAppObjectsUnPublishedApp App.Object_* resource.App.stream.Empty() and Only in hub Create

resource.App.HasPrivilege("read") and !user.IsAnonymous()

Default content library ContentLibrary_365cddf2-1181-4204-8800-e9 true Both in hub Read

a46fe3b127 and QMC

DataConnection DataConnection_* ((resource.type!="folder")) Only in hub Create

It should be possible for admins to create folder data connections

"ContentAdmin" or user.roles = "SecurityAdmin") Read

Default content library Extension_* ((resource.resourcetype="Extension")) Both in hub Read

Stream App* (resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) Both in hub Read

or ((resource.resourcetype = "App.Object" and resource.published ="true") and QMC

StreamAdministration Stream_a70ca8a5-1d59-4cc9-b5fa-6e207978d ((user.roles="RootAdmin" or user.roles="ContentAdmin" or Both in hub Read

caf user.roles="SecurityAdmin" or user.roles="DeploymentAdmin" or and QMC Publish

StreamEveryone Stream_aaec8d41-5201-43ab-809f-3063750df !user.IsAnonymous() Both in hub Read

afd and QMC Publish

StreamEveryoneAnonymo Stream_aaec8d41-5201-43ab-809f-3063750df true Both in hub Read

us afd and QMC

AuditAdmin Tag_* ((user.roles="AuditAdmin")) Only in QMC Create

Audit admin should have access rights to audit related sections

AuditAdminQmcSections License_*,QmcSection_Tag,QmcSection_Audi ((user.roles="AuditAdmin")) Only in QMC Read

ContentAdmin Stream_*,App*,ReloadTask_*,UserSyncTask ((user.roles="ContentAdmin")) Only in QMC Create

Content admin should have access rights to content related sections

(resource.resourcefilter matches Read

"Stream_¥w{8}-¥w{4}-¥w{4}-¥w{4}-¥w{12}" or resource.resourcefilter Update

matches "DataConnection_¥w{8}-¥w{4}-¥w{4}-¥w{4}-¥w{12}" or Delete

DeploymentAdmin ServerNodeConfiguration_*,Engine*,Proxy*, ((user.roles="DeploymentAdmin")) Only in QMC Create

DeploymentAdminAppAcc App_* ((user.roles="DeploymentAdmin")) Only in QMC Read

ContentAdmin Stream_,App,ReloadTask_*,UserSyncTask ((user.roles="ContentAdmin")) Only in QMC Create

DeploymentAdmin ServerNodeConfiguration_,Engine,Proxy*, ((user.roles="DeploymentAdmin")) Only in QMC Create

DeploymentAdminQmcSec License_,ServiceStatus_,QmcSection_Tag, ((user.roles="DeploymentAdmin")) Only in QMC Read

SecurityAdmin Stream_,App,Proxy,VirtualProxy,User*, ((user.roles="SecurityAdmin")) Only in QMC Create