Scopes
To learn about access control in Qlik Cloud, read the access control overview.
Scopes are grouped into:
- Administrator scopes, which provide broad access to resources the user may not otherwise have access to in the user interface.
- User scopes, which provide access to resources the user already has direct access to.
The tables below outline which scopes are supported in which use cases (for example, for use in custom roles versus for use in OAuth). Some scopes are multi-purpose, and others may only be available in one place.
Scopes may also have child scopes, which are displayed as such in the user interface. A parent scope contains the same permissions as its child scopes, so if you select the parent, you do not also need to set the child. Child scopes are displayed with a ↳ and nested under the relevant parent scope.
Administrator scopes
These scopes permit administrator-level access.
For OAuth flows, the admin_classic scope permits broad administrator access to the tenant. Where possible, use a less permissive scope which grants access only to required administrative functions.
Scope Name | Description | OAuth | Custom Role | User Default |
---|---|---|---|---|
admin_classic | Full administrator access to your tenant | ✓ | ✗ | ✗ |
admin.ai-descriptions | Generate descriptions for any resource using AI, and give feedback about the result. | ✓ | ✓ | ✗ |
admin.aiplatform | Create a chat conversation with an LLM | ✓ | ✗ | ✗ |
admin.apps | Read and manage all apps in the tenant | ✓ | ✗ | ✗ |
↳ admin.apps:export | Export all apps in the tenant | ✓ | ✗ | ✗ |
↳ admin.apps:read | Read all apps in the tenant | ✓ | ✗ | ✗ |
admin.assistants | Read and manage all assistants | ✓ | ✗ | ✗ |
admin.automations | Read and manage all automations in the tenant | ✓ | ✗ | ✗ |
↳ admin.automations:read | Read all automations in the tenant | ✓ | ✗ | ✗ |
admin.automl-models:approve | Approve or reject all ML models in the tenant | ✗ | ✓ | ✗ |
admin.automl:full | Manage all ML experiments and deployments within Administration | ✗ | ✓ | ✗ |
admin.collections.publicgoverned | Create and update public collections | ✓ | ✓ | ✗ |
admin.csp | Description not available | ✗ | ✓ | ✗ |
admin.dataqualityrules | Create, update, read, list, delete, and manage validation rules. View validation results on data across all spaces. | ✓ | ✓ | ✗ |
admin.insightshome:edit | Curate content for better findability. | ✗ | ✓ | ✗ |
admin.knowledgebases | Read and manage all knowledge bases | ✓ | ✗ | ✗ |
admin.lakehouse-cluster | Create, edit, and operate lakehouse clusters | ✗ | ✓ | ✗ |
admin.semantictype | Read, list and delete semantic types | ✓ | ✓ | ✗ |
admin.spaces | Read and manage all spaces in the tenant | ✓ | ✗ | ✗ |
↳ admin.spaces:read | Read all spaces in the tenant | ✓ | ✗ | ✗ |
admin.users | Read and manage all users | ✓ | ✗ | ✗ |
↳ admin.users:read | Full read access to all users | ✓ | ✗ | ✗ |
admin.webhooks | Manage webhooks in the Administration activity center. | ✓ | ✗ | ✗ |
User scopes
These scopes permit user-level access to create and manage resources that the user has named access to, or owns.
For OAuth flows, the user_default scope permits broad user-level access to the tenant. Where possible, use a less permissive scope which grants access only to required content or functions.
Scope Name | Description | OAuth | Custom Role | User Default |
---|---|---|---|---|
user_default | Full access to your account and content | ✓ | ✗ | ✗ |
ai-descriptions | Generate descriptions for any resource using AI, and give feedback about the result. | ✓ | ✓ | ✓ |
api-keys | Create, view, update, and delete your own API keys. | ✗ | ✓ | ✓ |
app.share | Share apps with other users from shared and managed spaces. | ✓ | ✓ | ✓ |
apps | Read and manage your apps | ✓ | ✗ | ✗ |
↳ apps:export | Export your apps | ✓ | ✗ | ✗ |
↳ apps:read | Read your apps | ✓ | ✗ | ✗ |
apps.data:export | Download all app content or images and PDFs only, blocking data downloads. | ✓ | ✓ | ✓ |
↳ apps.image:export | Download app content as images and PDFs only | ✓ | ✓ | ✓ |
assistants | Read and manage assistants | ✓ | ✓ | ✓ |
↳ assistants:read | Basic query access to assistants | ✓ | ✓ | ✓ |
automations | Read and manage your automations | ✓ | ✗ | ✗ |
↳ automations:read | Read your automations | ✓ | ✗ | ✗ |
automations.shared | Read and manage your automations in shared spaces | ✓ | ✓ | ✓ |
automl-deployments | Read and manage your ML deployments | ✓ | ✓ | ✓ |
automl-deployments:predict | Run ML predictions directly with the APIs or with the Qlik Predict analytics connector | ✓ | ✓ | ✓ |
automl-experiments | Read and manage your ML experiments | ✓ | ✓ | ✓ |
automl-models:approve | Approve or reject ML models in spaces to which you have edit access | ✗ | ✓ | ✓ |
data-connections | Read and manage your data connections | ✓ | ✓ | ✓ |
↳ data-connections:read | Read your data connections | ✓ | ✓ | ✓ |
dataproduct | Create and manage data products | ✓ | ✓ | ✗ |
↳ dataproduct:consume | Read and list data products | ✓ | ✓ | ✓ |
dataquality | Compute and refresh data qualities | ✓ | ✓ | ✓ |
↳ dataquality:read | View data quality | ✓ | ✓ | ✓ |
dataqualityrules | Create, update, read, list, delete, and manage validation rules in datasets. View validation results on data. | ✓ | ✓ | ✗ |
↳ dataqualityrules:assign | Read, list, and apply validation rules. View validation results on data. | ✓ | ✓ | ✗ |
↳ dataqualityrules:consume | Read and list validation rules. View validation results on data. | ✓ | ✓ | ✓ |
dataset | Create, read, update, list, and delete datasets. | ✓ | ✗ | ✗ |
genericlink:all | Create, update, and use links within spaces. | ✗ | ✓ | ✓ |
identity.email:read | Read your email address | ✓ | ✗ | ✗ |
identity.name:read | Read your full name | ✓ | ✗ | ✗ |
identity.picture:read | Read your profile picture | ✓ | ✗ | ✗ |
identity.subject:read | Read your user subject identifier | ✓ | ✗ | ✗ |
knowledgebases | Read and manage knowledge bases | ✓ | ✓ | ✓ |
↳ knowledgebases:read | Read access to knowledge bases | ✓ | ✓ | ✓ |
knowledgebases:index | Index content in knowledge bases | ✓ | ✓ | ✓ |
knowledgebases:search | Search content in knowledge bases | ✓ | ✓ | ✓ |
lakehouse-cluster-moderator | Edit settings and operate lakehouse clusters | ✗ | ✓ | ✓ |
↳ lakehouse-cluster-viewer | View lakehouse clusters | ✗ | ✓ | ✓ |
lakehouse-cluster-operator | Stop, start, scale, and roll lakehouse clusters | ✗ | ✓ | ✗ |
learning-center:all | Learn more about Qlik features and capabilities. | ✗ | ✓ | ✓ |
lineage:create | Create lineage. | ✓ | ✗ | ✗ |
network-integration-viewer | View network integration | ✗ | ✓ | ✓ |
notes | Create and manage notes based on roles within the space. | ✗ | ✓ | ✓ |
offline_access | Access resources while you are offline | ✓ | ✗ | ✗ |
semantictype | Manage semantic types used for the data quality of datasets | ✓ | ✓ | ✓ |
↳ semantictype:read | Read and list semantic types | ✓ | ✓ | ✓ |
spaces.data | Read and manage your data spaces | ✓ | ✗ | ✗ |
↳ spaces.data:read | Read your data spaces | ✓ | ✗ | ✗ |
spaces.managed | Read and manage your managed spaces | ✓ | ✗ | ✗ |
↳ spaces.managed:read | Read your managed spaces | ✓ | ✗ | ✗ |
spaces.shared | Read and manage your shared spaces | ✓ | ✗ | ✗ |
↳ spaces.shared:create | Create shared spaces for collaboration. | ✓ | ✓ | ✗ |
↳ spaces.shared:read | Read your shared spaces | ✓ | ✗ | ✗ |
trustscore | Configure Qlik Trust Score™ axes and weights | ✓ | ✓ | ✓ |
users | Basic read access to users and management of your user preferences | ✓ | ✗ | ✗ |
↳ users:read | Basic read access to users | ✓ | ✗ | ✗ |
webhooks | Create and update webhooks using the webhooks API and automations UI. | ✓ | ✗ | ✓ |
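The parent/child rule and the advice to avoid admin_classic and user_default can be checked mechanically before a scope list goes into an OAuth client or custom role. The following is an added example, not Qlik code: it embeds a subset of the rows from the two tables above, and the function name, finding labels, and the "oauth"/"custom_role" keys are hypothetical. Parentage is taken from the ↳ nesting, not from the scope name, because knowledgebases:index is not listed as a child of knowledgebases.

```python
# Subset of the tables above: scope -> (parent or None, OAuth column, Custom Role column)
SCOPES = {
    "admin_classic":        (None, True, False),
    "admin.apps":           (None, True, False),
    "admin.apps:read":      ("admin.apps", True, False),
    "admin.automl:full":    (None, False, True),
    "user_default":         (None, True, False),
    "apps":                 (None, True, False),
    "apps:read":            ("apps", True, False),
    "apps.data:export":     (None, True, True),
    "apps.image:export":    ("apps.data:export", True, True),
    "knowledgebases":       (None, True, True),
    "knowledgebases:read":  ("knowledgebases", True, True),
    "knowledgebases:index": (None, True, True),  # not nested under a parent in the table
    "spaces.shared":        (None, True, False),
    "spaces.shared:create": ("spaces.shared", True, True),
    "api-keys":             (None, False, True),
}
# The two scopes the page describes as permitting broad access in OAuth flows.
BROAD = {"admin_classic", "user_default"}

def review_scopes(requested, use="oauth"):
    """Return (minimal_scopes, findings) for a requested scope list.

    use selects the table column: "oauth" or "custom_role" (hypothetical labels).
    """
    col = {"oauth": 1, "custom_role": 2}[use]
    wanted, findings = [], []
    for scope in dict.fromkeys(requested):       # de-duplicate, keep order
        if scope not in SCOPES:
            findings.append(("unknown", scope))
        elif not SCOPES[scope][col]:
            findings.append(("unsupported", scope))
        else:
            wanted.append(scope)
    minimal = []
    for scope in wanted:
        if SCOPES[scope][0] in wanted:           # parent already grants the child
            findings.append(("redundant", scope))
            continue
        if scope in BROAD:                       # kept, but flagged for review
            findings.append(("broad", scope))
        minimal.append(scope)
    return minimal, findings
```

A child is only reported as redundant when its parent is itself usable in the chosen column, so spaces.shared:create survives in a custom role even though spaces.shared does not.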