Syngenta Qlik Cloud Development Guidelines

SYNGENTA QLIK CLOUD

DEVELOPMENT GUIDELINES
Syngenta Qlik Cloud Platform Team

SEPTEMBER 3, 2024

Table of Contents
Introduction to Qlik cloud
How to Access Qlik Cloud in Syngenta
Syngenta Qlik Cloud Architecture & Tenant
App Development in Qlik Cloud
Spaces
Personal Space
Development Space
UAT Space
Production Space
Data Connection Space (Prod)
Space Permissions Overview
Data Connections Creation in Qlik Cloud
Guidelines for MIO Smartmart Connections creation in Qlik cloud
Guidelines for Smartsheet Connection in Qlik Cloud w.r.t REST API
Guidelines for Office 365 SharePoint Connection in Qlik Cloud
Guidelines for Local DB Data Connections Connection in Qlik Cloud w.r.t ODBC Drivers
Guidelines for SNOWFLAKE Data connection creation in Qlik Cloud Platform.
Creating a New App in Qlik Cloud
General App Development Best Practices
Qlik Visualization Best Practices: Qlik Native Objects vs 3rd Party Extensions
In-App Content
QSDA Pro – For App Optimization
Data Connections
Storing QVD Files
Script Considerations
Section Access Details
External Links
Permissions
Creating Links
Datasets
Supported File Types
Limitations

Internal Use Only


Adding Datasets from the Hub
Managing Data Sources in Spaces
Managing App Reloads in Qlik Cloud Production Tenant
Tenant Limitations
Reload Notifications
How to Monitor App Metadata, Usage, Reloads, User Access, Licenses
App Metadata
App Reloads
User Access
App Usage and License Assignments
Guidelines for Qlik SaaS storage on regional /domain team AWS S3 buckets.
Refer Table below for details about Teams and their AWS S3 Storage Bucket Name, AD Groups and I_AM Role. Select AWS role specific to your team in AWS console.
Guidelines for Qlik SaaS Mashups on AWS S3
Guidelines for Vizlib Writeback Table Setup for PostgreSQL DB
Qlik App Automations
Limitations
Access to Automations
Other Considerations
Qlik App Automation learning course
Automation Knowledge Sharing session recording
Applications Data or Report Distribution
Guidelines for Data Decryption in Qlik Cloud Platform
***This requires a Security Exception request, and a Corporate Security system update that takes place only on Fridays. Please plan your request accordingly.
LIVE layer Consumption Guidelines for Qlik cloud Platform
Appendix
Additional Qlik Cloud Resources


Introduction to Qlik cloud


Qlik Cloud is your gateway to powerful data analytics and visualization tools, all hosted in a
secure and scalable cloud environment. Whether you're a seasoned data analyst or new to the
world of analytics, Qlik Cloud is designed to help you unlock insights, make informed decisions,
and collaborate effectively with your team.
Key Features and Benefits:
• Interactive Visualizations: Explore your data through interactive charts, graphs,
and dashboards, enabling you to identify trends, patterns, and outliers with ease.
• Data Integration: Seamlessly integrate data from various sources such as
databases, spreadsheets, and cloud applications to create a comprehensive view for
analysis.
• Collaboration Tools: Share dashboards, analyses, and insights with team
members, fostering real-time collaboration and knowledge sharing.
• Scalability: Scale your analytics projects effortlessly with Qlik Cloud's flexible
infrastructure, accommodating small datasets to large volumes of data.
• Security and Compliance: Prioritize data security with robust measures such as
role-based access control, encryption, and compliance with data protection
regulations.

How to Access Qlik Cloud in Syngenta


Syngenta internal and external developers with a Syngenta NTID can access Syngenta Qlik Cloud through
the following Qlik Cloud tenant links:

• Syngenta Qlik Cloud Prod – For both development purposes and day-to-day
usage.

• Syngenta Qlik Cloud Non-Prod – For exploring new features and releases.

Syngenta customers (externals, distributors, resellers, etc.) can access Syngenta Qlik Cloud only via SFDC,
through its integration with the Syngenta Qlik Cloud External Tenant.


Syngenta Qlik Cloud Architecture & Tenant


App Development in Qlik Cloud

To create applications in Qlik Cloud, it is important to understand the Qlik Cloud space types, their use,
and the permissions assigned to developers and users for each space type.

Spaces
- Spaces are largely based on the existing streams in QSEoW.
- Organization of spaces:
o Shared space for development
o Managed space for UAT (as needed)
o Managed space for production

Personal Space
- This space contains content specific to the current user
- Use this space for prototyping before advancing to collaborative development in a
Shared space

Development Space
- Space type: Shared
- Naming convention: regional / domain team name – Development
▪ Example: Global DnA Commercial – Development
- 1 space per team
- This space will be used for all collaborative app development within a team/domain
- Apps will be promoted (published) from this space to a UAT space and/or a Production
space

UAT Space
- Space type: Managed
- Naming convention: regional / domain team name – UAT
▪ Example: Global DnA Commercial – UAT
- 1 space per group of apps as per business process/domain/sub-domain
- This space will contain apps published from the Development space, for the purpose of
UAT

Production Space
- Space type: Managed
- Naming convention: Region/Business Unit/Domain/Subdomain/Country – Space Name
▪ Example: APAC P&S – GPD , NA Seeds – P&S
- 1 space per group of apps as per business process/domain/sub-domain
- This space will contain production-ready apps published from the Development space
- End users will access the production apps within this space


Data Connection Space (Prod)


- Space type: Managed
- Naming convention: regional / domain team name – data connections
▪ Example: Global DnA Commercial – Connections – Smartmart Prod
▪ Example: Global DnA Commercial – Connections – Others
- 2 spaces per team (1 prod, 1 non-prod)
- This space will hold all prod data connections needed for the team/domain.

Script pattern for choosing the data connection by the space in which the app reloads:

    LET vSpaceName = GetSysAttr('spaceName');
    If '$(vSpaceName)' = ' DEV space' Then // change to match desired space
        // dev/shared version
        LIB CONNECT TO 'Global - Data Connections: MIO Smartmart Prod Copy ';
    Else
        // Production
        LIB CONNECT TO 'Global Flowers - Production Connection:GL Flowers MIO Smartmart Prod';
    End If

    // common sql statement....

This diagram depicts the SDLC as it relates to Qlik Sense app development. The flow is a one-way flow,
beginning with either a Personal space (for sandbox prototyping) or a Development space (for
collaborative development).


1) If beginning with Personal space, the app is moved into a Development (shared) space once the
initial prototyping is completed.
2) From the Development space, it may be published into a UAT (managed) space to perform UAT
functions.
3) If changes are required, the changes are made in the Development copy of the app in the shared
space. Then the app is published again into the UAT shared space, overwriting the previous UAT
copy.
4) Once the app is validated and signed-off, the app can be published from the Development
(shared) space into the Production (managed) space.
5) New enhancements will start with step 2 (working in the development copy)

Notes:

- Since this is a one-way flow, that means apps cannot be duplicated from a managed space back
into a shared space. Thus, it is very important to always keep a version of the app in a shared
space. The development copy always acts as the source of the latest version of the app. This
also implies that apps cannot be duplicated from one managed space to another managed
space.
- The “Can publish” role is required for developers to publish apps into managed spaces (UAT and
Prod).

Space Permissions Overview

The space permissions are listed at the link below, under the section “SaaS Space and Permissions”.

https://syngenta.sharepoint.com/:x:/r/sites/DDATeam/_layouts/15/Doc.aspx?sourcedoc=%7B13503314-07A2-4AF9-ABA9-2027DA98934B%7D&file=Qlik%20SaaS%20Development%20Team%20Onboarding%20Checklist.xlsx&action=default&mobileredirect=true

It is strictly recommended NOT to use the “Anyone at Production” space permission in the SaaS Prod
tenant in any space (Development/UAT/Managed).

It is also recommended NOT to add the following AD groups as members of spaces: AllUsers_SSO, All Users.
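
One way to check a space inventory against the two recommendations above and the space types defined earlier (Development is shared, UAT is managed). This is an added example, not part of the original guideline or of Syngenta's tooling. The record layout (`name`, `type`, `members`) and the group names in the sample are assumptions; the sample inventory is constructed.

```python
"""Audit space membership against the guideline's recommendations (added example)."""
import re
from typing import NamedTuple

# Principals the guideline says not to grant on any space (compared case-insensitively).
FORBIDDEN_PRINCIPALS = {"anyone at production", "allusers_sso", "all users"}

# Space type the guideline assigns to each stage suffix of a space name.
EXPECTED_TYPE = {"development": "shared", "uat": "managed"}

# "<team> <dash> <stage>"; accept en dash, em dash or hyphen as the separator.
STAGE_SUFFIX = re.compile(r"\s[\u2013\u2014-]\s*(development|uat)\s*$", re.IGNORECASE)


class Finding(NamedTuple):
    space: str
    rule: str
    detail: str


def _norm(text):
    """Collapse whitespace and case so 'All  Users' matches 'all users'."""
    return " ".join(text.split()).casefold()


def audit_spaces(spaces):
    """Return findings for a list of space records.

    Each record is a dict with keys name, type and members, where members is a
    list of {"principal": str, "roles": [str, ...]} (assumed export layout).
    """
    findings = []
    for space in spaces:
        name = space["name"]
        # Rule 1: a Development space must be shared, a UAT space managed.
        match = STAGE_SUFFIX.search(name)
        if match:
            expected = EXPECTED_TYPE[match.group(1).lower()]
            if _norm(space["type"]) != expected:
                findings.append(Finding(
                    name, "space-type",
                    f"expected {expected}, found {space['type']}"))
        # Rule 2: no tenant-wide or catch-all principals in any space.
        for member in space["members"]:
            if _norm(member["principal"]) in FORBIDDEN_PRINCIPALS:
                roles = ", ".join(member["roles"]) or "no roles"
                findings.append(Finding(
                    name, "broad-principal",
                    f"{member['principal']} ({roles})"))
    return findings


# Constructed sample inventory; space names follow the guideline's examples,
# the AD group names GL_DnA_Developers and APAC_PS_Publishers are made up.
SAMPLE_SPACES = [
    {"name": "Global DnA Commercial – Development", "type": "shared",
     "members": [{"principal": "GL_DnA_Developers", "roles": ["Can edit"]}]},
    {"name": "Global DnA Commercial – UAT", "type": "shared",
     "members": [{"principal": "AllUsers_SSO", "roles": ["Can view"]}]},
    {"name": "APAC P&S – GPD", "type": "managed",
     "members": [{"principal": "Anyone at Production", "roles": ["Can view"]},
                 {"principal": "APAC_PS_Publishers", "roles": ["Can publish"]}]},
]

if __name__ == "__main__":
    for f in audit_spaces(SAMPLE_SPACES):
        print(f"{f.space}: [{f.rule}] {f.detail}")
```
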


Data Connections Creation in Qlik Cloud


Guidelines for MIO Smartmart Connections creation in Qlik cloud

1. Technical user credentials specific to each regional/domain development team are created for
MIO Prod system connections in Qlik Cloud. These connections are created only by the
Qlik Cloud Platform team. Please log an INC in SNOW if you need a Production system connection.
For example, see below.

2. Personal/individual account credentials are to be used for MIO Non-Prod system connections.
All developers are expected to have their own named MIO SmartMart Prod Copy and MIO SmartMart
Test connections (authenticated with individual developer credentials) for development in
Qlik SaaS. This applies to all development teams and self-service users.
Please reach out to the SaaS Platform team for details.

*MIO Prod Copy as a system is being deprecated by Aug 13th, 2024. Please create new
connections to the MIO Test system with the “Prod_MIO” database, keeping the same naming
convention as for MIO Prod Copy, to leverage Production data for development in Qlik Cloud.
The steps are as follows.

a. If developers do not already have a user ID/credentials for SMARTMART MIO Prod Copy and
SMARTMART MIO Test, the process to get them is as follows.

▪ Follow the Self-Service template.

https://syngenta.service-now.com/nav_to.do?uri=%2Fcom.glideapp.servicecatalog_cat_item_view.do%3Fv%3D1%26sysparm_id%3D79aac8fd373b8600bad6148543990e9b

▪ The credentials are created by the AWS Platform team, and the process is largely
automated.


b. The naming convention for a named data connection is as follows. Developers should replace
NT ID with their own user ID in the connection name.

o MIO_Smartmart_Prod_Copy_NT ID
o MIO_Smartmart_TEST_NT ID

c. Each developer will have access to create MIO Prod Copy and MIO Test connections
under their team’s data connection space. Please create your own named credentials
under the respective data connection space only.

d. Steps to be followed to create MIO Prod copy / MIO test connection in Qlik SaaS Prod
Tenant.

e. Proceed to "Add new" and choose "Data Connection" under the "Add new data" section.

e. Specify the Data Connection Space where you intend to establish the Data connection.


f. Look up "ODBC" in Data Connections and opt for the ODBC (via Direct Access gateway).

g. Configure the settings as illustrated in the screenshot. Input the connection string,
username, and password as highlighted below.

a. Select “Qlik-Data-Gateway-Development()” under Direct Access Gateway.

b. Select “ODBC driver” and ODBC source as “Amazon Redshift (x64)”.

c. Connection String: Copy the string provided below and paste it into the Data
Connection.

Server=rs-db-test.smartmart.syngentaaws.org;Database=prod_mio;Port=5439;QueryProcessingModes=SingleRowMode;SingleRowMode=1;UseDeclareFetch=0;UseMultipleStatements=0;Fetch=100;ArraySize=10000;MaxVarcharSize=262144;useBulkReader=true


Note: Please use "true" or "false" in the useBulkReader property according to your old Amazon Redshift
data connections.

d. Input your User ID and Password in the Value box as shown above. Click on the
“+” symbol to add an additional row for the Password input value box.

h. Perform the following actions:

a. Choose "MIO Amazon Redshift" under SQL syntax.

b. Tick the box for “Allow non-SELECT queries”.

i. Use following naming convention for Data connection Name:


MIO_Smartmart_Prod Copy__s*******

Include your NTID in the connection name.

3. Qlik Mymart Redshift cluster limitations and resolutions are documented in the JIRA
Confluence page below: Redshift Datashare - Data & Analytics - Confluence (atlassian.net)

Guidelines for Smartsheet Connection in Qlik Cloud w.r.t REST API

In Qlik Cloud, we can fetch Smartsheet data via the REST API connector. The structure of the data
presented by the REST API is more normalized than the ODBC driver in QSP/QST, so we’ve created a
simple/reusable script to make the data fetching easy and consistent across developers.

Prerequisites:

- The developer must have “Can consume” permissions on the “Global Data Connections” space

- A REST API must be configured with the following specifications:

o URL = https://api.smartsheet.com/2.0/sheets
o Method = GET
o Authentication Schema = Anonymous
o Query Header
▪ Name = Authorization
▪ Value = Bearer [your-token-goes-here]
▫ The token is specific to a Smartsheet user and should be treated as confidential.
If other Smartsheet data needs to be fetched under different accounts, then
multiple REST API connections should be created with their respective tokens.
o Check the box for "Allow WITH CONNECTION"

Connection naming convention: regional / domain team name – Smartsheet

Once the prerequisites are satisfied, simply do the following:

1) Open an existing app or create a new one.

2) Insert the following two lines into your script:

$(must_include=lib://Global Data Connections:DataFiles/Smartsheet_Load_Script.qvs);

Call LoadSmartsheetData('space-name:data-connection-name', 'sheetId-goes-here');

3) Notice there are 2 parameters in the `LoadSmartsheetData` function:


a. The first parameter should be the fully qualified name of the data connection (in the format
[space]:[data conn name]).

b. The second parameter should be the SheetId you want to pull from Smartsheet. Note: this is
an integer ID, not the “permalink” version of an ID. You may need to look in Smartsheet to get
the correct SheetId to provide.

4) Run your script and begin analyzing the data.

Additional thoughts:

- Two tables, [Fact] and [Dim Sheet], will be created from the LoadSmartsheetData() subroutine.
Ensure no tables with these names already exist before calling that script.

- After the Call statement, it is safe to rename the two resulting tables as needed.

- More than one Smartsheet can be loaded into an app, but you will need to take care that there
are no conflicting field names between all tables generated by the subroutine. (Might need to
perform some aliasing in a subsequent resident load...)

If you would prefer to use the generic REST connector, a good sample script to start from can be found
here: https://community.qlik.com/t5/Integration-Extension-APIs/Load-Script-for-REST-Connector-to-Smartsheet/td-p/2022890

Guidelines for Office 365 SharePoint Connection in Qlik Cloud

1. Add New, Select “Data connection”.


2. Select the highlighted Data source.

3. Select the respective project space created for Data Connections instead of Personal.

Example: Considering the below URL:

https://syngenta.sharepoint.com/sites/DDATeam/Shared%20Documents/Forms/AllItems.aspx?newTargetListUrl=%2Fsites%2FDDATeam%2FShared%20Documents&viewpath=%2Fsites%2FDDATeam%2FShared%20Documents%2FForms%2FAllItems%2Easpx&viewid=04e9b67c%2D58a1%2D4394%2Dafd2%2D1a71ba77fb67

Base URL: https://syngenta.sharepoint.com/

Site/Subsite Path: sites/DDATeam


Tenant : common

Prompt/ consent level: select_account

4. Click on “Authenticate”, which will redirect to Login page.

5. Copy the Authentication code and click on Verify.


6. Click on “Test Connection” to validate and create.

Name Convention format: regional / domain team name – Sharepoint

Guidelines for Local DB Data Connections Connection in Qlik Cloud w.r.t ODBC Drivers
The Connection needs to be reviewed w.r.t D&A Architecture Group Approval. POC is:
[email protected]

Once Approval is in Place, it will be created in Qlik SaaS.

Guidelines for SNOWFLAKE Data connection creation in Qlik Cloud Platform.


Following Pre-requisites at SNOWFLAKE end MUST be completed before requesting
SNOWFLAKE data connection creation in Qlik Cloud


1. The connection must be created via the Direct Access Gateway.

2. Enter the details of the Snowflake server.


3. Once the above details are entered, please hit “Authenticate” button.

4. It will redirect you to login page as below.

5. Please click on “Sign in using SyngentaAzureAD”.


6. It will authorize and generate a token which needs to be copied in the Data Connection to
verify.

7. Copy the code and paste it to verify.

8. Once the code is verified, authentication succeeds with a token that expires after
10 minutes.


9. Upon completion, click “Test connection”.

10. Once the connection is successful, create the Data Connection in below Naming format.

Global/Regional/Country_CP/SEEDs_Domain/Subdomain – Project name

Creating a New App in Qlik Cloud

You must have a Professional license before you can create new Qlik Sense apps. Request this license
from the platform team. To create a new app, click on “New analytics app” from the “add new” menu
at the top of the hub.

- For prototype apps, choose “Personal” from the space drop-down.


- For collaborative development, choose the appropriate shared space from the drop-down.
o Must have “Can edit” and/or “Can edit data in all apps” role(s) within the desired shared
space. Contact the platform team or the owner of the space to get this authorization.

To upload an existing app (qvf file), click the “Upload app” button and follow the same steps as above
for space assignment.


General App Development Best Practices


Using QSDA Pro is always a good idea to understand where there may be opportunities for improving
your app, whether it be in the data model or in the front end. Here are some examples of things to keep
in mind while developing to ensure a well-performing app (this list is not comprehensive):

- Strive for star-schema data model when possible


- Drop unused fields from the data model
- Resolve synthetic keys and circular references
- Autonumber() keys to reduce symbol size in memory, and don’t use keys as data in the front end
- Be cognizant of how much data you’re loading (ex. do you really need 10 years of data?)
- Keep image sizes to a minimum to reduce network traffic (< 1 MB)
- Leverage Section Access for row and column level security
- Check out some of these tips by Qlik for designing your front-end objects: Best Practices for
Designing Visualizations
- Less is more: keep your solutions simple and slowly add complexity only as needed.

Qlik Visualization Best Practices: Qlik Native Objects vs 3rd Party Extensions

It is always advisable to leverage Qlik native objects whenever possible. This includes the Qlik
Visualization Bundle and the Qlik Dashboard Bundle. These native objects are built and fully supported
by Qlik, so we can ensure they will work as the Qlik Cloud platform evolves over time.

Please refer to the document, Qlik Product Manager session recording, and Qlik Community blog below
for the latest on Qlik visualizations:

Qlik Cloud Visualization Update New_Jan2024.pptx (sharepoint.com)

Qlik RnD - Monthly PM Session June 2024 - What’s New in Visualization

Qlik Introduces a New Era of Visualization - Qlik Community - 2449556

Feedback on custom CSS:

• Using custom CSS allows you to go beyond what is possible natively.
• Not using custom CSS means waiting until the desired feature is available natively, which
takes time (if it ever comes at all).
• Qlik does not recommend using custom CSS by default.
• At the same time, it is not a taboo topic; it is rather “you can, but be aware of”.

Vizlib objects are also acceptable to use. Syngenta has adopted Vizlib as an alternative 3rd party
visualization extension library to supplement the existing Qlik native visualization options. While Vizlib
is a strong Qlik Partner, we must recognize that any issues encountered with Vizlib objects must be
raised with Vizlib; Qlik does not provide direct customer support for 3rd party extensions.


In-App Content
In QSEoW (QSP), there was the Content Library, where various content could be uploaded (images,
other file assets, etc). In Qlik Cloud, there is no such central library. Any asset that is required by an app
must be uploaded to the app's Media Library.

The following steps can be taken to upload app assets:

1) First (do one of these)


a. In the app overview, click in the app details area and click on the thumbnail.
b. If you are editing a sheet, double-click the text & image visualization to open the editing
toolbar and click .
c. In storytelling view, click in the toolbar and then select an image.
2) The Media library dialog opens and now you can upload images.

QSDA Pro – For App Optimization


This document provides instructions for using QSDA Pro, a Code Analyzer and Profiler for Qlik Sense.

Please go through the document link below for better App optimization techniques.

QSDA Pro - SaaS Version.pdf

Apps should be optimized as best as possible to fit within the RAM limits of Qlik Cloud (5 GB base, 15 GB
peak reload).

Please refer to Qlik’s documentation for the most up-to-date information on limitations:
https://help.qlik.com/en-US/cloud-services/Subsystems/Hub/Content/Sense_Hub/Introduction/qcs-specs-capacity-QSESaaS-QSB.htm#anchor-3

Data Connections
- Space-specific data connections – developers of the space can access/use.
- One new data space for common/shared data connections – all developers can access.
- Existing data connections (from on-prem) will have the same name in cloud.
o Decide: Same or new naming convention for new connections in cloud?
- On-prem data sources can be accessed by creating new data connections with Data
Gateway. Data Gateway connectivity to be configured by the platform team, targeting a
common data space where all Qlik developers will have access.
- Cloud/public data connections can be created without the use of Data Gateway.
- If the same data connection is used by 2 or more spaces (but not completely common to all
developers), create the data connection with the same name in both spaces. Apps should
reference the data connection via relative location (see script considerations below).
- Developing in Personal/Shared space with prod data connections – no issue when publishing
to managed space.


- Developing in Personal/Shared space with a Test data connection – conditional logic is needed
to determine which data connection to use based on the space in which the app is
reloading. (See page 22, “Context Aware Apps”, of Qlik’s SDLC document: QSE SaaS SDLC
v1.0.pdf)

Storing QVD Files


- Storage layer will be S3 buckets (not storing files directly in Spaces). This is to achieve better
flexibility, governance/security, and ability to leverage sub-folder directory structures.
- To minimize any discrepancies and merging of folders between on-prem and cloud during
phase 2 of the migration project, the same exact folder structure should be recreated in S3
buckets as exists in the on-prem file servers, with one bucket for the dev directory
structure and one for production.

Script Considerations
- The scripting syntax in cloud is largely the same as QSEoW, but with one notable difference:
the ability to specify spaces in the lib statements.
o QSEoW: lib://my_data_folder/subfolder/file.qvd
o Cloud
▪ Direct space access:
lib://space:my_datafolder/subfolder/file.qvd
▪ Relative space access: lib://:my_data_folder/subfolder/file.qvd
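
A small checker for the three `lib` forms listed above, as an added example (not part of the original guideline). It classifies each `lib://` path and `LIB CONNECT TO` name in a load script as unqualified, direct-space or relative, and reports direct references to spaces outside an allow-list. The allow-list parameter and the sample script are assumptions constructed from names that appear in this document.

```python
"""Classify lib:// and LIB CONNECT TO references in a Qlik load script (added example)."""
import re
from typing import NamedTuple

# First path segment of a lib:// reference: everything up to the first '/'.
LIB_PATH = re.compile(r"lib://([^/\]\)'\";]*)", re.IGNORECASE)
# Connection name of a LIB CONNECT TO statement, quoted or bracketed.
LIB_CONNECT = re.compile(
    r"\bLIB\s+CONNECT\s+TO\s+(?:'([^']*)'|\[([^\]]*)\])", re.IGNORECASE)
# '//' starts a line comment unless it is the '//' of 'lib://' (or any '://').
# Block comments (/* ... */) are not handled in this example.
LINE_COMMENT = re.compile(r"(?<!:)//.*$")


class LibRef(NamedTuple):
    line: int
    kind: str        # "unqualified", "direct" or "relative"
    space: str       # explicit space name, "" when none is given
    connection: str


def _classify(line_no, qualified):
    """Split '[space]:connection' on the first colon and label the form."""
    space, sep, conn = qualified.partition(":")
    if not sep:
        return LibRef(line_no, "unqualified", "", space.strip())
    if not space.strip():
        return LibRef(line_no, "relative", "", conn.strip())
    return LibRef(line_no, "direct", space.strip(), conn.strip())


def find_lib_refs(script):
    """Return every lib reference in the script, in order of appearance."""
    refs = []
    for line_no, raw in enumerate(script.splitlines(), start=1):
        code = LINE_COMMENT.sub("", raw)
        for m in LIB_PATH.finditer(code):
            refs.append(_classify(line_no, m.group(1)))
        for m in LIB_CONNECT.finditer(code):
            name = m.group(1) if m.group(1) is not None else m.group(2)
            refs.append(_classify(line_no, name))
    return refs


def hard_coded_spaces(script, allowed_spaces=()):
    """Direct-space references whose space is not on the allow-list."""
    allowed = {s.casefold() for s in allowed_spaces}
    return [r for r in find_lib_refs(script)
            if r.kind == "direct" and r.space.casefold() not in allowed]


# Constructed sample script using connection names quoted in this document.
SAMPLE_SCRIPT = """\
// old include, now disabled: lib://Legacy Space:DataFiles/old.qvs
$(must_include=lib://Global Data Connections:DataFiles/Smartsheet_Load_Script.qvs);
LIB CONNECT TO 'Global Flowers - Production Connection:GL Flowers MIO Smartmart Prod';
Sales: LOAD * FROM [lib://:my_data_folder/subfolder/file.qvd] (qvd);
Budget: LOAD * FROM [lib://my_data_folder/subfolder/budget.qvd] (qvd); // QSEoW form
"""

if __name__ == "__main__":
    for ref in find_lib_refs(SAMPLE_SCRIPT):
        print(ref)
    print("flagged:", hard_coded_spaces(SAMPLE_SCRIPT, ["Global Data Connections"]))
```
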

Section Access Details


The Qlik SA Scheduler account needs to be part of the Section Access file to perform scheduled reloads
in a Managed space.

Access | User ID | Email | User Name
ADMIN | INTERNAL\SA_SCHEDULER | [email protected] | Qlik Internal Scheduler/Interface

External Links
You can add links to useful content into the cloud hub. You might have apps in a deployment of Qlik
Sense Enterprise on Windows, useful Qlik Sense mashups that are relevant to members of specific
spaces, or even SharePoint site content that you want quick access to from within the hub. You could
add links to that content in the relevant spaces.

Access to content in the links is controlled by the destination. A member who has access to the link in
the current space but does not have permission to access the linked content will be unable to view the
linked content.

Permissions
Tenant and analytics admins can add links to the cloud hub. Other users can add links to spaces where
they have the Owner or Can manage role.

Internal Use Only



Creating Links
1) Click Add new > Create link.

2) To add an image to the link, drag and drop an image file or click Browse and navigate to the file.
3) Under Name, enter the name for the link.
4) Under Link URL, add the URL.
5) Under Space, select the destination space for the link.
6) Under Description, optionally enter a description of the link.
7) Under Tags, optionally add tags for the link.
8) Click Create.

To change the space a link is in, click , select Move, and select a new space.

Datasets
You can upload data files to Qlik Sense, which are stored in Qlik Cloud. Qlik Sense automatically adds an
additional layer of metadata to uploaded data files, creating datasets. You can also create datasets for
tables from existing data connections in the hub.

The metadata added to a dataset enables you to use additional Qlik Sense tools for managing your data
in the hub, including catalog tools and other resources. For more information on cataloging, see
Understanding your data with catalog tools.

Supported File Types


- Text files: Data in fields must be separated by delimiters such as commas, tabs, or semicolons.
For example: comma-separated variable (CSV) files.
- HTML tables
- Excel files
- XML files
- Qlik native QVD and QVX files
- Apache Parquet files
- Fixed record length files
- Data Interchange Format (DIF) files: DIF files can only be loaded with the data load editor.
- Geographic data files:
o GEOJSON
o ESRIJSON
o GML
o KML
o SHPZIP
o DXF

Limitations
Data files can be up to 100 GB. However, when uploading very large data files (over 6 GB), you might
experience constraints with engine capacity. These constraints are more likely to be encountered with
QVD data files due to the memory usage necessary to load QVD files into the engine. For more
information about increasing the capacity available, refer to the Large App section of this document.

Adding Datasets from the Hub


1) Click Add new and select Dataset.

2) Click Upload data file.


3) Drag and drop your data files into the Add file dialog. Alternatively, click Browse and navigate
to your data files.
4) Select a destination space for the files.
5) Click Upload. Alternatively, to create an app from your dataset immediately, click Upload and
analyze.

Managing Data Sources in Spaces


You can view the available datasets and data sources in a space by clicking Space details and selecting
Data sources.

In Data sources, you can do the following:

- Add datasets and data connections


- Duplicate datasets
- Move datasets
- Delete datasets and data connections

Shared space members with Owner, Can manage, Can edit, and Can edit data in apps roles can manage
data sources in that space. Managed space members with Owner or Can manage permission can
manage data sources in that space. Space members with the Can consume data role can view data
sources in the space, and they can consume the data sources where they have permission to create
apps.

The full official Qlik documentation on datasets can be found here: https://help.qlik.com/en-US/cloud-services/Subsystems/Hub/Content/Sense_Hub/Spaces/managing-data-resources-spaces.htm


Managing App Reloads in Qlik Cloud Production Tenant

Reloads can be performed in the following ways in the Qlik Cloud Production tenant:

➢ Development apps (in a Shared or Personal space) should be reloaded only by opening the app
and reloading it from within the app. This is categorized as an “In-App” reload
and does not occupy tenant concurrent schedules.
See the example shown below.

➢ UAT apps (Managed space) should be reloaded via the Hub only, using the “Reload now” option
when needed. This is categorized as a “Hub” reload and occupies tenant
concurrent reloads, so use it only when needed. Do not create an app
schedule (“Reload schedule”) for UAT apps.
See the example shown below.

➢ Production apps (Managed space) are reloaded only via app schedules, which are created only by
the Qlik platform team using “Reload schedule”. These occupy tenant
concurrent reloads, so schedules are created only after thorough review by the Qlik platform
team. There is no exception to this rule/setup. Please submit your production app
schedule requests to the Qlik platform team via INC #.
See the example shown below.

The following measures have been put in place by the Qlik platform team to ensure platform
resources are used effectively across the tenant, as it is a global tenant used by all
development teams.

➢ The Qlik platform team reviews app schedules closely on a daily basis and reaches out to
application owners wherever needed for app schedule optimization and right scheduling.

➢ A Qlik Cloud Platform Housekeeping Automation is in place and is scheduled to run
daily in the Qlik Cloud Prod tenant to do the following:
o Delete app schedules from Personal and Development spaces daily. No
exceptions apply here, except for self-service users based on a business case.
o Delete app schedules from the UAT managed space every Friday at 17 CET. Should you need
an exception for a longer UAT duration, please reach out to me with the app ID, the duration
of the exception needed, and the business justification.

- If a task fails continuously more than 5 times, the task is disabled automatically.

Tenant Limitations
- Max of 30 concurrent reloads across the entire tenant.
- Max 40 GB RAM for scheduled/hub reloads (large apps: up to 3x purchased capacity with 240
GB cap)
- 3-hour maximum duration (enforced by Qlik Cloud)
- 30-minute maximum duration (enforced by Syngenta)

Please refer to this link for the latest Qlik Cloud limits: https://help.qlik.com/en-US/cloud-services/Subsystems/Hub/Content/Sense_Hub/Introduction/qcs-specs-capacity-QSESaaS-QSB.htm#anchor-3
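
The reload rules and limits above can be checked mechanically against reload history. The following is an added example, not the platform team's housekeeping automation: the record layout, app names and timestamps are constructed, and only the thresholds (30 minutes, 30 concurrent reloads, more than 5 consecutive failures) come from this document.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_MINUTES = 30        # Syngenta reload duration limit
MAX_CONCURRENT = 30     # tenant-wide concurrent reload limit
MAX_FAIL_STREAK = 5     # more than 5 failures in a row disables the task
# Reload types the guideline permits per space category.
ALLOWED = {"development": {"in-app"}, "uat": {"hub"}, "production": {"scheduled"}}


def at(hhmm):
    """Timestamp on one constructed day."""
    return datetime.strptime("2024-09-03 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed records: (app, space category, reload type, start, end, status).
RELOADS = [
    ("hr-dev", "development", "in-app", at("08:00"), at("08:10"), "ok"),
    ("hr-dev", "development", "scheduled", at("09:00"), at("09:05"), "ok"),
    ("fin-uat", "uat", "hub", at("09:00"), at("09:45"), "ok"),
    ("fin-uat", "uat", "scheduled", at("09:30"), at("09:40"), "ok"),
    ("ops-prod", "production", "scheduled", at("09:40"), at("09:50"), "ok"),
] + [
    ("sales-prod", "production", "scheduled",
     at("01:00") + timedelta(hours=i), at("01:05") + timedelta(hours=i), "failed")
    for i in range(6)
]


def wrong_reload_type(reloads):
    """Reloads whose type is not the one permitted for their space category."""
    return [(app, space, kind) for app, space, kind, *_ in reloads
            if kind not in ALLOWED[space]]


def over_duration(reloads, limit=MAX_MINUTES):
    """(app, minutes) for every reload that ran longer than the limit."""
    found = []
    for app, _space, _kind, start, end, _status in reloads:
        minutes = int((end - start).total_seconds() // 60)
        if minutes > limit:
            found.append((app, minutes))
    return found


def tasks_to_disable(reloads, limit=MAX_FAIL_STREAK):
    """Apps whose scheduled reload failed more than `limit` times in a row."""
    streak, flagged = defaultdict(int), []
    for app, _space, kind, _start, _end, status in sorted(reloads, key=lambda r: r[3]):
        if kind != "scheduled":
            continue
        streak[app] = streak[app] + 1 if status == "failed" else 0
        if streak[app] > limit and app not in flagged:
            flagged.append(app)
    return flagged


def peak_concurrency(reloads):
    """Highest number of hub/scheduled reloads running at the same moment."""
    events = []
    for _app, _space, kind, start, end, _status in reloads:
        if kind == "in-app":  # in-app reloads do not occupy tenant concurrent schedules
            continue
        events += [(start, 1), (end, -1)]
    running = peak = 0
    for _when, delta in sorted(events):  # at equal times, -1 sorts before +1
        running += delta
        peak = max(peak, running)
    return peak


if __name__ == "__main__":
    print("wrong type:", wrong_reload_type(RELOADS))
    print("over 30 min:", over_duration(RELOADS))
    print("to disable:", tasks_to_disable(RELOADS))
    print("peak:", peak_concurrency(RELOADS), "of", MAX_CONCURRENT)
```
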

Reload Notifications
You may want to receive notifications for reload failures. The easiest way to enable failure notifications
is to do the following:

- Navigate to the desired Space.
- Click Space details on the right side of the screen.
- Click Notifications.
- Expand the Apps section.
- Check one or more of the boxes next to “A reload of an app in this space failed”.
o Hover your mouse over the different icons to see the different delivery methods for
these notifications (hub notification, mobile push notification, email, daily email digest).


Important note: you must be assigned a role within the space as an individual user. If your space
permissions exist only through group inheritance, then you will not receive notifications.

If any app reload exceeds 30 minutes, the app owner, space owner, and SaaS team will receive an email
alert containing information about the latest reload. This email alert is generated via an Automation
managed by the platform team.


How to Monitor App Metadata, Usage, Reloads, User Access, Licenses


Qlik provides a selection of monitoring apps which are installed in our Qlik Cloud tenant. The following
monitoring apps are available in the Monitoring Apps space.

App Metadata
App Analyzer: provides a comprehensive dashboard to analyze application metadata across a Qlik Sense
tenant(s). This is like the App Metadata app in QSEoW (QSP), showing various statistics and properties
of Qlik Sense apps.

App Reloads
Reload Analyzer: provides a comprehensive dashboard to analyze application reloads including
application lineage across a Qlik Sense tenant.

User Access
Access Evaluator: a comprehensive dashboard to analyze user roles, access, and permissions across a
Qlik Sense tenant. This tool is useful in investigating which users have access to which content and how
(via group or via individual assignment).

App Usage and License Assignments


Entitlement Analyzer: provides a comprehensive dashboard to analyze entitlement (license)
consumption and assignments across Qlik Sense tenant(s). Also good for showing general app usage
over time, etc.


Guidelines for Qlik SaaS storage on regional/domain team AWS S3 buckets

Steps to Access S3 Bucket from AWS Management Console

Log in to MyApps: https://myapplications.microsoft.com

Open the app AWS-EUC1-PROD.

You will be presented with a list of AWS roles. Select the AWS role specific to your team. Details of the AWS
roles are in the table below.


Refer to the table below for details about teams and their AWS S3 storage bucket names, AD groups and I_AM
roles. Select the AWS role specific to your team in the AWS console.

AWS Account | Create S3 Bucket | AD Group | I_AM Role | Regional SPOC
890777704747 | syngenta-qliksaas-filestore-apac-dna-commercial | AWS-EUC1-890777704747-apac-dna-commercial | QlikSaaS-apac-dna-commercial | Manish Kumar, Adwin Ong
890777704747 | syngenta-qliksaas-filestore-commercial-excellence | AWS-EUC1-890777704747-commercial-excellence | QlikSaaS-commercial-excellence | Abhishek Muley
890777704747 | syngenta-qliksaas-filestore-corp-functions-dna | AWS-EUC1-890777704747-corp-functions-dna | QlikSaaS-corp-functions-dna | Ambarish Bhattacharya
890777704747 | syngenta-qliksaas-filestore-dna-gl-cp-pns | AWS-EUC1-890777704747-dna-gl-cp-pns | QlikSaaS-dna-gl-cp-pns | Swapnil Patil
890777704747 | syngenta-qliksaas-filestore-eame-cp | AWS-EUC1-890777704747-eame-cp | QlikSaaS-eame-cp | Kerem Seyid
890777704747 | syngenta-qliksaas-filestore-gl-commercial-dna | AWS-EUC1-890777704747-gl-commercial-dna | QlikSaaS-gl-commercial-dna | Venkatesh Chowdhary
890777704747 | syngenta-qliksaas-filestore-gl-digital-marketing | AWS-EUC1-890777704747-gl-digital-marketing | QlikSaaS-RnDCP-gl-digital-marketing | Kaloyan/Casper
890777704747 | syngenta-qliksaas-filestore-global-flowers | AWS-EUC1-890777704747-global-flowers | QlikSaaS-global-flowers | Kerem Seyid
890777704747 | syngenta-qliksaas-filestore-gpd-pns | AWS-EUC1-890777704747-gpd-pns | QlikSaaS-gpd-pns | Trupti Mety
890777704747 | syngenta-qliksaas-filestore-nacp | AWS-EUC1-890777704747-nacp | QlikSaaS-nacp | Srinivas Aremanda, Mike Altman
890777704747 | syngenta-qliksaas-filestore-rndcp-productsafety | AWS-EUC1-890777704747-productsafety | QlikSaaS-RnDCP-ProductSafety | Divya Shastri
890777704747 | syngenta-qliksaas-filestore-rndcp-smartreport | AWS-EUC1-890777704747-RnDCP-SmartReport | QlikSaaS-RnDCP-SmartReport | Marcel Heitz
890777704747 | syngenta-qliksaas-filestore-rndcp-veeva | AWS-EUC1-890777704747-veeva | QlikSaaS-RnDCP-Veeva | Goutham Sunkari
890777704747 | syngenta-qliksaas-filestore-eame-seeds | AWS-EUC1-890777704747-eame-seeds | QlikSaaS-Eame-Seeds | Shanatnu Gupta, Thierry Guerry
890777704747 | syngenta-qliksaas-filestore-global-vegetables | AWS-EUC1-890777704747-global-vegetables | QlikSaaS-global-vegetables | Tatiane Tomazi
890777704747 | syngenta-qliksaas-filestore-mdm | AWS-EUC1-890777704747-MDM | QlikSaaS-mdm | S Pradeep Kumar
890777704747 | syngenta-qliksaas-filestore-agronomy | AWS-EUC1-890777704747-agronomy | QlikSaaS-agronomy | Sandeep Pasunuri
890777704747 | syngenta-qliksaas-filestore-latam-br-seeds | AWS-EUC1-890777704747-latam-br-seeds | QlikSaaS-latam-br-seeds |
890777704747 | syngenta-qliksaas-filestore-latam-br-synap | AWS-EUC1-890777704747-latam-br-synap | QlikSaaS-latam-br-synap |
890777704747 | syngenta-qliksaas-filestore-hr-ops | AWS-EUC1-890777704747-hr-ops | QlikSaaS-hr-ops | Neugent Sandi USGR

After selecting the appropriate AWS role, you will enter the AWS Management Console. In the AWS
Management Console, search for the S3 service.

In AWS S3, you will be presented with a list of buckets. Select the S3 bucket specific to your team. Refer
to the table above for more details.


• AWS S3 is the primary location for Qlik SaaS data. QVDs, flat files and Section Access files will be
stored on AWS S3.
• Inside the buckets, Business Developers will be given Read, Write, Modify, Delete and Create Folder
access.
• Access to the S3 buckets is controlled through Windows AD groups.
• To get access to the S3 buckets, contact the AD group owner mentioned in Table 1.
• The recommendation is to keep the folder structure in the S3 bucket in sync with the existing
folder structure of repository-qvp in Qlik Sense On-Premise. This will ensure minimal changes
are required in the migration (Phase 2) of apps from On-Premise to Qlik SaaS.


Guidelines for Qlik SaaS Mashups on AWS S3

Steps to Access S3 Bucket from AWS Management Console

Log in to MyApps: https://myapplications.microsoft.com

Open the app AWS-EUC1-PROD.

You will be presented with a list of AWS roles. Select the AWS role specific to your team. Details of the AWS
roles are in the next table.


• Mashups are created using a variety of web technologies such as HTML, CSS, and JavaScript, and can be
hosted in an AWS S3 bucket as a static website.
• Bucket name: qlik-mashup.syngenta.com
• The qlik-mashup.syngenta.com bucket will have folders for 17-20 different businesses.
• Each folder will have a unique I_AM role to restrict the access of Business Developer AD groups to that
specific folder only.
E.g. AD group Qlik-SaaS-Admin will have access to folder Qlik-SaaS-Admin of S3 bucket
qlik-mashup.syngenta.com in AWS account 890777704747.
The I_AM role for this AD group will be QlikSaaSAdmin.
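
Restricting a role to one folder, as described above, comes down to scoping its policy to that folder's key prefix. The sketch below is an added example and not Syngenta's actual role definitions: it builds a prefix-scoped policy document beside a bucket-wide one and compares them with a simplified evaluator (Allow statements and StringLike conditions only, an assumption of this example rather than AWS's full evaluation logic).

```python
from fnmatch import fnmatchcase

BUCKET = "qlik-mashup.syngenta.com"   # bucket name from the text above
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
FOLDERS = ["NACP", "EAME-CP", "MDM", "LATAM-CP"]   # folder names listed on this page


def folder_policy(folder, bucket=BUCKET):
    """Policy for one team's role: list and touch objects under <folder>/ only."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListOwnFolder", "Effect": "Allow",
             "Action": ["s3:ListBucket"],
             "Resource": [f"arn:aws:s3:::{bucket}"],
             # Without this condition the role could list every team's keys.
             "Condition": {"StringLike": {"s3:prefix": [f"{folder}/*"]}}},
            {"Sid": "ObjectsInOwnFolder", "Effect": "Allow",
             "Action": OBJECT_ACTIONS,
             # The trailing "/" keeps "NACP" from matching "NACP-old/...".
             "Resource": [f"arn:aws:s3:::{bucket}/{folder}/*"]},
        ],
    }


def bucket_wide_policy(bucket=BUCKET):
    """The weak variant: same actions, but on every key in the bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListWholeBucket", "Effect": "Allow",
             "Action": ["s3:ListBucket"],
             "Resource": [f"arn:aws:s3:::{bucket}"]},
            {"Sid": "ObjectsAnywhere", "Effect": "Allow",
             "Action": OBJECT_ACTIONS,
             "Resource": [f"arn:aws:s3:::{bucket}/*"]},
        ],
    }


def is_allowed(policy, action, resource, context=None):
    """Simplified check: Allow statements, exact actions, '*' wildcards, StringLike."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if not any(fnmatchcase(resource, pat) for pat in stmt["Resource"]):
            continue
        like = stmt.get("Condition", {}).get("StringLike", {})
        # A condition key missing from the request context never matches.
        if all(any(fnmatchcase(context.get(key, ""), pat) for pat in pats)
               for key, pats in like.items()):
            return True
    return False


def reachable_folders(policy, folders=FOLDERS, bucket=BUCKET):
    """Folders in which the policy would allow writing an object."""
    return [f for f in folders
            if is_allowed(policy, "s3:PutObject", f"arn:aws:s3:::{bucket}/{f}/index.html")]


if __name__ == "__main__":
    print("scoped role reaches:", reachable_folders(folder_policy("NACP")))
    print("bucket-wide role reaches:", reachable_folders(bucket_wide_policy()))
```
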

Refer to the table below for details about teams and their AWS S3 mashup bucket folders, AD groups and
I_AM roles. Select the AWS role specific to your team in the AWS console.

AWS Account | Folder in Bucket qlik-mashup.syngenta.com | AD Group | I_AM Role
890777704747 | NACP | AWS-EUC1-890777704747-nacp | QlikSaaS-nacp
890777704747 | DNA-GL-CP-PNS | AWS-EUC1-890777704747-dna-gl-cp-pns | QlikSaaS-dna-gl-cp-pns
890777704747 | GPD-PNS | AWS-EUC1-890777704747-gpd-pns | QlikSaaS-gpd-pns
890777704747 | Commercial-Excellence | AWS-EUC1-890777704747-commercial-excellence | QlikSaaS-commercial-excellence
890777704747 | Global-Flowers | AWS-EUC1-890777704747-global-flowers | QlikSaaS-global-flowers
890777704747 | EAME-CP | AWS-EUC1-890777704747-eame-cp | QlikSaaS-eame-cp
890777704747 | Corp-Functions-DNA | AWS-EUC1-890777704747-corp-functions-dna | QlikSaaS-corp-functions-dna
890777704747 | GL-Commercial-DNA | AWS-EUC1-890777704747-gl-commercial-dna | QlikSaaS-gl-commercial-dna
890777704747 | RnDCP-SmartReport | AWS-EUC1-890777704747-RnDCP-SmartReport | QlikSaaS-RnDCP-SmartReport
890777704747 | APAC-DNA-Commercial | AWS-EUC1-890777704747-apac-dna-commercial | QlikSaaS-apac-dna-commercial
890777704747 | RnDCP-Veeva | AWS-EUC1-890777704747-Veeva | QlikSaaS-RnDCP-Veeva
890777704747 | RnDCP-ProductSafety | AWS-EUC1-890777704747-ProductSafety | QlikSaaS-RnDCP-ProductSafety
890777704747 | RnDCP-OnTrack_PTE | AWS-EUC1-890777704747-RnDCP-OnTrack_PTE | QlikSaaS-RnDCP-OnTrack_PTE
890777704747 | Gl-Digital-Marketing | AWS-EUC1-890777704747-gl-digital-marketing | QlikSaaS-gl-digital-marketing
890777704747 | EAME-Seeds | AWS-EUC1-890777704747-eame-seeds | QlikSaaS-Eame-Seeds
890777704747 | Global-Vegetables | AWS-EUC1-890777704747-global-vegetables | QlikSaaS-global-vegetables
890777704747 | MDM | AWS-EUC1-890777704747-MDM | QlikSaaS-mdm
890777704747 | Agronomy | AWS-EUC1-890777704747-agronomy | QlikSaaS-agronomy
890777704747 | LATAM-BR-Seeds | AWS-EUC1-890777704747-latam-br-seeds | QlikSaaS-latam-br-seeds
890777704747 | LATAM-BR-Synap | AWS-EUC1-890777704747-latam-br-synap | QlikSaaS-latam-br-synap
890777704747 | LATAM-CP | AWS-EUC1-890777704747-LATAM-CP | QlikSaaS-LATAM-CP
890777704747 | LATAM-SE | AWS-EUC1-890777704747-LATAM-SE | QlikSaaS-LATAM-SE

Guidelines for Vizlib Writeback Table Setup for PostgreSQL DB


https://syngenta.sharepoint.com/:w:/r/sites/DDATeam/Shared%20Documents/DDA%20Visualization%20Team/Qlik%20Platform/QlikSense%20SaaS%20Migration/Phase%200%20-%20%20Strategy%20and%20Tenant%20Set%20up/Qlik%20SaaS%20-%20Vizlib%20Writeback%20User%20Document.docx?d=wd775d134919745fc86b5adf245b8e797&csf=1&web=1&e=tO5lJG

Qlik App Automations


Qlik Automations provide a no-code visual interface that helps you easily build automated analytics and
data workflows. An automation is a sequence of actions and triggers that runs like a program. It can be a
simple workflow that collects information from one application and passes it to another, or it can be an
end-to-end pipeline that takes you from raw data to active intelligence. Automations let you automate
your analytics environment, create data-driven workflows, and embed data and analytics into your
business processes.

Qlik’s official documentation on Automations can be found here: https://help.qlik.com/en-US/cloud-services/Subsystems/Hub/Content/Sense_QlikAutomation/introduction/getting-started.htm

It is highly recommended that you experiment with Automations in the Non-Prod tenant before building
them in the Prod tenant, especially if you are new to the functionality.

Limitations
As of 2023-10-13, here are some of the limitations imposed on Automations:

- 1 concurrent run per automation
- 10 or more concurrent overall runs per tenant (determined by Syngenta’s license)
- API call timeout: 55 seconds
- Max execution time: 4 hours
- Execution history retention: 30 days

The most current list of limitations can be found here: https://help.qlik.com/en-US/cloud-services/Subsystems/Hub/Content/Sense_QlikAutomation/introduction/platform-limitations.htm

Access to Automations
Please submit a request to the platform team to enable access to Automations for your profile.

Other Considerations
As of 2023-10-13, these are some things to be aware of as you develop your first automations:


- Automations only exist within your Personal space; they cannot be published to a Shared or
Managed space.
- Multi-person development (collaboration) is not possible. Ownership of the automation must
be first transferred from one developer to another.
- Some automations require “Connections”. These are not to be confused with “Data
Connections” as used by Qlik Sense applications. As with Automations, these Connections are
only available for use by their owner – they cannot be shared.
- Any automation requiring the SMTP (email) connector will be managed by the platform team, as
the credentials for the SMTP account are confidential.

Qlik App Automation learning course


Course: Using Qlik Application Automation

Automation Knowledge Sharing session recording


https://syngenta.sharepoint.com/:v:/r/sites/DDATeam/Shared%20Documents/DDA%20Visualization%20Team/Qlik%20Platform/QlikSense%20SaaS%20Migration/Qlik%20SaaS%20End%20User%20Documentation/Qlik%20SaaS%20Development%20Overview%20Sessions%20Recordings/Session%205%20-%20Qlik%20Cloud%20Automations/Qlik%20Cloud%20Automations%20Technical%20Knowledge%20Sharing%20Session%20Recording.mp4?csf=1&web=1&e=xQympl


Applications Data or Report Distribution


Qlik provides various methods for distributing reports and insights to users within and outside the
organization. In addition, Mail and Deploy, a third-party tool that integrates with
Qlik to facilitate report distribution, is available.
• Subscriptions
• Scheduling reports with Automation
o Qlik Reporting Block
o Table + email block
• Scheduling reports with Tabular Reporting
• Mail and Deploy

Criteria-Based Selection of Report Distribution Types


When considering report distribution from Qlik Cloud, use the following criteria to decide
which reporting service to use.
• Author/Owner – Who would create the report.
• Recipients – To whom the report should be sent: internal or external users, and whether the
report should be sent to recipients who don’t have access to the application.
• Report Destination – Location to which the report should be sent, i.e.
Email/SFTP/Cloud Storage.
• Report type – The file type of the report: CSV/Excel/PDF/PowerPoint/Word/HTML.
• Section access support – Whether generated reports respect the section access of the
application.
• 3rd-party visualization support – Whether generated reports support 3rd-party visualizations.
• Multi-app support – Whether reports should be generated from multiple applications.
• Custom filtering – Whether custom data filtering is required before the reports are
generated.
• Qlik platform support & review – Whether additional support and review is required to
configure report distribution.
The degree of difficulty and complexity of implementing a solution using the available features is as shown
below.


This table will assist in choosing the right reporting distribution solution according to your business
requirements in Qlik Cloud.

Report Distribution | Subscription | Reporting Services - Tabular Reporting | Reporting Services - Qlik Automation | Qlik Automation | Mail and Deploy
Author | End User\ Super User\ Developer | Super User\ Developer | Developer | Developer | Developer
Application Access Needed? | Yes | No | No | No | No
Recipients | Application Users (Internal) | Internal\ External Users | Internal\ External Users | Internal\ External Users | Internal\ External Users
Section Access Supported? | Based on section access defined to the recipients | Based on section access defined to the recipients/If recipient section access is not defined, task owner’s section access is used | Based on section access defined to automation owner | Based on section access defined to automation owner | Being reviewed
Report Destination | Email | Email\ SharePoint | Email\ SFTP\ Cloud Storage | Email\ SFTP\ Cloud Storage | Email\ SFTP\ Cloud Storage
Report Type | PDF\ PowerPoint | Excel\ PDF | PDF\ PowerPoint | Excel\ PDF\ PowerPoint\ CSV | Excel\ PDF\ PowerPoint\ CSV\ HTML\ Word
3rd Party Extensions Supported? | No, only Qlik native objects are supported | No, only Qlik native objects are supported | No, only Qlik native objects are supported | No, only Qlik native objects are supported | Yes
Report creation based on multiple Qlik apps | No | No | Yes | Yes | Yes
Static filters (App filters, Public & Private bookmarks) | Yes | No | No | No | Yes
Dynamic Filters – filters applied as per recipient’s definition/conditions | No | Yes | Yes* | Yes* | Yes
On Demand Report | No | No | Yes | Yes | Yes
Qlik Platform Review for Prod Deployment | No | Yes* | Yes | Yes | Yes

Scheduling reports with Subscriptions


Subscription reports allow you to schedule regular emails with your chosen sheets or charts. You can
apply filters and receive a PPT/PDF report with the latest data sent to your inbox at set intervals. When
you create a subscription, the settings that are saved include:
• Selections made for the report.
• Visualization properties such as layout, colors, legend, labels, and themes
When to use Subscription
• You want regular updates on a chart or up to 10 sheets.
• You want to send reports to up to 100 recipients.
• You want to export up to 10 sheets or a chart on a schedule.
• Your recipients have access to Qlik Cloud.
• Your recipients want to add sheets or charts to PowerPoint files.

Learn and explore more about subscription using the following links.
• Qlik Document - Subscriptions.
• Qlik Community - App Development.
Scheduling reports with Automation
You can automate multi-page reports from a Qlik Sense app using Qlik Application Automation and the
Qlik Reporting Service. Recipients can receive scheduled, detailed reports, even without Qlik Cloud
Analytics access. Start with a template or create a custom automation. Reports are available in PDF or
PowerPoint formats.
Create a report distribution through Automation when you need to
• Deliver bursted, multi-page reports.
• Deliver reports to external recipients, or internal recipients who cannot access Qlik
Cloud Analytics.
• Create looping reports: a page within a report, looping over dimension values.
• Create a report based on multiple Qlik Cloud apps.
When to use Automation
• You want regular updates on a chart or sheets from multiple applications in a single
report.
• Send out scheduled reports to internal/external recipients that don’t have access to the
application.
• You want to send PDF/PPT reports to destinations such as SFTP/Cloud Storage.
• You want regular tabular data sent to destinations such as SFTP/Cloud Storage.

Prerequisites for creating automation.


• Creator/Author should have Professional license assigned.
• Creator/Author should have Automation Creator roles assigned.
If the above-mentioned privileges aren’t assigned, raise a SNOW incident with the platform team
requesting these privileges.
Learn and explore more about Qlik Automation using the following links.
• Qlik Document - Qlik Reporting Block.
• Qlik Community - Automations.
Scheduling reports with Tabular Reporting
Tabular reporting in Qlik SaaS is powered by the reporting service. You can create and distribute customized,
dynamic reports to users (internal and external) using data and visualizations from a Qlik Sense app,
leveraging a Microsoft Office 365 add-in. It supports report task, distribution list and report template
management. These reports can be sent by email or saved to specific folders in Microsoft SharePoint, in
either Excel or PDF.
Tabular Reporting is divided into two sections.
• Designing the report template using Qlik - Excel Add-In
• Configuring the report task
When to use Tabular Reporting
• You want dynamic custom Excel/PDF reports created from the application.
• Send out scheduled reports to internal/external recipients that don’t have access to the
application.
Prerequisites to use the Qlik SaaS Reporting section

The following role and space-level permissions are required.
• Shared space – Can Edit and Can edit data in apps.
• Managed space – Owner/Can Manage

Prerequisites to use Qlik – Excel Add-In


• Can View permission to the spaces.
• The user should have the Qlik Excel Add-In installed to either the desktop or web O365.
• The following prerequisites are important for Qlik Excel Add-In enablement.
o The user must have Syngenta Office O365 with an E3 license (Email Address & Office
365 apps).
o All internal employees already have an E3 license.
o External employees will need to raise a request for an E3 license with their Syngenta
product owner, and the request must be completed by the Office 365 team.
o Once the prerequisites listed above are fulfilled, raise an incident with the Qlik SaaS
platform team to enable the reporting services Excel Add-In.

• When the user request is actioned, the Qlik add-in will be available in the home
ribbon.


We have two Add-Ins, one for the SaaS Non-Prod environment and the other for the SaaS Prod environment.
A user will be enabled for only one Add-In at a time. Non-Prod is for POC and exploration, and Prod is
for actual business development.

Learn and explore more about Qlik Tabular Reporting using the following links.
• Qlik Document - Tabular Reporting.
• Qlik Community - Reporting Services.
• Syngenta Qlik SaaS SharePoint - Tabular Reporting.

Guidelines for Data Decryption in Qlik Cloud Platform

Due to the sensitivity of some data, additional privileges may be required to access the data. There
are two types of restrictions requiring these elevated access privileges:

1. Restricted access at the View level, where the entire View is not accessible.
2. Encryption at the Column level, where the view is queryable, but the data in some
or all of the columns is encrypted.

https://syngenta.eu.alationcloud.com/article/2063/

Process 1: Gaining Access to Restricted MIO Objects (Views)

If you are unable to access a specific MIO view, it may contain sensitive data where access is
restricted. To request access to such MIO objects (views), you need the approval of the
respective Data Steward, listed on the right side of the MIO page under "Stewards". If no Steward is
listed, contact the person listed under "Technical MIO Owner".

Process 2: Working with an MIO that contains Encrypted Data

***This requires a Security Exception request, and a Corporate Security system update
that takes place only on Fridays. Please plan your request accordingly.

Data deemed to be personally identifiable information (PII) allows unique identification of people and
requires compliance with privacy regulations in the multiple jurisdictions where Syngenta operates. It is
therefore encrypted in the SmartMart, as is very sensitive financial data. Some data within those
MIOs will appear in query results as meaningless text. Specific credentials are required to decrypt such
data.
To work with encrypted data in such an MIO, you must follow the steps below under "Requesting a
Security Exception" to obtain a key.
WARNING:
Decryption Keys are intended to be either for personal interactive use or for specific automated
system/app deployment usage. Keys must not be reused for a different purpose and MUST NOT be
shared with other users. DO NOT include your private key in queries saved in Alation (whether
Published or not) as they can then be visible to other users.

Requesting a Security Exception to obtain MIO SA Key via ISMS Tool

1. Obtain an approval email from the data steward.
o For Employee (MIO037) HR data, contact steward Hayley White (HR Data
Architect) for the approval email.
o For Business Partner/Party (MIO003 mio03) data, obtain an approval email
from your manager.
o For Users (MIO098) data, obtain an approval from your line manager.
2. Go to https://syngentagrc.azurewebsites.net/seform?Eofeid=515
to raise the request for an MIO SA Key. A sample form request is shown below.
3. Include the Qlik dashboard or project name you are developing for. Otherwise,
indicate the project for which this development is being done.
4. Submit the request.

Approvals and Credentials delivery

• The Exception request will be routed to your Line Manager and then to the System
Owner. Once these approvals are received, the updated credentials will be staged for
deployment.
• If the Requestor is a Syngenta user with a Syngenta.com Mailbox, the credentials will be
delivered to your mailbox using a secure message.
• If the requestor does not have a Syngenta.com Mailbox, they will be notified when the
credentials are ready for use in Production and will need to set up a meeting with the
Approver (currently Divya Sundaram) to convey these credentials to the
requestor. Credentials cannot be e-mailed to the requestor who does not have
a Syngenta.com mailbox.

Important Note

1. The encryption keys are confidential and private, with strict usage tracking in place. DO
NOT share your key with others.
2. You will have Access to PII Data and you must take care that PII Data should:
o NOT be disclosed to unauthorized users
o NOT be transmitted in attachments or in Emails
o NOT be left unencrypted on an open location
o NOT be moved around on USB File storage or other unsecure media, or
taken out of Syngenta systems
o NOT be transferred to others on the development team. (Users who want
access to PII data should obtain their own access)
o NOT be printed out – and if it is, it should be disposed of as confidential
waste.
3. All Security Exception Requests need to be approved by your manager.


Decryption key Usage Process in Qlik Cloud App Development & Deployment

• Each Qlik developer needs to have his/her own SA key (encryption key) of type
“Interactive”. This key is per developer, and the developer can work with the same single
key across multiple Qlik application developments as long as he/she is working in the same
project team.

• When a developer key of type “Interactive” expires, a new Security Exception needs to be
opened to get a new key. The developer key cannot be extended or renewed. A
developer decryption key is typically valid for 180 days. After that time the key is no
longer valid and will not work.

• When a developer changes project team, the developer needs to raise a new SA key
request as described above.

• Each Qlik application IT owner needs to have his/her own application key of type
“Automated”, which is intended for secure deployment of
production applications.

• Each Qlik application IT owner needs to have a separate key for each production
application. E.g. if a single Qlik application IT owner is responsible for 2 Qlik
applications using decrypted PII data, then he/she needs to have 2 Automated SA keys, one for
each Qlik application.

• Application keys of type “Automated” are valid for 1 year.

• However, application IT owners need not worry about “Automated” type key
expiry, as these keys are tracked and extended by Qlik Platform owner
Rawat Pushpendra CHBS [email protected] and Sundaram
Divya USRS [email protected] during the internal quarterly review.


• Please follow the process described below for using SA keys during app development
in a shared development space and during app deployment to the Prod space.

• The standard recommendation from the Qlik Cloud platform side is to use on-the-fly
(live) decryption in Qlik applications, so that there are no stored footprints of decrypted
customer, employee or vendor master data, transactional data, data attributes,
characteristics, classifications, etc.

• If regional/domain development teams still need to store the decrypted data
in a Qlik S3 bucket or on a file server so that it can be used as a data source for all required
Qlik applications, the regional/domain leads can raise a data security exception request in
the Information Security Management System (ISMS tool)
(syngentagrc.azurewebsites.net).

• The security exception request is sent to the line manager for approval. After line manager
approval, the request moves to [email protected] and finally comes to Rawat
Pushpendra CHBS [email protected], as a Qlik platform owner, during the
quarterly review, so that the request is kept for future reference.


Important Note: The LM approver of the data security exception request and the regional/domain Qlik S3
bucket owner are responsible for a data breach if one is detected as part of an audit or via a data breach
incident. Hence it is of utmost importance that such requests are reviewed very carefully and that decrypted
data is protected from unwarranted use.

Guidelines for Decryption Keys Data Connection in Qlik Cloud w.r.t REST API

A short guideline for creating decryption data connections in Qlik:


1. In the Qlik script editor, click ‘Create new connection’ and pick the ‘REST’ connection.
2. In the window that opens, fill in the URL field with one of the following values:
https://f2mhplmyml.execute-api.eu-central-1.amazonaws.com/prod/decrypt (prod env)
or https://ybeflzlltb.execute-api.eu-central-1.amazonaws.com/test/decrypt (test env)
3. Select the ‘POST’ method in the drop-down list.
4. In the ‘Request body’ field, provide one example of an encrypted value and the
decryption key. The syntax looks like this:

{"values": ["any-encrypted-value"], "decryption_key": "your-decryption-key"}

5. In ‘Query header’, specify the name as ‘x-api-key’; the values are:
‘uE8klKY9vo48PsBkjnHOS8yNeQl0hy4gsYzma3Td’ (prod env) or
‘S4VGFmEuHY1SuWAi6JBzi2va3qfayhTO6VIcSiod’ (test env)
6. Tick ‘Allow WITH CONNECTION’
7. Click on ‘Test connection’ button.

Connection naming convention: regional / domain team name – SA_Key


Refer to the reusable code below to set up the API key text file, applicable to both developers
and application owners.

File Name: Decryption Key - Application 1.txt.

File Content:

Sub AssignKey

Trace Initiate key assignment;

Let vDecryptionKey='SampleKey';

End Sub

Sub ClearKey

Set vDecryptionKey=;

End Sub

Refer to the reusable Qlik script below to set up the API key connections and make the API
decryption call.

1. API Key Connection Configuration

//////////////////////////////////////////////////////////////

// Verifying which space the application is being executed //

LET vSpaceName = GetSysAttr('spaceName');

If '$(vSpaceName)' = '' Then

LET vSpaceNameTrace ='Personal';

Else

LET vSpaceNameTrace='$(vSpaceName)';

End IF

TRACE Application executed in $(vSpaceNameTrace);

SET vSpaceNameTrace=;

//////////////////////////////////////////////////////////////


///////////////////////////////////////////////////////////////////////////////////////////////////////////

// Assigning appropriate connection with respect to the space in which the application is being executed //

// Clearing connection and folder paths

SET vOneDriveFolderPath=;

SET vDecryptionDataConnection=;

//// Developer Connection Configuration /////

If '$(vSpaceName)' = '' or '$(vSpaceName)' = 'Dev' Then // Replace to the appropriate space name

SET vDecryptionFileName='Decryption Key - Personal.txt';

SET vDecryptionFolderName='Qlik API Decryption Key''s';

SET vConnectionIdentifier='[email protected]';

SET vOneDriveFolderPath='lib://OneDrive - $(vConnectionIdentifier)/$(vDecryptionFolderName)/$(vDecryptionFileName)';

SET vDecryptionDataConnection= 'API Decryption - $(vConnectionIdentifier)';

//// Application Owner Connection Configuration /////

ElseIf '$(vSpaceName)' = 'Prod' Then // Replace to the appropriate Prod space name

SET vDecryptionFileName='Decryption Key - Application 1.txt';

SET vDecryptionFolderName='Qlik API Decryption Key''s';

SET vConnectionIdentifier='[email protected]';

SET vProdConnectionSpace='[Global/Regional/Country] [CP/SEEDs] [Domain/Subdomain] - Application Owner - Application Owner Name';


SET vOneDriveFolderPath='lib://$(vProdConnectionSpace):OneDrive - $(vConnectionIdentifier)/$(vDecryptionFolderName)/$(vDecryptionFileName)';

SET vDecryptionDataConnection= '$(vProdConnectionSpace):API Decryption - $(vConnectionIdentifier)';

End If

///////////////////////////////////////////////////////////////////////////////////////////////////////////

2. API Decryption Call

// Decryption key subroutine

$(Must_Include="$(vOneDriveFolderPath)");

Call AssignKey;

// // API Subroutines

$(Must_Include="lib://Global Data Connections:DataFiles/API Decryption Main.qvs");

$(Must_Include="lib://Global Data Connections:DataFiles/API Decryption Processing.qvs");

Decryption_Config:

NoConcatenate

Load

Inline [

Input Table, Input Field, Output Separate Table Flag, Output Table, Output Field

Transactions, TransID,

Transactions, TransLineID,


];

// Trigger decryption process

Call API_Decryption_Main;

Call ClearKey;
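
A pre-deployment check for the key-handling pattern above, added here as an example (it is not part of the original guidelines or of Syngenta's tooling). It lints an application load script, not the key file; the finding codes and both sample scripts are constructed for illustration.

```python
import re

# Constructed app script (not from the guidelines) that breaks the key-handling pattern.
BAD_SCRIPT = """
Let vDecryptionKey='constructed-key-value';
Trace Key is $(vDecryptionKey);
Call API_Decryption_Main;
Store Transactions into [lib://DataFiles/tx.qvd] (qvd);
"""

# Constructed app script that follows the include / AssignKey / ClearKey pattern.
GOOD_SCRIPT = """
$(Must_Include="$(vOneDriveFolderPath)");
Call AssignKey;
// Let vDecryptionKey='old-value';
Call API_Decryption_Main;
Call ClearKey;
"""

def strip_comments(script):
    """Drop /* */ blocks and whole-line // comments (keeps lib:// paths intact)."""
    script = re.sub(r"/\*.*?\*/", "", script, flags=re.S)
    return re.sub(r"^[ \t]*//.*$", "", script, flags=re.M)

def lint(script):
    """Return sorted finding codes for one Qlik app load script."""
    findings, key_live, decrypted = set(), False, False
    for stmt in strip_comments(script).split(";"):
        low = stmt.strip().lower()
        assign = re.match(r"(?:let|set)\s+vdecryptionkey\s*=\s*(.*)", low, flags=re.S)
        if assign:
            key_live = bool(assign.group(1).strip())
            if key_live:  # a key literal belongs in the per-owner key file only
                findings.add("HARDCODED_KEY")
        elif re.match(r"call\s+assignkey\b", low):
            key_live = True
        elif re.match(r"call\s+clearkey\b", low):
            key_live = False
        elif re.match(r"call\s+api_decryption_main\b", low):
            decrypted = True
        elif low.startswith("trace") and "vdecryptionkey" in low:
            findings.add("KEY_IN_TRACE")  # would write the key to the reload log
        elif low.startswith("store") and decrypted:
            findings.add("STORE_AFTER_DECRYPT")  # needs an approved exception
    if key_live:
        findings.add("KEY_NOT_CLEARED")
    return sorted(findings)

if __name__ == "__main__":
    print("bad: ", lint(BAD_SCRIPT))
    print("good:", lint(GOOD_SCRIPT))
```

STORE_AFTER_DECRYPT is a review flag rather than proof of a violation: it fires on any STORE statement that follows the decryption call, including stores of tables that hold no decrypted fields.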

LIVE layer Consumption Guidelines for Qlik cloud Platform

https://digitial-product-engineering.atlassian.net/wiki/spaces/DAS/pages/3417343211/LIVE+Layer+Consumption+Guidelines

Appendix

Additional Qlik Cloud Resources


Qlik offers a range of resources to support users in leveraging their products effectively.
Here are the different types of Qlik resources:
• Qlik Help
• Qlik Learning Portal
• Qlik Community
• Qlik Dev
