The security in Qlik Sense consists of many parts. In the QMC, there is a system with security rules for almost everything you can do, not only data access. There are also rules to change the setup or rights to publish apps or sheets. This implies protection of the platform, that is, how the Qlik Sense platform itself is protected and how it communicates and operates.
However, security as a concept goes beyond that. So let's start from the beginning.
The two most basic concepts in security are authentication and authorization. Authentication answers the question, "Who is the user and how can the user prove it?" Authorization answers the question, "What does this specific user have access to, and what are they allowed to do?"
In Qlik Sense, authentication and authorization are two distinct, unconnected actions. In addition, the sources of information used for authentication do not have to be the same as for authorization, and vice versa.
Qlik Sense uses standard authentication protocols to authenticate every user requesting access, for example, Windows Integrated Authentication, HTTP headers, and ticketing. If you want a customized authentication, you can configure this in the proxy, but the details of this are beyond the scope of this book.
Authorization on the other hand, is the procedure of granting or denying user access to resources. A user perhaps has the right to see a resource or perhaps they don't. When it comes to data, the right to see data can be set with different granularity. A user may see an app or they may not; and once opened, the user may be restricted to see some parts of the app but not other parts.
Hence, authorization can be defined on several levels:
- Firstly, there is the administrator access control. Which rights are needed for the different roles and responsibilities of the administrators? This is controlled in the security rules as previously described.
- Secondly, there is app-level authorization. Is the user allowed to access the app? Which functions in the app is the user allowed to use, for example, printing, exporting, and creating snapshots?
- Thirdly, there is data-level authorization. Is the user allowed to see all of the data in the app or just parts of it?
Content security is a critical aspect of setting up and managing your Qlik Sense system. QMC enables you to centrally create and manage security rules for all your Qlik Sense resources. Security rules define what a user is allowed to do with a resource, for example, read, update, create, or delete.
Additionally, there is data reduction by a section access in the script that handles data-level authorization. The section access is an app-defined, data-driven security model, intimately connected with the data model. It allows the implementation of row- and field-level data security.
In data-level authorization, the authentication information also exists in the data model (albeit in a hidden part of it). It could be, for example, a username.
The selection propagates to all the other tables in the standard QlikView manner so that the appropriate records in all tables are excluded, wherein Qlik Sense reduces the scope for this user to only the possible records. This way, the user will only see data pertaining to the countries to which they are associated.
