The security in Qlik Sense consists of many parts. In QMC, there is a system with security rules for almost everything you can do, not only data access; it also has the rights to change the setup or publish apps or sheets. This implies protection of the platform, that is, how the Qlik Sense platform itself is protected and how it communicates and operates.
However, security, as a concept, goes beyond that. So let's start from the beginning.
The two most basic concepts in security are authentication and authorization. Authentication answers this question: who is the user and how can the user prove it? Authorization answers this question: what does this specific user have access to, and what are they allowed to do?
In Qlik Sense, authentication and authorization are two distinct, unconnected actions. In addition, the sources of information used for authentication do not have to be the same as for authorization, and vice versa.
Qlik Sense uses standard authentication protocols (for example, Integrated Windows Authentication, HTTP headers, and ticketing) to authenticate every user requesting access. If you want a customized authentication, you can configure this in the proxy, but the details of this are outside the scope of this book.
Authorization is the procedure of granting or denying user access to resources, but this can be done on several levels:
- First, there is the administrator access control. Which rights are needed for the different roles and responsibilities of the administrators? This is controlled in the security rules as previously described.
- Secondly, there is the app level authorization: is the user allowed to access the app? Which functions in the app is the user allowed to use (for example, printing, exporting, and snapshots)?
Content security is a critical aspect of setting up and managing your Qlik Sense system. QMC enables you to centrally create and manage security rules for all your Qlik Sense resources. Security rules define what a user is allowed to do with a resource, for example, read, update, create, or delete.
Additionally, there is data reduction by a section access in the script. For example, with data level authorization, is the user allowed to see all of the data or just parts of it? The section access is an app-defined, data-driven security model, intimately connected with the data model. It allows the implementation of row- and field-level data security.
In data level authorization, the authentication information also exists in the data model (albeit in a hidden part of it). It could be, for example, a username.
The selection propagates to all the other tables in the standard QlikView manner, so that the appropriate records in all tables are excluded, wherein Qlik Sense reduces the scope for this user to only the possible records. This way, the user will only see data pertaining to the countries to which they are associated.
