Within security rules, Actions form the second part (out of four, see previous section, Attribute-Based Access Control) of the ACAB and determine what type of activity the user is permitted to perform on the defined resource. While read and write are common actions very familiar to traditional access control, Qlik Sense has extended them to many more, which, on one side, makes the security rules rich and powerful; but on the other side, complicated as well. This section will cover the different types of actions in Qlik's security rules and will discuss potential use cases where relevant. Each action applies to a specified resource, which forms the basis of how it can be utilized. 

Permissions on actions are applied to both the Qlik Management Console and the hub, as the following image shows:

• Create: Create allows the user to create the defined type of resources in the Qlik Sense hub or in the app itself. Creating resources is an integral part of the newly introduced self-service capability, where users can build their dashboards and analytics. While powerful, it is also IT's governance nightmare, especially in a production environment. The more create permission a user has, the stronger his ability to impact the Qlik Sense server by creating apps, sheets, and objects. Create is governance's worst enemy. In a locked-down environment, limited users have access to a create action. The exception is usually bookmarks and stories, which typically have a low effect on performance.

Create applies to the creation of all types of new resources in the QMC. This actions covers, but is not limited to, importing apps, duplicating apps, and copying and pasting app objects:

• Read: Read is the most basic and most important form of actions and permits the target user to view the underlying resource. It decides whether the object will be visible to a specific person or not. Read permission sits at the top of the hierarchy. Without it, the user might not be able to perform other actions, either, regardless of whether he was permitted to do so or not.
• Update: Update allows the user or admin (in the QMC context) to change/modify/update any type of attributes of an existing resource. This action covers elements in the QMC, as well as objects, sheets, and apps in the hub. It also includes reloading apps (by doing so, you are updating the data) or publishing apps by replacing existing ones.
• Delete: Delete is a straightforward action: it allows the requester to remove a resource from the Qlik Sense server.

• Export: The export action is only relevant in the QMC context and permits the administrator to export apps from the server. By exporting apps from the server, the user gets full access to the data and all app resources (excluding user and community sheets).
• Publish: Publish allows administrators to either deploy apps to a specified stream or a user to publish their personal sheets to the community sheets.
• Change owner: This action permits administrators to change the owners of a resource. Typically, every time a user creates a resource, he automatically becomes the owner of it. When you are the owner of an app, you usually enjoy additional permissions, including full read, update, and create actions. After a user has finished developing an app which is ready to be deployed to a production stream, it is common to transfer the ownership of the app to an administrator to restrict the access.
• Change role: This action applies in the QMC context and allows an administrator to change the security role of another user.
• Export data: Exporting data of a visualization or table is a frequent use case in dashboards. This action permits or prohibits users from exporting the underlying data. It's usually applied to control the way users consume the data and to prevent performance impacts on large underlying datasets.