Scopes
Note
To learn about access control in Qlik Cloud, read the access control overview.
Scopes are grouped into:
- Administrator scopes, which provide broad access to resources the user may not otherwise have access to in the user interface.
- User scopes, which provide access to resources the user already has direct access to.
This table outlines which scopes are supported in which use cases (for example, for use in custom roles versus for use in OAuth). Some scopes are multi-purpose, and others may only be available in one place.
Scopes may also have child scopes, which are displayed as such in the user interface. A parent
scope of a child will contain the same permissions as the child, so if you select
the parent, you need not also set the child. Child scopes are displayed with a ↳
and nested under the relevant parent scope.
Note
Some scopes are only available depending on your subscription and enabled features.
Administrator scopes
These scopes permit administrator-level access.
Note
For OAuth flows, the admin_classic scope permits broad administrator access to the
tenant. Where possible, use a less permissive scope which grants access only to
required administrative functions.
| Scope Name | Description | OAuth | Custom Role | User Default |
|---|---|---|---|---|
| admin_classic | Full administrator access to your tenant | ✓ | ✗ | ✗ |
| admin.ai-descriptions | Manage tenant settings for generating AI-based descriptions for any resource and validation rule suggestions for datasets. Access and manage any generation without space restrictions. | ✓ | ✓ | ✗ |
| admin.aiplatform | Create a chat conversation with an LLM | ✓ | ✗ | ✗ |
| admin.apps | Read and manage all apps in the tenant | ✓ | ✗ | ✗ |
| ↳ admin.apps:export | Export all apps in the tenant | ✓ | ✗ | ✗ |
| ↳ admin.apps:read | Read all apps in the tenant | ✓ | ✗ | ✗ |
| admin.assistants | Read and manage all assistants | ✓ | ✗ | ✗ |
| admin.auth-settings | View and update authentication settings for a tenant, including session timeout settings. | ✓ | ✗ | ✗ |
| admin.automations | Read and manage all automations in the tenant | ✓ | ✗ | ✗ |
| ↳ admin.automations:read | Read all automations in the tenant | ✓ | ✗ | ✗ |
| admin.automations:strict | Manage all automations in the tenant. | ✗ | ✓ | ✗ |
| admin.automl-models:approve | Approve or reject all ML models in the tenant | ✗ | ✓ | ✗ |
| admin.automl:full | Manage all ML experiments and deployments within Administration | ✗ | ✓ | ✗ |
| admin.collections.publicgoverned | Create and update public collections | ✓ | ✓ | ✗ |
| admin.csp | Create, update, read, list, delete. | ✗ | ✓ | ✗ |
| admin.dataproduct | Access and manage any data products without space restrictions. | ✓ | ✓ | ✗ |
| admin.dataquality | Access and manage data quality settings without space restrictions. | ✓ | ✓ | ✗ |
| admin.dataqualityrules | Access and manage any validation rules without space restrictions. | ✓ | ✓ | ✗ |
| admin.direct-access-gateways:remote_configuration | View and modify Direct Access gateway settings | ✓ | ✗ | ✗ |
| admin.environments | Create, read, update, and delete environments. Allows linking environments to spaces. | ✗ | ✓ | ✗ |
| admin.extensions | Create, read, update, delete, and download extensions. | ✓ | ✓ | ✗ |
| admin.insightshome:edit | Curate content for better findability. | ✗ | ✓ | ✗ |
| admin.ip-policies | View and manage IP policies in the tenant, including creating, updating, and deleting them. | ✓ | ✗ | ✗ |
| admin.knowledgebases | Read and manage all knowledge bases | ✓ | ✗ | ✗ |
| admin.lakehouse-cluster | Create, edit, and operate lakehouse clusters | ✗ | ✓ | ✗ |
| admin.report-tasks | Manage report tasks and subscriptions, and read the associated templates and filters. | ✓ | ✗ | ✗ |
| admin.semantictype | Access and manage any semantic type. | ✓ | ✓ | ✗ |
| admin.spaces | Read and manage all spaces in the tenant | ✓ | ✗ | ✗ |
| ↳ admin.spaces:read | Read all spaces in the tenant | ✓ | ✗ | ✗ |
| admin.sprints | Access and manage all data stewardship sprints, without space restrictions. | ✓ | ✓ | ✗ |
| admin.themes | Create, read, update, delete, and download themes. | ✓ | ✓ | ✗ |
| admin.ui-config:edit | Configure tenant-wide user interface settings and available options, such as pinned links. | ✗ | ✓ | ✗ |
| admin.users | Read and manage all users | ✓ | ✗ | ✗ |
| ↳ admin.users:read | Full read access to all users | ✓ | ✗ | ✗ |
| admin.webhooks | Manage webhooks in the Administration activity center. | ✓ | ✗ | ✗ |
User scopes
These scopes permit user-level access to create and manage resources that the user has named access to, or owns.
Note
For OAuth flows, the user_default scope permits broad user level access to the
tenant. Where possible, use a less permissive scope which grants access only to
required content or functions.
| Scope Name | Description | OAuth | Custom Role | User Default |
|---|---|---|---|---|
| user_default | Full access to your account and content | ✓ | ✗ | ✗ |
| ai-descriptions | Generate AI-based validation rules for datasets and descriptions for any resource. | ✓ | ✓ | ✓ |
| analysis-agent | Lets users use Qlik Answers to analyse data, create charts, and gather insights from documents | ✓ | ✓ | ✓ |
| api-keys | Create, view, update, and delete your own API keys. | ✗ | ✓ | ✓ |
| app.share | Space owners and users with the ‘Can manage’ role can share applications with any group or user without adding them to the space. | ✓ | ✓ | ✓ |
| apps | Read and manage your apps | ✓ | ✗ | ✗ |
| ↳ apps:export | Export your apps | ✓ | ✗ | ✗ |
| ↳ apps:read | Read your apps | ✓ | ✗ | ✗ |
| apps:manage | Override automatic engine selection by assigning an engine size to applications. | ✓ | ✓ | ✗ |
| apps.data:export | Download all app content or images and PDFs only, blocking data downloads. | ✓ | ✓ | ✓ |
| ↳ apps.image:export | Download app content as images and PDFs only | ✓ | ✓ | ✓ |
| apps.report:all | Generate all types of reports, including in-app, API, scheduled, on-demand, and automated. Also manage filters, recipients, and tasks. Author report templates in add-ins and embedded designers. | ✓ | ✓ | ✓ |
| ↳ apps.report:export | Generate on-demand reports. | ✓ | ✓ | ✓ |
| assistants | Read and manage assistants | ✓ | ✓ | ✓ |
| ↳ assistants:read | Basic query access to assistants | ✓ | ✓ | ✓ |
| automations | Read and manage your automations | ✓ | ✗ | ✗ |
| ↳ automations:read | Read your automations | ✓ | ✗ | ✗ |
| automations.private | Read and manage automations in your personal space | ✓ | ✓ | ✓ |
| automations.shared | Read and manage your automations in shared spaces | ✓ | ✓ | ✓ |
| automl-deployments | Allow users to view and update ML deployments and run all predictions, run API and connector predictions only, or block access to ML deployments and predictions. | ✓ | ✓ | ✓ |
| ↳ automl-deployments:predict | Create predictions only | ✓ | ✓ | ✓ |
| automl-experiments | Read and manage your ML experiments | ✓ | ✓ | ✓ |
| ↳ automl-experiments:no_gen_ai_assist | Create and update ML experiments without any GenAI-assisted functions. | ✓ | ✓ | ✓ |
| automl-models:approve | Approve or reject ML models in spaces to which you have edit access | ✗ | ✓ | ✓ |
| classic_talend.audit_logs_view | Talend: View audit logs | ✗ | ✓ | ✗ |
| classic_talend.connection_create | Talend: Create connections | ✗ | ✓ | ✗ |
| classic_talend.connection_delete | Talend: Delete connections | ✗ | ✓ | ✗ |
| classic_talend.connection_read | Talend: View connections | ✗ | ✓ | ✗ |
| classic_talend.connection_share | Talend: Share connections | ✗ | ✓ | ✗ |
| classic_talend.connection_update | Talend: Update connections | ✗ | ✓ | ✗ |
| classic_talend.crawling_create | Talend: Create crawlers | ✗ | ✓ | ✗ |
| classic_talend.crawling_delete | Talend: Delete crawlers | ✗ | ✓ | ✗ |
| classic_talend.crawling_read | Talend: View crawlers | ✗ | ✓ | ✗ |
| classic_talend.crawling_update | Talend: Update crawlers | ✗ | ✓ | ✗ |
| classic_talend.custom_attribute_create | Talend: Add custom attributes | ✗ | ✓ | ✗ |
| classic_talend.custom_attribute_delete | Talend: Delete custom attributes | ✗ | ✓ | ✗ |
| classic_talend.custom_attribute_read | Talend: View custom attributes | ✗ | ✓ | ✗ |
| classic_talend.custom_attribute_update | Talend: Edit custom attributes | ✗ | ✓ | ✗ |
| classic_talend.dataset_advanced_search | Talend: Perform advanced dataset search | ✗ | ✓ | ✗ |
| classic_talend.dataset_api_manage | Talend: Manage APIs | ✗ | ✓ | ✗ |
| classic_talend.dataset_api_view | Talend: View APIs | ✗ | ✓ | ✗ |
| classic_talend.dataset_attributes_manage | Talend: Manage custom attributes of a dataset | ✗ | ✓ | ✗ |
| classic_talend.dataset_certify | Talend: Certify datasets | ✗ | ✓ | ✗ |
| classic_talend.dataset_create | Talend: Create datasets | ✗ | ✓ | ✗ |
| classic_talend.dataset_delete | Talend: Delete datasets | ✗ | ✓ | ✗ |
| classic_talend.dataset_download | Talend: Download datasets | ✗ | ✓ | ✗ |
| classic_talend.dataset_read | Talend: View datasets | ✗ | ✓ | ✗ |
| classic_talend.dataset_sample_update | Talend: Refresh sample | ✗ | ✓ | ✗ |
| classic_talend.dataset_schema_update | Talend: Set semantic type | ✗ | ✓ | ✗ |
| classic_talend.dataset_share | Talend: Share datasets with others | ✗ | ✓ | ✗ |
| classic_talend.dataset_tags_manage | Talend: Add or remove tags on datasets | ✗ | ✓ | ✗ |
| classic_talend.dataset_update | Talend: Update datasets | ✗ | ✓ | ✗ |
| classic_talend.execution_logs_delete | Talend: Delete execution logs | ✗ | ✓ | ✗ |
| classic_talend.rule_create | Talend: Create data quality rules | ✗ | ✓ | ✗ |
| classic_talend.rule_delete | Talend: Delete data quality rules | ✗ | ✓ | ✗ |
| classic_talend.rule_edit | Talend: Edit data quality rules | ✗ | ✓ | ✗ |
| classic_talend.rule_view | Talend: View data quality rules | ✗ | ✓ | ✗ |
| classic_talend.studio_entitlement_studio_developer | Talend: Develop in Studio and Publish to Cloud Management Console | ✗ | ✓ | ✗ |
| classic_talend.tapid_admin | Talend: Administrate API Designer | ✗ | ✓ | ✗ |
| classic_talend.tapid_definition_manage | Talend: Create and Edit API contracts | ✗ | ✓ | ✗ |
| classic_talend.tapid_definition_share | Talend: Share API contracts | ✗ | ✓ | ✗ |
| classic_talend.tapid_portal_manage | Talend: Create and Edit an API Portal | ✗ | ✓ | ✗ |
| classic_talend.tapit_project_manage | Talend: Create and Edit API scenarios | ✗ | ✓ | ✗ |
| classic_talend.tapit_project_share | Talend: Share API scenarios | ✗ | ✓ | ✗ |
| classic_talend.tdp_basic | Talend: Manage preparations and local datasets | ✗ | ✓ | ✗ |
| classic_talend.tdp_dataset_certify | Talend: Certify datasets | ✗ | ✓ | ✗ |
| classic_talend.tdp_dataset_perform_live | Talend: Manage live datasets | ✗ | ✓ | ✗ |
| classic_talend.tdp_full_run_perform | Talend: Export all data from preparations | ✗ | ✓ | ✗ |
| classic_talend.tdp_hybrid_management | Talend: Configure and activate Data Preparation Hybrid | ✗ | ✓ | ✗ |
| classic_talend.tdp_prep_version_create | Talend: Create preparation versions | ✗ | ✓ | ✗ |
| classic_talend.tdp_tcomp_use | Talend: Manage remote datasets | ✗ | ✓ | ✗ |
| classic_talend.tdq_semantic_type_create | Talend: Create semantic types | ✗ | ✓ | ✗ |
| classic_talend.tdq_semantic_type_delete | Talend: Delete semantic types | ✗ | ✓ | ✗ |
| classic_talend.tdq_semantic_type_edit | Talend: Edit semantic types | ✗ | ✓ | ✗ |
| classic_talend.tdq_semantic_type_list | Talend: List semantic types | ✗ | ✓ | ✗ |
| classic_talend.tdq_semantic_type_publish | Talend: Publish semantic types | ✗ | ✓ | ✗ |
| classic_talend.tdq_semantic_type_view | Talend: View semantic types | ✗ | ✓ | ✗ |
| classic_talend.tds_assigned_task_assign | Talend: Delegate tasks | ✗ | ✓ | ✗ |
| classic_talend.tds_assigned_task_data_update | Talend: Edit assigned tasks | ✗ | ✓ | ✗ |
| classic_talend.tds_assigned_task_metadata_update | Talend: Edit assigned tasks metadata | ✗ | ✓ | ✗ |
| classic_talend.tds_assigned_task_read | Talend: View assigned tasks | ✗ | ✓ | ✗ |
| classic_talend.tds_campaign_create | Talend: Add campaigns | ✗ | ✓ | ✗ |
| classic_talend.tds_campaign_delete | Talend: Delete campaigns | ✗ | ✓ | ✗ |
| classic_talend.tds_campaign_list | Talend: List campaigns | ✗ | ✓ | ✗ |
| classic_talend.tds_campaign_read | Talend: View campaigns | ✗ | ✓ | ✗ |
| classic_talend.tds_campaign_update | Talend: Edit campaigns | ✗ | ✓ | ✗ |
| classic_talend.tds_hybrid_management | Talend: Configure and activate Data Stewardship Hybrid | ✗ | ✓ | ✗ |
| classic_talend.tds_schema_create | Talend: Add data models | ✗ | ✓ | ✗ |
| classic_talend.tds_schema_delete | Talend: Delete data models | ✗ | ✓ | ✗ |
| classic_talend.tds_schema_list | Talend: List data models | ✗ | ✓ | ✗ |
| classic_talend.tds_schema_read | Talend: View data models | ✗ | ✓ | ✗ |
| classic_talend.tds_schema_update | Talend: Edit data models | ✗ | ✓ | ✗ |
| classic_talend.tds_task_assign | Talend: Assign tasks | ✗ | ✓ | ✗ |
| classic_talend.tds_task_create | Talend: Add tasks | ✗ | ✓ | ✗ |
| classic_talend.tds_task_delete | Talend: Delete tasks | ✗ | ✓ | ✗ |
| classic_talend.tds_task_history_delete | Talend: Delete task history | ✗ | ✓ | ✗ |
| classic_talend.tds_task_history_read | Talend: View task history | ✗ | ✓ | ✗ |
| classic_talend.tds_task_metadata_update | Talend: Edit tasks metadata | ✗ | ✓ | ✗ |
| classic_talend.tds_task_read | Talend: View tasks | ✗ | ✓ | ✗ |
| classic_talend.tds_task_read_by_external_id | Talend: View tasks using external ID | ✗ | ✓ | ✗ |
| classic_talend.tds_task_update | Talend: Edit tasks | ✗ | ✓ | ✗ |
| classic_talend.tds_unassigned_task_assign | Talend: Self-assign unassigned tasks | ✗ | ✓ | ✗ |
| classic_talend.tds_unassigned_task_read | Talend: View unassigned tasks | ✗ | ✓ | ✗ |
| classic_talend.tds_users_read | Talend: View users | ✗ | ✓ | ✗ |
| classic_talend.tmc_cloud_configuration_management | Talend: Manage cloud configurations | ✗ | ✓ | ✗ |
| classic_talend.tmc_cluster_management | Talend: Manage Remote Engines and Remote Engine clusters | ✗ | ✓ | ✗ |
| classic_talend.tmc_configuration_nexus_userlibs | Talend: Set up user libraries in the artifact repository | ✗ | ✓ | ✗ |
| classic_talend.tmc_connection_resource_edit | Talend: Edit connections and resources | ✗ | ✓ | ✗ |
| classic_talend.tmc_engine_use | Talend: View and use Remote Engines to run tasks | ✗ | ✓ | ✗ |
| classic_talend.tmc_environment_management | Talend: Manage environments | ✗ | ✓ | ✗ |
| classic_talend.tmc_group_management | Talend: Manage groups | ✗ | ✓ | ✗ |
| classic_talend.tmc_operator | Talend: Manage operations | ✗ | ✓ | ✗ |
| classic_talend.tmc_pipeline_management | Talend: Manage promotions | ✗ | ✓ | ✗ |
| classic_talend.tmc_project_management | Talend: Manage projects (including project authorizations) | ✗ | ✓ | ✗ |
| classic_talend.tmc_promotion_execution | Talend: Execute promotions | ✗ | ✓ | ✗ |
| classic_talend.tmc_role_management | Talend: Manage roles | ✗ | ✓ | ✗ |
| classic_talend.tmc_run_profile_management | Talend: Manage run profiles | ✗ | ✓ | ✗ |
| classic_talend.tmc_service_account_management | Talend: Manage service accounts | ✗ | ✓ | ✗ |
| classic_talend.tmc_sso_management | Talend: Configure single sign-on | ✗ | ✓ | ✗ |
| classic_talend.tmc_static_ip_management | Talend: Configure static IP addresses for Cloud Engines | ✗ | ✓ | ✗ |
| classic_talend.tmc_subscription_management | Talend: Access subscription information | ✗ | ✓ | ✗ |
| classic_talend.tmc_user_management | Talend: Manage users | ✗ | ✓ | ✗ |
| data-connections | Read and manage your data connections | ✓ | ✓ | ✓ |
| ↳ data-connections:read | Read your data connections | ✓ | ✓ | ✓ |
| dataproduct | Create, activate, update, or consume data products. | ✓ | ✓ | ✓ |
| ↳ dataproduct:consume | Read and consume data products. | ✓ | ✓ | ✓ |
| dataquality | Compute and read data qualities. | ✓ | ✓ | ✓ |
| ↳ dataquality:read | Read data quality. | ✓ | ✓ | ✓ |
| dataqualityrules | Create, update, or apply validation rules to datasets. | ✓ | ✓ | ✓ |
| ↳ dataqualityrules:assign | Read and apply validation rules to datasets. | ✓ | ✓ | ✓ |
| dataset | Create, read, update, list, and delete datasets. | ✓ | ✗ | ✗ |
| direct-access-gateways:consume_data | Load data via Direct Access gateway connectors | ✓ | ✗ | ✗ |
| discovery-agent | Create triggers for anomaly detection, serving user feeds with insights. | ✓ | ✓ | ✓ |
| discovery-agent:read | Allow users to consume and act on insights generated by the Discovery Agent in the activity center feed page. | ✓ | ✓ | ✓ |
| environments:read | Read access to environments where the user is a space member. | ✓ | ✗ | ✗ |
| genericlink:all | Create, update, and use links within spaces. | ✗ | ✓ | ✓ |
| geo-operations | Execute any geographic operation. | ✓ | ✓ | ✓ |
| ↳ geo-operations.limited | Allows all operations except geocoding | ✓ | ✓ | ✓ |
| glossary:all | Full access to glossaries and terms, including approving terms | ✓ | ✓ | ✓ |
| ↳ glossary:manage | Full access to glossaries and terms, except for approving terms | ✓ | ✓ | ✓ |
| ↳ glossary:update | Read access to glossary metadata and access to glossary terms | ✓ | ✓ | ✓ |
| governance-definition:read | Assign classifications to dataset fields and regulations to datasets | ✓ | ✓ | ✓ |
| help-agent | Lets users use Qlik Answers to find relevant product documentation. | ✓ | ✓ | ✓ |
| identity.email:read | Read your email address | ✓ | ✗ | ✗ |
| identity.name:read | Read your full name | ✓ | ✗ | ✗ |
| identity.picture:read | Read your profile picture | ✓ | ✗ | ✗ |
| identity.subject:read | Read your user subject identifier | ✓ | ✗ | ✗ |
| insight-advisor:experience | Lets users use Insight Advisor to analyse data and create charts. | ✗ | ✓ | ✓ |
| knowledgebases | Read and manage knowledge bases | ✓ | ✓ | ✓ |
| ↳ knowledgebases:read | Read access to knowledge bases | ✓ | ✓ | ✓ |
| knowledgebases:index | Index content in knowledge bases | ✓ | ✓ | ✓ |
| knowledgebases:search | Search content in knowledge bases | ✓ | ✓ | ✓ |
| lakehouse-cluster-moderator | Edit settings and operate lakehouse clusters | ✗ | ✓ | ✓ |
| ↳ lakehouse-cluster-viewer | View lakehouse clusters | ✗ | ✓ | ✓ |
| lakehouse-cluster-operator | Stop, start, scale, and roll lakehouse clusters | ✗ | ✓ | ✗ |
| learning-center:all | Learn more about Qlik features and capabilities. | ✗ | ✓ | ✓ |
| lineage:create | Create lineage. | ✓ | ✗ | ✗ |
| lineage:read | View lineage between assets | ✓ | ✓ | ✓ |
| mcp:execute | Lets users use the Qlik MCP server | ✓ | ✓ | ✗ |
| network-integration-viewer | View network integration | ✗ | ✓ | ✓ |
| notes | Create and manage notes based on roles within the space. | ✗ | ✓ | ✓ |
| offline_access | Access resources while you are offline | ✓ | ✗ | ✗ |
| pipelines-projects | Create, update, or view pipeline projects based on space access | ✗ | ✓ | ✓ |
| ↳ pipelines-projects:read | Read and list pipeline projects based on space access | ✗ | ✓ | ✓ |
| question:create | User who can access Insight Advisor from collaboration platforms. | ✗ | ✓ | ✗ |
| semantictype | Create, update, or assign semantic types to datasets. | ✓ | ✓ | ✓ |
| ↳ semantictype:read | Read and assign semantic types. | ✓ | ✓ | ✓ |
| space-requests:create | Allows users to request access to content. When set to ‘Not allowed,’ you can define a custom message in Administration > Settings. The message appears when users try to open content they don’t have permission to view and can direct them to the right team or process for requesting access. | ✗ | ✓ | ✓ |
| spaces.data | Read and manage your data spaces | ✓ | ✗ | ✗ |
| ↳ spaces.data:read | Read your data spaces | ✓ | ✗ | ✗ |
| spaces.managed | Read and manage your managed spaces | ✓ | ✗ | ✗ |
| ↳ spaces.managed:read | Read your managed spaces | ✓ | ✗ | ✗ |
| spaces.shared | Read and manage your shared spaces | ✓ | ✗ | ✗ |
| ↳ spaces.shared:create | Create shared spaces for collaboration. | ✓ | ✓ | ✗ |
| ↳ spaces.shared:read | Read your shared spaces | ✓ | ✗ | ✗ |
| sprints:all | Create, manage or contribute to sprints. | ✓ | ✓ | ✓ |
| ↳ sprints:contribute | Participate in data stewardship sprints as a sprint owner or data steward. Roles are assigned in the sprint settings. | ✓ | ✓ | ✓ |
| trustscore | Configure Qlik Trust Score™ axes and weights. | ✓ | ✓ | ✓ |
| users | Basic read access to users and management of your user preferences | ✓ | ✗ | ✗ |
| ↳ users:read | Basic read access to users | ✓ | ✗ | ✗ |
| webhooks | Create and update webhooks using the webhooks API and automations UI. | ✓ | ✓ | ✓ |
| write-table:external_read | Description not available | ✓ | ✗ | ✗ |
| write-table:full | Full access, creation and configuration of write table charts | ✗ | ✓ | ✓ |
| ↳ write-table:access | Read and write changes in write table charts | ✗ | ✓ | ✓ |