Permissions granted by security roles
A security role grants a set of permissions to all users who have been assigned the role. When a user is assigned to more than one role, they are granted the permissions from each role. Permissions define what a user can see and do in Qlik Cloud.
Security roles control actions and access rights for users and administrators in the tenant. In addition to the tenant-level roles, there are also space roles that control user actions on content within spaces. For more information about space roles, see Managing permissions in shared spaces, Managing permissions in managed spaces, and Data space roles and permissions.
Permissions for tenant administrators
Users who are assigned the Tenant Admin role have broad permissions to manage a tenant. This includes managing users, access control, and tenant configuration.
For certain actions, the tenant administrator needs additional permissions. You need the Developer role to create API keys and you need to be a member of a space to access data and apps in that space.
Tenant administrators are the only administrators who can make edits in another user's personal space.
The table lists the permitted actions on content in other users' personal spaces.
| Resources | Permissions |
|---|---|
| Apps | List, Open, Delete, Export (download) |
| Data connections |
List, Edit, Delete, Open (for app reload) Can also open (read) data files for app reload. |
Anyone who is assigned the Tenant Admin role may be granted access to:
-
Information (which may include personal information) relating to all users in the tenant to which the Tenant Admin role is assigned; and
-
The subject (which is a unique string used to identify the user that is provided to Qlik Cloud by the configured identity provider) for users of other tenants which share the same Qlik license or subscription as the tenant on which the Tenant Admin role is assigned.
Permissions for analytics administrators
Users who are assigned the Analytics Admin role are administrators with limited permissions. They have access to parts of the Management Console, such as managing shared and managed spaces, extensions, and themes.
Analytics administrators cannot manage users in the Users section of the Management Console. They can manage space members in space types that they are allowed to manage. Analytics administrators do not have any access to other users' private content.
The table lists the permissions that are granted by this role.
| Resources | Permissions |
|---|---|
| Private apps |
None |
| Shared apps | List, Delete |
| Managed apps | List, Delete |
| Generic links | Create, Read, Update, Delete |
| Data sets | Read, Delete |
| Data assets | Read, Delete |
| Private data files |
None |
| REST data files | List, Delete |
| Data connections | List, Delete |
| Shared spaces | Create, Read, Update, Delete |
| Managed spaces | Create, Read, Update, Delete |
| Extensions | Create, Read, Update, Delete |
| Automations | Enable, Disable, List, Delete, Change owner |
| Management Console | Read |
| Themes | Create, Read, Update, Delete |
| Audit | Read |
| Sharing service task | Create, Read, Update, Delete |
Permissions for data administrators
Users who are assigned the Data Admin role are administrators with limited permissions for data spaces and data resources within those spaces. In the Management Console, they can access only the areas for which they have permissions.
Data administrators cannot manage users in the Users section of the Management Console. They can manage space members in space types that they are allowed to manage. Data administrators do not have any access to other users' private content.
The table lists the permissions that are granted by this role.
| Resources | Permissions |
|---|---|
| Private data integration apps |
None |
| Shared data integration apps | List, Create, Read, Update, Delete, Operate, Change owner |
| Private data sets | None |
| Data integration data sets | List, Read, Delete |
| Private data assets | None |
| Data integration data asset | List, Read, Delete |
| Private resource connection | None |
| Data integration resource connection | List, Create, Read, Update, Delete |
| Private data store | None |
| Data Integration data store | List, Read, Delete |
| Data space | Create, Read, Update, Delete |
Permissions for audit administrators
Users who are assigned the Audit Admin role, in addition to the Developer role, can access app feedback and usage information captured as part of the Natural Language API. An audit administrator can view a variety of usage metrics for Insight Advisor and Insight Advisor Chat. This API enables evaluation of patterns in user interactions with apps, including feedback provided for analyses generated by Insight Advisor and Insight Advisor Chat. This information can be used to improve user experience through adjustments to the app, either within the data or in the business logic of the app.
This API only returns app information from shared and managed spaces. An audit administrator does not have access to usage metrics data for personal spaces.
To view the usage metrics of an app, an audit administrator must also be assigned one of the following space roles in the space where the app is located.
Roles in shared spaces:
-
Owner
-
Can manage
-
Can edit
-
Can view
Roles in managed spaces:
-
Is owner
-
Can manage
-
Can contribute
-
Can view
-
Has restricted view
For more information about how Insight Advisor user interaction data can be used to improve app usability, see Using feedback and usage metrics to improve app usability. For specifics about the Natural Language API, see Natural language, and for a tutorial on using the Natural Language API, see Collect and share Insight Advisor feedback.
The table lists the permissions that are granted by this role.
| Resources | Permissions |
|---|---|
| Audit |
Read |
| Management Console | Read |
| Filter action of the Natural Language API | Read |
| User | List, Read |
Permissions for space creators
Users with one of the space creator roles have the permission to create a space of that type from the hub.
The table lists the permissions that are granted by the roles.
| Resources | Permissions |
|---|---|
| Data spaces | Create |
| Resources | Permissions |
|---|---|
| Managed spaces | Create |
| Resources | Permissions |
|---|---|
| Private spaces | Create |
By default, all users with Professional entitlement are assigned the Shared Space Creator role. Tenant administrators can turn off this automatic role assignment by toggling off Professional entitlements can create shared spaces under Settings > Entitlements in the Management Console.
Permissions for private analytics content creators
Users with the Private Analytics Content Creator role can create analytics content in personal spaces. Users without this role can still create monitored charts, alerts, subscriptions, and notes in their personal space.
The table lists the permissions that are granted by this role on resources in personal spaces.
| Resources | Permissions |
|---|---|
| Qlik Sense apps |
Create, Duplicate, Import, Source |
| QlikView apps |
Duplicate, Import, Source |
| Data connections | Create, Update, Change space |
| Data files |
Create, Update |
| Data sets | Create, Update, Profile |
Note that tenant administrators must also have the Private Analytics Content Creator role to perform the actions in the table.
By default, all users with Professional entitlement are assigned the Private Analytics Content Creator role. Tenant administrators can turn off this automatic role assignment by toggling off Professional entitlements can create private analytics content under Settings > Entitlements in the Management Console.
The role cannot be assigned to users with Analyzer entitlement. You can assign the role to a group that includes users with Analyzer entitlement, but the role will have no affect for those users.
As you can see in the table above, this role does not control all actions on the resources. If you remove the role from a user who has analytics content in their personal space, the user can still use that content. Any already existing data connections and data files can be selected and used, and scripts can be updated and reloaded.
Permissions for automation creators
Users with the Automation Creator role can create automations in personal spaces.
The table lists the permissions that are granted by this role.
| Resources | Permissions |
|---|---|
| Qlik Application Automation |
Create, Update, Run, Enable, Disable, Duplicate |
For new tenants, the Automation creator role is automatically assigned to all users by default. Tenant administrators can turn off this automatic role assignment by toggling off the Auto assign option under Users > Permissions in the Management Console. See Assigning security roles to everyone in the tenant.
Permissions for developers
You need the Developer role to generate API keys. Users with this role have an API keys section on their user profile menu. For more information, see Managing API keys.
The table lists the permissions that are granted by this role.
| Resources | Permissions |
|---|---|
| API keys |
List, Create, Read, Update, Delete |
Permissions for data services contributors
You need the Data Services Contributor role to work with Qlik Cloud Data Integration. Users with this role can access the Qlik Cloud Data Integration home by selecting Data Integration from the launcher menu 
.
The table lists the permissions that are granted by this role.
| Resources | Permissions |
|---|---|
| Data services |
Read |
By default, all users with Professional entitlement are assigned the Data Services Contributor role. Tenant administrators can turn off this automatic role assignment by toggling off Professional entitlements can access Data Integration under Settings > Entitlements in the Management Console.
Permissions for business glossary stewards
With the Steward role, you can create, update, and delete a glossary as well as edit or delete a term in Verified state or change the term status to Verified. In addition to the Steward role, you must also be assigned the Can edit space role in the space where the glossary is located.
The table lists the permissions that are granted by this role.
| Resources | Permissions |
|---|---|
| Business glossaries |
Create, Read, Update, Delete |
| Glossary terms | Change status |