
Understanding Security Rule Context
Qlik Sense Security
Overview
There are two locations, or routes, that users can access when interacting with Qlik Sense:
Hub
QMC
The Context option that is available when creating a security rule specifies which location the rule applies to. In Qlik Sense, a user can see an app published to a stream, for example, in the Hub. A user can also see a record of an app in the Apps section of QMC. QMC doesn't show visualizations and data within apps, but it does show app records and app details such as the owner of an app, the app's description, whether or not the app is published, etc.
With Qlik Sense security rules, it is possible to give a user access to an app, for example, and have that user be able to access the app only in the Hub. There's also an option to let a user access an app only in QMC. And, of course, there's also an option to permit a user to access an app in both QMC and the Hub.
That's fairly straightforward and really all there is to context. However, what might not be clear is why some resources, like a QMC Section or a Virtual Proxy, have the Only in hub context option available. In this guide, you will see the impact of giving a user access to a resource in the Hub, in QMC, and in both locations, and learn more about the odd cases of QMC-only resources having the Only in hub option available.
2 points, 2 takeaways, low complexity
01. Apps & Streams Access in Different Context
To demonstrate how the Context options work, I'll set up a simple security rule to give a user Read access to all apps and streams. First, we'll set the context on this rule to Only in hub and check what the user is able to see in the Hub and in QMC. Then, I'll switch the rule context to Only in QMC and we'll take a look at the impact. The idea is to have a clear example of how the context option in a security rule controls visibility of resources in the Hub and in QMC. Feel free to follow along if you like, or just observe as I demonstrate what the Context option controls.
Step 01.
I'll start by going to the Security rules section in QMC using my Root Admin account and finding the default rule called StreamEveryone.
Step 02.
Click the Edit button to edit the rule.

Step 03.
Check the Disabled checkbox.
Step 04.
Click Apply to save the change.

Step 05.
Back in the Security rules section, click the Create new button to create a new security rule.

Step 06.
Name the rule and enter App_*,Stream_* in the Resource filter input box to tell Qlik Sense that this rule applies to all apps and streams.
Step 07.
In the Actions section, check the Read action.
Step 08.
In the Conditions dropdown, select a user that you would like to give access to.
Step 09.
In the Context section, select Only in hub to have this rule applied only to the Hub.

Now that we have a rule that gives the user access to all apps and streams explicitly in the Hub, let's see how that looks and confirm that it works as intended. Before we do that, I'll show you the list of all apps and streams in my environment so we know what to expect the user to see.
Step 10.
I'm logged in using my service account with Root Admin privileges, which will show us all of the available streams and apps in my environment.
Step 11.
I'll go to the Streams section in QMC and note the two streams that I have available. The user should be able to see both of these streams in the Hub.

Step 12.
Still logged in with the service account, I'll go to the Apps section and note all of the published apps that the user should see in the Everyone stream and the Monitoring apps stream.

Step 13.
Log in to the Hub with the user account for which the rule in steps 06 through 09 above was created.
Step 14.
Notice that both the Everyone stream and the Monitoring apps stream are visible to the user.
Step 15.
Go to the Everyone stream and note that the two apps published in that stream are accessible to the user as intended.

Step 16.
Go to the Monitoring apps stream.
Step 17.
Notice that the two apps published in the Monitoring apps stream are also accessible to the user.

So far, so good. We gave the user access to all apps and streams in the Hub, and the user is able to see all apps and streams.
Next, let's create a security rule to give the user access to the Apps and Streams sections in QMC and see if the user will be able to see the same apps and streams in QMC. Remember, since the rule from step 09 above has Only in hub specified as its context, the user shouldn't see any streams or apps in QMC.
Step 18.
Using the service account, I went back to QMC, to the Security rules section, and clicked the Create new button to create a rule. I named the rule and entered QmcSection_App,QmcSection_Stream to give the user access to the Apps and Streams sections of QMC.
Step 19.
In the Actions section of the security rule, check the Read action.
Step 20.
In the Conditions dropdown, select a user that you would like to give access to.
Step 21.
In the Context section, select Only in QMC to have this rule applied only to QMC.

Step 22.
Log in to QMC with the user's account that was specified in step 20 above.
Step 23.
Notice that the Apps section is accessible to the user.
Step 24.
Notice that the Streams section is also accessible to the user.

Step 25.
Go to the Apps section and notice that, as intended, the user isn't able to see any apps in the Apps section of QMC.

Step 26.
Go to the Streams section and notice that the user doesn't have access to any streams in QMC either.

This demonstrates and confirms how the Context option in a security rule works. With Context, you can control where a user is able to access a resource. There are, of course, resources like QMC Sections that are accessible only in QMC, so it wouldn't make sense to give a user access to a QMC section with the Only in hub context. In other cases, where a resource is accessible to the user through both the Hub and QMC, the context option allows you to specify where you would like the user to be able to access the resource.
To complete the demonstration, I'll go back to the rule created in steps 06 through 09 and switch the context from Only in hub to Only in QMC to confirm that the user will lose access to streams and apps in the Hub and will gain access to all streams and apps in QMC.
Step 27.
Log in to QMC using the Root Admin account, go to Security rules, and change the Context option of the rule created in steps 06 through 09 from Only in hub to Only in QMC.
Step 28.
Click Apply.

Step 29.
Log in to QMC with the user's account and go to the Apps section.
Step 30.
Notice that the user is now able to see all apps in QMC.

Step 31.
Go to the Streams section to see that the user is now able to see all streams as well.

Step 32.
Next, log in to the Hub with the user's account.
Step 33.
Notice that the user no longer has access to streams or the apps within them.

There you have it. Context simply controls where a user is able to have access to Qlik Sense resources. There's no complexity beyond that.
The last Context option, which I didn't show here, is Both in hub and QMC.

I won't go through a demonstration of that context option. As the context name suggests, the Both in hub and QMC option will give the user access to the specified resource in the Hub as well as in QMC.
02. When to Use Which Context?
Now that you know what the Context option does, the question of when to use which context should be fairly self-explanatory. If a user needs access to a resource in the Hub, set the context of the security rule to Only in hub. If a user needs access to a resource in QMC, set the context to Only in QMC. And when a user needs access to a resource both in the Hub and in QMC, use the Both in hub and QMC option in the Context setting of the security rule.
With resources like apps, streams, data connections, extensions, etc., the Context option of a security rule is fairly straightforward. However, some resources, like a QMC Section or Virtual Proxy, are accessible only through QMC. You and I can still create a rule for a QMC Section, for example, and set the context to Only in hub, but that will make the rule useless.
When you create a new security rule and select a resource in Resource filter, Qlik did a good job of updating the list of Actions to show those that are applicable to the resource, but they didn't do the same for Context options. So, if you are creating a security rule to give someone access to a QMC Section and you see the Context option Only in hub, know that Qlik developers just didn't get around to creating conditional logic to hide irrelevant context options based on the selected resource. That's all.
By the way, there are also some resources that are accessible only in the Hub, like Hub Sections and ODAG Links, that also have a Context option of Only in QMC for the same reason: Qlik Sense doesn't have functionality to hide irrelevant Context options.
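The walkthrough in section 01 and the context mismatch described above can be modeled in a few lines. This is an added example, not code from this guide or from Qlik: the rule dictionaries are a simplified model rather than Qlik's rule format, the user name jdoe and resource IDs are constructed, and the HubSection prefix is an assumption.

```python
from fnmatch import fnmatchcase

HUB, QMC = "hub", "qmc"
# Context labels as shown in the rule editor -> locations each one covers.
CONTEXTS = {
    "Only in hub": {HUB},
    "Only in QMC": {QMC},
    "Both in hub and QMC": {HUB, QMC},
}
# Resource types reachable from one location only. QmcSection comes from the
# guide; the HubSection prefix is an assumption made for this example.
SINGLE_LOCATION = {"QmcSection": QMC, "HubSection": HUB}

def filters(rule):
    return [f.strip() for f in rule["resource_filter"].split(",")]

def can_read(rules, user, resource, location):
    """True if an enabled rule grants `user` Read on `resource` at `location`."""
    for r in rules:
        if r.get("disabled") or r["user"] != user or "Read" not in r["actions"]:
            continue
        if location in CONTEXTS[r["context"]] and any(
            fnmatchcase(resource, f) for f in filters(r)
        ):
            return True
    return False  # no matching rule means no access

def ineffective_rules(rules):
    """Names of rules whose context excludes the only place the resource lives."""
    flagged = []
    for r in rules:
        homes = {SINGLE_LOCATION.get(f.split("_", 1)[0]) for f in filters(r)}
        # Flag only if every filter is single-location and none is covered.
        if None not in homes and not homes & CONTEXTS[r["context"]]:
            flagged.append(r["name"])
    return flagged

def rule(name, resource_filter, context, user="jdoe"):
    return {"name": name, "resource_filter": resource_filter,
            "actions": {"Read"}, "user": user, "context": context}

# Constructed rules mirroring the walkthrough, plus one mismatched rule.
RULES = [
    rule("AppsAndStreams", "App_*,Stream_*", "Only in hub"),
    rule("QmcSections", "QmcSection_App,QmcSection_Stream", "Only in QMC"),
    rule("QmcSectionWrongContext", "QmcSection_App", "Only in hub"),
]

if __name__ == "__main__":
    for loc in (HUB, QMC):
        print(loc, "App_1:", can_read(RULES, "jdoe", "App_1", loc))
    print("ineffective:", ineffective_rules(RULES))
```

Running the same check over a real rule inventory requires mapping its fields onto this model first; the flagged names are the rules worth reviewing, since they grant nothing in practice.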
Guide
Summary
Key Takeaways
Context options in a security rule control where a user can access a resource - in the Hub, in QMC, or in both locations.
Qlik Sense doesn't have the functionality to hide irrelevant context options.
As a result, you will see some QMC-only resources, like QMC Section, with the Only in hub context option available and Hub-only resources, like Hub Section, with the Only in QMC context option.
Good work on making it through this lesson! You are another step closer to becoming an expert in Qlik Sense Security!
The next lesson covers the fourth and last part of security rules, which is rule Conditions. So far, we have been using the Conditions section to specify which user should have access to specified resources, but there are more things that the Conditions section can be used for. For example, we can give users access only to apps published in a specific stream, provided that the user is part of a specific Active Directory group. We can get real fancy with Conditions!
In the next lesson, I'll explain what conditions are, how to construct them, and how to use something called resource properties to make your security rules dynamic and precise. Again, great work on making it through the last handful of sessions! Give yourself a fist bump for me and I'll see you in the next lesson!
Copyright © 2023 howdash LLC



