Security Rules: Attribute Based Access Control

Data analytics and Qlik Sense are all about creating content for yourself or a target audience: visualizations, data models, dashboards, sheets, bookmarks, and more technical elements like data connections. By onboarding business users onto the platform and inviting them to delve into self-service analytics, you, as an administrator, are creating the foundation for masses of content. Governing the content, objects, and apps is not only challenging but can also quickly get out of control if not correctly set up from the beginning. As security is not a binary setting in Qlik Sense, it has been hugely extended to serve all of the various use cases of content creation. To cater for all the use cases, and to allow for very bespoke and tailored setups of security settings and profiles, Qlik decided to offer a new way of managing security with Attribute-Based Access Control, abbreviated as ABAC.

ABAC is an access control paradigm which grants access rights through a collection of policies that can be combined using Boolean logic. Policies can use any kind of attribute, from user to resource attributes, including specific environments and more. The types of rights include various actions, which extend from reading to modifying and updating existing content. To keep things simple for the summary, a typical ABAC policy follows a principle that can be readily formulated into a sentence:

The sentence structure of a conventional ABAC policy: Allow a requester to perform an action on a resource, provided that a condition is true.

This usually results in creating multiple policies to manage the access rights to the content of a Qlik Sense infrastructure. Due to the complexity of setting up numerous policies, security rules need to be designed in advance, and they very often include the creation of security profiles/user roles. While very powerful, this is also a complex new feature which needs to be understood before you can start leveraging it. 
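The sentence structure above, modeled as an added Python example (not code from this chapter or from Qlik): several policies are evaluated, and a request is allowed when at least one policy's condition is true. The attribute names, policy names, sample users and resources, and the default-deny behavior are assumptions made for illustration, not Qlik Sense rule syntax.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable

@dataclass(frozen=True)
class Policy:
    name: str
    resource_filter: str   # glob over the resource type, e.g. "App*"
    actions: frozenset     # actions this policy can grant
    condition: Callable    # (user, resource, env) -> truthy when the grant applies

# Constructed policies: each reads as "allow a requester to perform <actions>
# on <resource_filter>, provided that <condition> is true".
POLICIES = [
    Policy("read-own-group-stream", "Stream", frozenset({"read"}),
           lambda u, r, e: r["name"] in u["groups"]),
    Policy("owner-manages-unpublished-app", "App*",
           frozenset({"read", "update", "delete"}),
           lambda u, r, e: r["owner"] == u["id"] and not r["published"]),
    Policy("read-published-app-internally", "App", frozenset({"read"}),
           lambda u, r, e: r["published"] and r["stream"] in u["groups"]
           and e["network"] == "internal"),
]

def evaluate(user, action, resource, env, policies=POLICIES):
    """Return the names of all policies that grant the request ([] = deny)."""
    granted = []
    for p in policies:
        if action not in p.actions:
            continue
        if not fnmatchcase(resource["type"], p.resource_filter):
            continue
        try:
            if p.condition(user, resource, env):
                granted.append(p.name)
        except KeyError:
            # A missing attribute means the condition is not proven true: no grant.
            continue
    return granted

def is_allowed(user, action, resource, env):
    return bool(evaluate(user, action, resource, env))

# Constructed sample data.
ALICE = {"id": "alice", "groups": ("Finance",)}
BOB = {"id": "bob", "groups": ("Sales",)}
PUBLISHED_APP = {"type": "App", "owner": "alice", "published": True, "stream": "Finance"}
DRAFT_APP = {"type": "App", "owner": "bob", "published": False, "stream": None}
FINANCE_STREAM = {"type": "Stream", "name": "Finance"}
INTERNAL, EXTERNAL = {"network": "internal"}, {"network": "external"}
```

Returning the names of the granting policies, rather than only a Boolean, makes it possible to see which policy was responsible for an access decision once several of them overlap.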

This chapter will focus on the fundamentals of security rules in Qlik Sense and elaborate on all their technical aspects in great detail. It will provide guidelines on how to design security user roles to better facilitate permissions and will conclude with some typical use cases and examples. It is recommended to use this chapter as a reference manual and look it up each time you are working with security rules. The following are the topics we will be covering in this chapter:

  • Attribute-Based Access Control
  • Administrator roles
  • Security rules resources
  • Security rules actions
  • Security rules conditions
  • Auditing security rules
  • Security rule use cases and examples

While it is expected that this part of Qlik Sense will remain reasonably unchanged in future releases, it is still recommended to supplement this chapter by also visiting the Qlik Sense online help page on security rules: http://help.qlik.com/en-US/sense/1.1/Subsystems/ManagementConsole/Content/ServerUserGuide/SUG_ConfiguringSecurity_AccessRules_Overview.htm.

Compared to creating visualizations or dashboards, security rules are a comparatively technical and, for some, a somewhat boring topic. It is, however, highly recommended to spend the required time to understand them, as the investment will quickly pay off when designing enterprise solutions with advanced security requirements.

Looking back to when I first started with Qlik Sense, I must admit that I had a bit of a tough journey with the security rules. They are very comprehensive, and there are no quick wins - if you don't want to bite yourself at a later time, you need to properly design the security rules from the beginning, especially when you have multiple projects and self-service users in your company. Once you understand their core concepts, they can then be set up reasonably quickly. Do yourself a favor and make sure you comprehend this chapter; you will thank me later.