Qlik Sense is a powerful analytics platform, but with great power comes the responsibility to secure your data. As organisations increasingly use Qlik Sense to analyse sensitive information, understanding how to control user access and protect data at various levels is essential. This article will guide you through the key aspects of securing your Qlik Sense applications using users, access rules and Section Access.
1. Understanding Security in Qlik Sense
Security in Qlik Sense operates on multiple layers:
- User Access: Who can access the Qlik environment and specific apps
- Access Rules: Which resources (streams, apps, sheets, spaces (cloud)) users can see or interact with
- Section Access: Controls access to data within the app itself, down to row and column level
Each layer plays a critical role in ensuring only the right people see the right data.
2. User Management in Qlik Sense
Before you can control what users see, you must manage who has access. User management typically relies on integrations with identity providers (like Active Directory or SAML) and users are authenticated before accessing the Qlik Sense environment. Best practices include:
- Only granting access to named users
- Leveraging group memberships for easier management
- Regularly reviewing and revoking unnecessary accounts
3. Access Rules: Governing Qlik Sense Resources
Access rules in Qlik Sense determine which resources a user can see or use. These are managed through the Qlik Management Console (QMC) or Qlik Cloud Administration interface. You can set up rules to:
- Allow users to access certain streams (collections of apps) or spaces (Qlik Cloud)
- Control app visibility based on roles or attributes
- Limit access to sheets, stories or data connections
Good access rule hygiene means using descriptive names, testing rules with different users, and regularly auditing rule effectiveness.
4. Section Access: Row and Column Level Security
While access rules determine if you can open an app, Section Access determines what data you see once inside. Section Access is configured in the app’s data load script and provides powerful data reduction capabilities.
What is Section Access
Section Access allows you to restrict data at the row or column level for different users or groups. Typical use cases include:
- Ensuring sales reps only see their region’s data
- Hiding salary information from non-HR users
- Enforcing regulatory requirements for data segregation
How Does Section Access Work
Section Access works by adding a special script section (usually at the top of your data load script) that defines which users or groups have access to which parts of the data.
4.1 Section Access in Qlik Sense On-Premise vs Qlik Cloud
While the logic and security concepts of Section Access are similar in both Qlik Sense on-premise and Qlik Cloud, there are some important technical differences, especially in how users are identified.
On-Premise (Qlik Sense Enterprise for Windows)
- User Identification: Section Access typically uses the USERID field, which is usually the Windows domain and username (e.g., DOMAIN\USERNAME)
- Example:
Section Access;
LOAD * INLINE [
ACCESS, USERID
ADMIN, AD_DOMAIN\ADMIN
USER, AD_DOMAIN\A
USER, AD_DOMAIN\B
];
Section Application;
- Tip: Always use uppercase field names in Section Access, and the values must match exactly the authenticated user information.
Qlik Cloud
- User Identification: In Qlik Cloud, Section Access uses the USER.EMAIL field (always uppercase), and user identification is based on the user's email address.
- Example:
Section Access;
LOAD * INLINE [
ACCESS, USER.EMAIL
ADMIN, michel.kluyskens@element61.be
USER, test1@element61.be
USER, test2@element61.be
];
Section Application;
- Important: Make sure the email addresses match the users' Qlik Cloud login and pay attention to case-sensitivity—Qlik Cloud treats email addresses as case-sensitive in Section Access.
What to watch for when migrating
- Field Name Change: In your Section Access script, replace USERID with USER.EMAIL when moving to Qlik Cloud
- Exact Match Required: Emails must match exactly with what’s configured in Qlik Cloud
- Other Logic: All other Section Access features, such as row-level (COUNTRY) or column-level (OMIT) security, work in the same way, just use email addresses instead of usernames
Example: Row-level Security in Qlik Cloud
Section Access;
LOAD * INLINE [
ACCESS, USER.EMAIL, COUNTRY
ADMIN, michel.kluyskens@element61.be, *
USER, test1@element61.be, BE
USER, test2@element61.be, NL
];
Section Application;
Example: Column-level Security in Qlik Cloud
Section Access;
LOAD * INLINE [
ACCESS, USER.EMAIL, COUNTRY, OMIT
ADMIN, michel.kluyskens@element61.be, *,
USER, test1@element61.be, BE,
USER, test2@element61.be, NL, PURCHASE_PRICE
];
Section Application;
4.2 Section Access for Row- and Column-level Security (General)
Section Access supports not just who can open the app, but also what data they can see, down to row and column level.
- For row-level security, add a column such as COUNTRY in the Section Access table and a matching column in your data
- For column-level security, add an OMIT column to list which fields to hide for certain users
Tips and Best Practices:
- All Section Access field names must be in UPPERCASE.
- In Qlik Cloud, user email addresses are case-sensitive.
- Test thoroughly. If you lock yourself out, use “Open Without Data” to recover.
- Use data sources like Excel, databases or security tables for Section Access definitions in production.
- Never use the same field names for system fields in your data model and Section Access.
- Make a backup before applying Section Access.
5. Business Case: Language Preference via Section Access
Section Access is not only for security, it can drive application personalization. For example, you can assign a default language to each user via Section Access and adapt the user interface accordingly.
Sample Section Access for Qlik Cloud:
Section Access;
LOAD * INLINE [
ACCESS, USER.EMAIL, LANGUAGE
ADMIN, michel.kluyskens@element61.be, FR
USER, test1@element61.be, EN
USER, test2@element61.be, NL
];
Section Application;
You can then use a variable like =only(LANGUAGE) in your app to show menus, fields, or values in the user’s preferred language.
6. Integrating Section Access with External Sources
You don’t have to hard-code user lists! Section Access can be loaded from:
- Excel files
- Databases (ERP, CRM, etc.)
- Any source Qlik can connect to
This makes it scalable and maintainable in enterprise environments.
7. Conclusion
Securing your Qlik Sense applications is not a one-time task; it’s an ongoing process. By properly managing users, access rules and Section Access, you ensure that sensitive data is only visible to the right people. A well-implemented security model protects your organisation, supports compliance and builds user trust in your analytics platform.
Need help implementing Section Access or auditing your Qlik Sense security? Contact us for expert advice or hands-on assistance.
