Early Access: The content on this website is provided for informational purposes only in connection with pre-General Availability Qlik Products.
All content is subject to change and is provided without warranty.
Skip to main content Skip to complementary content
Qlik Resources

Assigning security roles

Security roles provide a set of tenant level permissions to users and administrators, beyond the general permissions granted by the user entitlements. Security roles are optional. For users who have not been assigned any roles, their permissions are based on their user entitlement.

Information noteThis topic is applicable to Qlik Sense Enterprise SaaS, Qlik Sense Business, and Qlik Cloud Government. If you have a subscription for the Standard, Premium, or Enterprise edition of Qlik Cloud Analytics or Qlik Cloud Data Integration, see Managing users - Capacity-based subscriptions.

Security roles control actions and access rights for users and administrators in the tenant. In addition to the tenant-level roles, there are also space roles that control user actions on content within spaces. For more information about space roles, see Managing permissions in shared spaces, Managing permissions in managed spaces, and Data space roles and permissions.

You can assign roles to individual users or groups of users from the Management Console.

Assigning security roles to users

The Users section in the Management Console has two tabs. Tenant administrators can assign security roles from the All users tab or from the Permissions tab.

Information note If the user is logged in when they are assigned a security role, they must log out and log in again for the role to be applied.

The All users tab shows a list of users who have been added or invited to the tenant. You can select one or more users to see all roles assigned to them.

Do the following:

  1. In the Management Console, go to Users > All users.

  2. Select one or more users and click Edit roles.

  3. In the Edit roles dialog, select the roles you want to assign on the User tab or Admin tab.

  4. Click Save.

On the Permissions tab, you see all available security roles. You can select a role to see all users assigned to this role.

Do the following:

  1. In the Management Console, go to Users > Permissions.

  2. Click the arrow Arrow down on the security role you want to assign.

  3. On the Users tab, click Assign.

  4. Search for users by name or email and add them to the list.

  5. Click Assign.

Assigning security roles to groups

Groups are defined through your identity provider and not created from the Management Console. Tenant administrators can assign security roles to groups from the Permissions tab in the Management Console. When you assign a role to a group, every member of that group is granted the permissions defined by the role.

Information note If the user is logged in when they are assigned a security role, they must log out and log in again for the role to be applied.

Do the following:

  1. In the Management Console, go to Users > Permissions.

  2. Click the arrow Arrow down on the security role you want to assign.

  3. On the Groups tab, click Assign.

  4. Search for groups by name and add them to the list.

  5. Click Assign.

Information noteIf you add users to the tenant individually and they are included in a group through the identity provider, it is possible that user is assigned the same role twice: once from their user assignment and once from their group assignment. To remove a user assignment for such a user, you must unassign the role from both the Users tab and the Groups tab.

Assigning security roles to everyone in the tenant

Tenant administrators can assign security roles to all users in the tenant from the Auto assign column on the Permissions tab in the Management Console. A role assigned to a user this way is removed from the user if you set the value in the column to Off.

Do the following:

  1. In the Management Console, go to Users > Permissions.

  2. Find the security role you want to assign to everyone and select Anyone at <your_tenant_name> in the Auto assign column.

    All users will now be assigned the role the next time they log in.

For new tenants, the following roles are automatically assigned to all users by default:

  • Automation Creator

  • Data Services Contributor

  • Steward

  • Private Analytics Content Creator

  • Shared Space Creator

The Settings pane in the Management Console also has toggles for automatically assigning certain roles (Shared Space Creator, Private Analytics Content Creator, and Data Services Contributor). Those toggles are slightly different from the Auto assign option:

  • A role assigned to a user by the Auto assign option on the Users > Permissions tab is kept only as long as the toggle is turned on. The role will be removed from the user as soon as the toggle is turned off. The role is assigned to users with Professional and Analyzer entitlement.

  • A role assigned to a user by the toggle under Settings is kept until manually removed from the user—even if the toggle is turned off. The role is only assigned to users with Professional entitlement.

What is a security role

A security role is a set of permissions that are granted to a user in addition to the permissions granted by their user entitlement. Security roles are divided into administrator roles and user roles. Administrator roles enable management of tenant-wide functions that affect governance, performance, and security. User roles enable actions on resources, such as editing apps or opening data files. By assigning roles to users, you can better organize your users and what they can do in the tenant.

You can assign the following security roles. For more information about the permissions granted with each role, see Permissions granted by security roles.

Security roles
Role Type Permissions Access granted with role
Tenant Admin Administrator An administrator with full permissions to manage and administer all aspects of the tenant. Access to Management Console from the launcher menu
Analytics Admin Administrator An administrator with limited permissions to manage only some areas of governance and content. Access to Management Console from the launcher menu
Audit Admin Administrator An administrator with limited permissions, including access to events and data from the Natural Language API (Developer role also needed). Access to Management Console from the launcher menu
Data Admin Administrator Administrator with limited permissions to manage only data spaces. Access to Management Console from the launcher menu
Developer User A user who can generate API keys. API keys option on the user profile menu
Data Space Creator User A user who can create data spaces. Create space option under the Add new button in hub
Managed Space Creator User A user who can create managed spaces. Create space option under the Add new button in hub
Shared Space Creator User A user who can create shared spaces. Create space option under the Add new button in hub
Data Services Contributor User A user who has access to Data Integration services Access to Data Integration from the launcher menu
Private Analytics Content Creator User A user who can create private analytics content. Personal space option in the Space list when adding new content
Automation Creator User A user who can create private automations. New automation option under the Add new button in the hub.
Steward User A user who can create, update, and delete a glossary, and approve, edit, and delete terms. Create glossary option under the Add new button in hub.

How security roles interact with user entitlement

Users who join the tenant are assigned a user entitlement, either Professional entitlement or Analyzer entitlement. User entitlements divide users into content consumers and content creators. The user entitlement also determines which areas of the tenant are visible to a user. For more information, see Assigning user entitlements.

  • Users with Professional entitlement are both content consumers and content creators, which means they have access to the Add New button. This lets them create new resources like apps and spaces.

  • Users with Analyzer entitlement are strictly content consumers, as a result, the Add New button is hidden from their view.

However, administrator roles and user roles provide additional permissions beyond user entitlement permissions. For example, a user with Analyzer entitlement who is assigned a space creator role will gain access to the Add New button to create a space.

Information noteWhen designing your permission structure, provide Professional entitlement to any user who will be assigned a specific security role.

By default, the Shared Space Creator, Private Analytics Content Creator, and Data Services Contributor roles are assigned to all users with Professional entitlement. Tenant administrators can choose to turn off this automatic role assignment.

Do the following:

  1. In the Management Console, go to Settings > Entitlements.

  2. Toggle off Professional entitlements can create shared spaces, Professional entitlements can create private analytics content, or Professional entitlements can access Data Integration.

All users who have been automatically assigned the Shared Space Creator role, Private Analytics Content Creator role, or Data Services Contributor role will retain that role until an administrator manually removes it.

How security roles interact with the Data Integration subscription

The Data Integration subscription gives you access to the Data Integration home and to security roles specifically designed for data admins and data spaces.

Related learning:

Learn more

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – let us know how we can improve!

Leave your feedback here