Self-Service and Secure Data: Can You Have Both?
Learn how you can provide true self-service to your users while ensuring your data stays secure with governance.
In my last post, we talked about setting up a Center of Excellence (COE) strategy to enable self-service for users, helping them find answers more quickly and freeing up IT.
Anuwat Raviwongse explained it’s about finding the right balance between how much responsibility the users will take on and what is best served by IT for everyone. But now that you have a strategy for each business unit, department and user group, you need to put that strategy into practice through governance.
Kehinde Barkley, one of Qlik Consulting’s experts on setting up security on Qlik, helped me understand that once the strategy is defined to specific roles and responsibilities, he then starts to apply the principles of “Attribute Based Access Control” (ABAC), authored by National Institute of Standards and Technology. In summary, when you apply protocols based on a user’s attributes, you can establish a secured data environment that enables self-service without extensive effort to facilitate the maintenance or growth of your organization.
But before we get into ABAC, Kehinde suggests to first review the levels of data security that should be considered. At the most basic level is setting up access to the platform – restricting which users should even be allowed on the site. Next, at least with Qlik, would be establishing who has authorization to the folder or stream level, then to the individual app level. Lastly, and potentially the most complex level, is setting up security intra-app – i.e. using Qlik’s section access to secure which rows of data a user can see based on their attributes.
Why be familiar with the levels of data security? Based on needs by user attribute, you may find most of your access control can be established through one of the first three levels that is simply about restricting access.
So, let’s go through an example. You’ve implemented a BI platform across multiple departments including executive, finance, and sales. How would this look using ABAC to set up governance?
- Platform – only the above teams have access, the procurement department does not.
- Folder – the executive and finance teams have access to all folders while the sales team can only see the sales folder.
- App – Inside the financial reporting folder, only the executives and senior finance leadership have access to the company P&L App while all of finance can access the balance sheet app.
- Intra-App – Inside the sales analytics app, the manager and sales people of the western territory can only access data that represents the sales performance for that region.
Using the above example, once you set up user attributes for the next new employee to be in the sales team as part of the western region, they would immediately have access to the platform, to the sales folder, and see data associated to the western territory in the sales analytics app. Let self-service begin!
Sounds simple, but the hardest part is back at the beginning – making sure you have defined the roles and responsibilities accurately, by user group and not by individual user. According to Kehinde, if you have to start changing rules for a single user or doing one-off exceptions, then you may need to go back to the drawing board and re-think the strategy. But, if you have set up ABAC properly, using the security capabilities already inherent in Qlik, not only will you save time and money from manually controlling security, but likely be well positioned to pass any audit.
If you want to learn more about data and security governance, or how Qlik Consulting can help you set it up to facilitate your organizational growth, visit qlik.com/consulting.