Qlik Sense June release just arrived with many promising features including cognitive engine that makes suggestions for associations on the fly. While Qlik Sense keeps getting better with every new release, Qlik Sense also offers incredibly flexible security rules engine so my intent is to walk you through basics of Qlik Sense security and tips on how to implement it for your organization.

Basics

ABAC2Qlik Sense security is based on Attribute Based Access Control(ABAC).  It boils down to this principle — a user request to perform actions on resources are granted or denied based on combination of user and resource attributes,  environment conditions, and a set of security rules that are specified in terms of those attributes and conditions.

In this example, user’s group from LDAP gets compared with a custom property StreamGroup assigned to a specific stream. Since you can assign multiple values to a custom property, you can allow multiple user groups to access a stream.

 

Resources

Apps, Streams,  App Objects, Tasks and various QMC sections are all examples of resources.  Each security rule will have a resource or list of resources on which the rule conditions apply.

Example:  You can create a rule — or customize rules from the gss framework — to allow user to access app only if user’s AD group matches with App’s custom property — @AppADGroup

rule

 

Notice App* in this resource filter. You may also use App_* but with different implication.

Explicit type naming using wildcard (_*)

Use the “_*” wildcard to explicitly define the type of resource to apply the rule to.

For example, “App_*” will apply the rule to all App resources only.

Implicit type naming using wildcard (*)

Use wildcard to define the resource or resources.

For example, “App*” will apply the rule to all resources beginning with “App”. This means that this rule will apply to apps, sheets, stories, data and objects.

Role Based Access Control(RBAC)

This basic, flexible rule framework leads to role based access control. You can create a custom role based matrix and then create set of security rules along with set of custom properties to implement RBAC for your organization.

Since security in Qlik Sense enterprise implementation is completely different compare to QlikView, I have some tips that may help you overcome this skirmish.

gss

Start with roles that you envision for your enterprise and actions for each of the role both in development and production
environments. A good place to start is to visit Qlik Sense Governed Self-Service community page and review various roles — TeamAdmin, Developer, Designer, Contributor, Analyst and Consumer.

 

iportalNext, install iPortal. It will allow you to impersonate sample users for these roles. If you need to customize various rules, always make a copy of the original rule as a rule of thumb and make changes to the resource filter(s) or rule conditions to ensure that a role can perform set of actions per your security matrix.

Once you create set of rules, you can use Sense power tools to export them to your development environment for further testing and validation.

 

daIf you are new to Qlik Sense and also want to learn more about Section Access for dynamic data reduction, you can enroll in our Udemy best seller Qlik Sense Data Architect Masterclass.

Qlik Sense offers a very robust, flexible security rules engine so understanding how it works can go long way in implementing a governed yet flexible self-service solution for your enterprise.

Elsewhere:

Qlik Sense Governed Self-Service

What I learned about Qlik Sense Security via Qlikfix.com

Why Security Rules in Qlik Sense via Qlik Design Blog