Overview

Qlik Cloud provides several complementary mechanisms for controlling access to resources and capabilities. These combine to determine what an individual user - or an integration acting on behalf of a user - can see and do.

Think of access control in tiers:

1. Baseline permissions
2. OAuth client scopes (for integrations)
3. Content-level access

Baseline permissions: tenant-wide

Every user in a tenant begins with a baseline set of permissions that apply across the entire tenant:

1. Default user profile (“User defaults”)
   • All users automatically inherit any scopes assigned here.
   • Customized by a tenant administrator, using scopes enabled for user default.
   • In the UI these appear as permissions.
   • Example: grant all users the ability to create API keys.
2. System roles (default roles)
   • Built-in roles such as TenantAdmin, SharedSpaceCreator, or Steward.
   • Each role maps to a bundle of scopes which cannot be customized.
   • Role must be assigned to a user or group of users.
   • Example: assigning a user the TenantAdmin role grants nearly complete access to administrative functions on the tenant.
3. Custom roles
   • Created by tenant administrators, using the scopes enabled for custom roles.
   • In the UI these appear as permissions.
   • Role must be assigned to a user or group of users.
   • Example: Defining specific task-oriented roles such as giving certain users the ability to manage AI assistants across the tenant.

Together, user defaults, system roles, and custom roles define the tenant-wide baseline for each user.

OAuth client scopes (integration filtering)

When a user accesses Qlik Cloud through an OAuth integration:

• The OAuth client has its own set of granted scopes.
• The client’s scopes act as a filter: the user only has the intersection of their own permissions and the scopes assigned to the OAuth client.

This prevents an integration with limited scopes from accidentally gaining elevated privileges, even if the user themselves is an administrator.

Special cases:

• user_default: resolves to a dynamic set of all user scopes.
• admin_classic: resolves to a dynamic set of administrator scopes.

Learn more about OAuth and requesting scopes.

Content-level access

Above the baseline tenant-wide permissions, content access is governed by:

1. Space roles
   • Spaces are the primary containers for apps, data, automations, and other assets.
   • Roles such as Consumer, Contributor, or Operator determine what a user can do inside a space.
   • Example: A user may be a Consumer in the Finance space and a Contributor in the Marketing space.
   • Learn more about Working in spaces on Qlik Help.
2. Fine-grained access control
   • Individual assets (select resources such as Qlik Sense apps) can also be shared directly with users or groups with a restricted set of space roles.
   • Used for sharing content with anonymous users.
   • Learn more about Fine-grained access control and Sharing app content with anonymous access on Qlik Help.

How it all fits together

A user’s effective permissions are determined by:

• Default user profile, plus any roles assigned (default or custom).
• Filtered by OAuth client scopes when accessed through an integration.
• Combined with space roles and fine-grained sharing to allow or restrict access to content.

Users assigned administrative roles usually have broad permissions, and may be able to list or access content across spaces.

Regular users typically rely on space roles for their access, and may have only minimal tenant-wide permissions.

Where to go next

Learn:

• How to Create and manage groups, which simplify managing user permissions at scale.
• About the default roles available in your tenant.
• How to create and manage custom roles, and update the default user permissions.
• How to assign roles to users and groups.
• How to control access to spaces and content.
• About the available scopes in Qlik Cloud.