Permissions in User Default and custom roles
User Default settings and custom roles control permissions for users and administrators. User Default defines a baseline for all users, while custom roles allow more specific permissions for selected users or groups. The table below lists all available settings, with additional details in the sections that follow.
Understanding User Default permissions
The User Default permissions act as a tenant-wide baseline profile, applying a standard set of permissions to all users in the tenant by default. Administrators can modify the User Default settings to remove certain permissions for everyone, effectively restricting broad access.
Understanding custom roles
To grant more specific or elevated permissions, custom roles are used. These roles allow administrators to selectively assign permissions to individual users or groups, overriding the restrictions set by the User Default role. This approach provides a granular and controlled way to manage access—first by limiting general permissions through the User Default role, and then by granting necessary access only to selected users or groups via custom roles.
Permission hierarchy
Default permissions and custom roles, along with built-in security roles, control user and administrator access at the tenant level. Additionally, space roles control user actions on content within specific spaces. For more information about the different types of roles, see Roles and permissions for users and administrators.
Permission settings
The following sections list the permissions available in the User Default or custom role settings.
For custom roles, you will also have the option to inherit the User Default permission, shown as "User default (permission setting)"—for example, "User default (Not allowed)". This means that the setting in the custom role will match whatever the default is set to.
The "Not allowed" option is only available for the User Default settings because custom roles can’t remove permissions that are already allowed by default.
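The resolution rules described above can be modeled in a few lines for a least-privilege review. This is an added example, not Qlik code or a Qlik API: the option ordering is read from the option descriptions on this page, combining several custom roles by taking the most permissive value is an assumption, and the role names and sample settings are constructed.

```python
# Added example: a model of the baseline-plus-custom-role rules, not Qlik's implementation.
INHERIT = "User default"  # custom-role option that follows the baseline

# Options from least to most permissive, per the option descriptions on this page.
LEVELS = {
    "In-app content download": ["Not allowed", "No data", "Allowed"],
    "Manage API keys": ["Not allowed", "Allowed"],
    "Use webhooks": ["Not allowed", "Allowed"],
}

def validate_role(role):
    """Reject settings a custom role cannot hold: unknown options and 'Not allowed'."""
    for perm, value in role.items():
        if value == INHERIT:
            continue
        if value not in LEVELS[perm]:
            raise ValueError(f"{perm}: unknown option {value!r}")
        if value == "Not allowed":
            raise ValueError(f"{perm}: 'Not allowed' is only available in User Default")

def effective(perm, user_default, roles):
    """Most permissive value across the baseline and the user's custom roles (assumed rule)."""
    order = LEVELS[perm]
    best = user_default[perm]
    for role in roles:
        value = role.get(perm, INHERIT)
        if value != INHERIT and order.index(value) > order.index(best):
            best = value
    return best

def unrestricted_by_default(user_default):
    """Permissions every user holds at the top level; no custom role can reduce these."""
    return sorted(p for p, v in user_default.items() if v == LEVELS[p][-1])

# Constructed sample configuration (hypothetical role names).
USER_DEFAULT = {
    "In-app content download": "No data",
    "Manage API keys": "Not allowed",
    "Use webhooks": "Allowed",
}
DEVELOPERS = {"Manage API keys": "Allowed", "In-app content download": INHERIT}
ANALYSTS = {"In-app content download": "Allowed"}

if __name__ == "__main__":
    for role in (DEVELOPERS, ANALYSTS):
        validate_role(role)
    for perm in LEVELS:
        print(perm, "->", effective(perm, USER_DEFAULT, [DEVELOPERS]))
    print("Held by all users:", unrestricted_by_default(USER_DEFAULT))
```

Any permission returned by `unrestricted_by_default` has to be tightened in User Default itself, because a custom role can only match or raise the baseline.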
Permission settings — Content types
The Content types section contains permissions to take action on different content types. These are user permissions.
| Subsection | Permission | Options |
|---|---|---|
| Applications | Share applications via fine-grained access control | Allowed: Space owners and users with the Can manage role can share individual applications with users or groups without adding them to the space. Not allowed: Users can only share the entire space, not individual apps. |
| Applications | In-app content download | No data: Users can only download images and PDFs. Data downloads are not permitted. Allowed: Users can download all types of app content. Not allowed: App content downloads are not permitted. |
| Applications | Use GeoOperations | Allowed: Users can use all GeoOperations functions. No geocoding: Users can use all GeoOperations functions, except for Address to point lookup and Point to address lookup. Not allowed: Users cannot use GeoOperations. |
| Applications | Manage write table charts | Allowed: Users have full access to write table functionality, including chart configuration, making changes in editable columns, and access to the change-stores API. Read and write access only: Users can view and interact with write tables in apps. They can make changes in editable columns added to the write table. Users cannot create write table charts or edit existing write table chart configurations, and cannot use API keys to extract changes from the change-stores API. Not allowed: Users cannot view or make changes in editable columns within write tables. They also cannot create write tables or edit existing write table configurations, and they are not granted access to the change-stores API. For more information, see Setting permissions for write tables. |
| Assistants | Manage assistants | View assistants: Users can view assistants and ask questions. Allowed: Users can create, view, and manage assistants. Not allowed: Users cannot access assistants. |
| Automations | Automations | Allowed: Users have access to shared automations. Not allowed: Users can only access personal automations if they are assigned the Automation creator role. Admins can set User Default to not allowed and create custom roles to provide access to shared automations to a group of users. |
| Data content | Data connections | Allowed: Users can list, create, view, update, and delete data connections. Users can also read data from, and store data to, these connections. Read: Users can view data connections, select and load data from connections, and store data to data connections. Not allowed: Users cannot create, view, update, or delete data connections. Users also cannot read data from, or store data to, these connections. For more information, see Assigning permissions for users to work with data connections. |
| Data products | Manage data products | Consume only: Users have access to the Data marketplace. Allowed: Users can view, create, update, activate, and delete data products on the Data marketplace. Not allowed: Users cannot access data products on the Data marketplace. |
| Data quality | Manage validation rules | Apply only: Users can list and view validation rules (depending on their license), and apply rules on datasets. Allowed: Users can view, create, update, and delete validation rules on a space. Not allowed: Users cannot view validation rules. |
| Data quality | Manage semantic types | Assign only: Users can list and view semantic types (depending on their license), and apply semantic types on datasets. Allowed: Users can view, create, update, and delete semantic types. No space role is needed. Not allowed: Users cannot view semantic types. |
| Glossaries | Manage glossaries and approve terms | Allowed: Users can list, create, view, and delete glossaries. In glossaries, users can read, create, edit, and remove terms. Users can verify terms. Read and collaborate on terms only: Users can read, create, edit, and remove glossary terms. Manage only: Users can list, create, view, and delete glossaries, but cannot change terms. In glossaries, users can read, create, edit, and remove terms. Not allowed: Users have no access to glossaries and their terms. |
| Knowledge bases | Manage knowledge bases | View knowledge bases: Users can view knowledge bases. Allowed: Users can create, view, manage, index, and search knowledge bases. Not allowed: Users cannot access knowledge bases in Qlik Cloud. |
| Knowledge bases | Index knowledge bases | Allowed: Users can index knowledge bases and create a reindexing schedule. Not allowed: Users cannot index knowledge bases. |
| Knowledge bases | Search knowledge bases | Allowed: Users can search knowledge bases when asking questions of Qlik Answers assistants. Not allowed: Users cannot search knowledge bases. |
| Lineage | View lineage | Allowed: Users can view lineage and impact analysis between assets. Not allowed: Users cannot view lineage and impact analysis between assets. |
| Links | Manage links | Allowed: Users can view, create, update, and use links in the Analytics activity center. They can delete links that they created. Not allowed: Users cannot view or work with links in the Analytics activity center. For more information, see Who can create links. |
| ML experiments and deployments | Manage ML deployments | Allowed: Users can view, manage, delete, and run predictions with ML deployments. With sufficient permissions for the ML experiment, they can also deploy models to ML deployments. Additionally, users can view ML experiments. Not allowed: Users cannot view, manage, delete, or run predictions with ML deployments. They also cannot deploy models to ML deployments. |
| ML experiments and deployments | Run ML API and connector predictions | Allowed: Users can run predictions from ML deployments using the real-time predictions endpoint in the Machine Learning API or the Qlik Predict analytics connector. Not allowed: Users cannot run predictions from ML deployments using the real-time predictions endpoint in the Machine Learning API or the Qlik Predict analytics connector. |
| ML experiments and deployments | Manage ML experiments | Allowed: Users can view, create, manage, and delete ML experiments. They can also deploy models from experiments into ML deployments. Not allowed: Users cannot view, create, manage, or delete ML experiments. |
| ML experiments and deployments | Approve or reject your ML models | Allowed: From any ML deployment they can access, users can activate and deactivate predictions for the source model. Not allowed: From any ML deployment they can access, users cannot activate or deactivate predictions for the source model. For more information about model approval by non-administrators, see Approving deployed models. |
| Notes | Manage notes | Allowed: Users can create, view, update, delete, and share notes in activity centers and apps. Not allowed: Users cannot create, view, update, delete, or share notes in activity centers and apps. |
| Reporting | Generate all reports | Allowed: Users can configure and generate all types of reports available with value-add capabilities of the Qlik Reporting Service. On-demand reports: Users can only configure and generate reports using on-demand reporting and the Qlik Reporting Service API. Not allowed: Users cannot work with any value-add capabilities of the Qlik Reporting Service. For more information, see Setting permissions for metered reporting features. |
Permission settings — Features and actions
The Features and actions section contains permissions for tenant-wide access to special features and actions. These are user permissions.
| Subsection | Permission | Options |
|---|---|---|
| Data quality | AI-based descriptions and suggestions | Allowed: Users can generate AI-based validation rules for datasets, and descriptions for any resources. Not allowed: Users cannot generate AI-based validation rules, descriptions or suggestions. |
| Data quality | Compute data quality | Read: Users can view the results of the data quality computation. Allowed: Users can compute data quality and view the results. Not allowed: Users cannot compute data quality. |
| Data quality | Configure Qlik Trust Score™ | Allowed: Users can configure the Qlik Trust Score™ dimensions at the tenant level, view the score and its history. Not allowed: Users cannot configure or view the Qlik Trust Score™. |
| Developer | Manage API keys | Allowed: Users can create, view, update, and delete their own API keys in their personal settings. Not allowed: Users cannot create or manage API keys. |
| Natural language query | Structured data | Allowed: Users can access Insight Advisor in all forms within Qlik Cloud. In other words, users can access Insight Advisor and Insight Advisor Chat from activity centers and apps. Not allowed: Users cannot access Insight Advisor within Qlik Cloud. In other words, users cannot access Insight Advisor or Insight Advisor Chat from activity centers or apps. |
| Natural language query | Insight Advisor in Microsoft Teams | Allowed: Users can access Insight Advisor Chat from Microsoft Teams. Not allowed: Users cannot access Insight Advisor Chat from Microsoft Teams. |
| Space management | Request access to content | Allowed: Users can request access to content through the standard Qlik process. Not allowed: Users cannot request access. You can customize the message shown when they try to access content to guide them to your organization's process. For more information, see Customizing the access request process and Approving access requests. |
| Webhooks | Use webhooks | Allowed: Users can create, update, delete, and list their own webhooks using the webhooks API and automations UI. Not allowed: Users cannot manage webhooks. For more information, see Working with webhooks. |
| Learn | Access learning | Allowed: Can access the learning center. Not allowed: Cannot access the learning center. For more information, see Getting started and learning options. |
Permission settings — Admin permissions
The Admin permissions section contains permissions for administrators of the Qlik Cloud tenant.
| Subsection | Permission | Options |
|---|---|---|
| None | Approve or reject ML models | Allowed: In the Administration activity center, users can activate and deactivate predictions for any deployed model in the tenant. From any ML deployment they can access, users can also activate and deactivate predictions for the source model. Not allowed: In the Administration activity center, users cannot activate or deactivate predictions for any deployed model in the tenant. However, users can activate and deactivate predictions for the source model from any ML deployment they have access to. For more information about model approval by administrators, see Working with model approval as an administrator. |
| None | Tenant Admin Automations | Allowed: Users can list, enable, disable, change the space, change the owner, and delete automations. Not allowed: Users can only manage their own automations. |
| ML experiments and deployments | Manage ML experiments and deployments | Allowed: Users can list, open, and delete any experiment or deployment. Users can also activate and deactivate predictions for any deployed model via the Administration activity center. Not allowed: Users cannot list or delete experiments or deployments, or activate and deactivate deployed models. They cannot access the Qlik Predict section of the Administration activity center. |
| Curate content | Custom home | Allowed: Can customize the Insights Home page for all users. Not allowed: Can only customize their own home pages. For more information, see Customizing the Insights activity center Home. |
| Curate content | Public collections | Allowed: Can set any collection in the tenant to public or private. Not allowed: Cannot set any collection in the tenant to public or private. For more information, see Managing public collections. |
| Data products | Administer data products | Allowed: Users can access and manage all data products without space restrictions. Not allowed: Users cannot manage data products. |
| Data quality | Administer AI-based descriptions and suggestions | Allowed: Users can manage tenant settings for generating AI-based descriptions for any resources and any validation rule suggestions for datasets. They can access and manage AI generations without space restrictions. Not allowed: Users cannot manage AI generation settings. |
| Data quality | Administer semantic types | Allowed: Users can access and manage all semantic types. Not allowed: Users cannot manage semantic types. |
| Data quality | Administer validation rules | Allowed: Users can access and manage all validation rules without space restrictions. Not allowed: Users cannot manage validation rules. |
'In-app content download' permission: Additional details
The value assigned to a user for the In-app content download permission can affect their access to other Qlik Cloud features. The following sections break down the differences between the available options.
No data
The following apply for the No data option:
- Allows the user to add static charts to a report template using the Qlik add-in for Microsoft Excel.
- Provides full access to Insight Advisor Chat when it is accessed through Qlik Cloud or an external collaboration platform (for example, Microsoft Teams).
Allowed
The following apply for the Allowed option:
- Allows the user to add static charts to a report template using the Qlik add-in for Microsoft Excel.
- Provides full access to Insight Advisor Chat when it is accessed through Qlik Cloud or an external collaboration platform (for example, Microsoft Teams).
Not allowed
The following apply for the Not allowed option:
- The user cannot add static charts to a report template using the Qlik add-in for Microsoft Excel.
- The user will not see static charts in Insight Advisor Chat. The user will also not be able to see any visualizations when using Insight Advisor Chat through a collaboration platform (for example, Microsoft Teams). All other Insight Advisor Chat capabilities, such as natural language insights, will be available.