
How to allow Anonymous Hub access in Qlik Sense Enterprise on Windows

Sonja_Bauernfeind
Digital Support

Last Update:

Aug 11, 2022 6:13:32 AM

Updated By:

Sonja_Bauernfeind

Created date:

Oct 28, 2014 10:33:11 AM

Three requirements need to be met in order to allow Anonymous users access to the Hub:

 

Useful information:

  • Users who access Qlik Sense anonymously are identified as NONE\anonymousd9e61933-a7e5-4836-8540-5b137a600e69, where the GUID is a unique identifier.
  • To create a license rule granting login passes to anonymous users, you can use two identifiers:
    • userDirectory=NONE 
    • user.IsAnonymous()

 

 

Configure the Proxy to allow Anonymous users

By default, anonymous access is disabled. The steps provided require a restart of the Proxy service after completion. 

  1. Open the Qlik Sense Management Console.
  2. Choose the Virtual Proxy to be used for anonymous access
  3. Click Edit.
  4. In the Properties menu (right side) choose Authentication
  5. From the Anonymous access mode drop-down select Allow anonymous users


Set up a license rule 

Anonymous users need a license rule that gives them either an Analyzer Capacity License or a Login Access Token. The instructions in this article focus on Analyzer Capacity Licenses.

  1. Open the Qlik Sense Management Console.
  2. Navigate to License Management 
  3. Click Analyzer capacity rules 
  4. Click Create new 
  5. Give the new rule a Name (mandatory) and Description (optional) 
  6. Create one of two possible rules:
    1. In the Basic settings, select
      user: userDirectory =
      value: NONE
    2. In the Advanced settings (see Fig 2), provide the condition:
      user.IsAnonymous()

      Fig 2

  7. Click Apply

 

Set up a Stream for anonymous access

You can use the default Everyone stream, which has already been set up for anonymous access, or create your own. 

We will create two rules: one to give logged-in (authenticated) users access and publishing permissions, and one to give anonymous users access but no publishing permissions. Note that, depending on your requirements, this may need to be modified.

  1. Go to the Qlik Sense Management Console
  2. Go to Manage Content and Streams
  3. Click Create New
  4. Name your new Stream
  5. Click Security Rules 
  6. Click Create associated rule (see Fig 2) 
    This will be our "Everyone (anonymous) can read the stream." rule.

    Fig 3
  7. Provide a Name (mandatory) and Description (optional)
  8. In Basic only select Read 
  9. In Advanced define
    Condition: user.IsAnonymous()
    Context: Only in hub

    See Fig 4. 

    Fig 4

  10. Click Apply 
  11. Click Create associated rule (see Fig 2)
    This will be our "Everyone (logged in) can access this stream and publish." rule.
  12. Provide a Name (mandatory) and Description (optional)
  13. In Basic only select Read and Publish.
  14. In Advanced define
    Condition: !user.IsAnonymous()
    Context: Both in hub and QMC
  15. Click Apply

 

Test!

We are now ready to test access. 

  1. Go to the Qlik Sense Hub (hosted by the Virtual Proxy you have configured)
  2. If you are logged in, log out.


  3. Our new Anonymous stream is now available.

 

 

Comments
RaviGinqo
Partner - Contributor II

Hi Sonja,

Thanks for the article, I also wanted to know what will be session timeout for Anonymous users. Can session Monitor give correct details for session analysis of anonymous users?

 

Is the session inactivity timeout on Virtual proxy applicable to anonymous users as well? 

 

Ravi

Sonja_Bauernfeind
Digital Support

Hello @RaviGinqo

The same timeout applies for all users, regardless of whether or not they are logged in - and all sessions are recorded in the Session Monitor.

-Sonja 

ilyas393
Creator

Hi Sonja,

Thanks for the helpful article.

Is it possible to have the same proxy (basically the same URL) for non-anonymous and anonymous users?

Right now, we have qlik.company.com for the hub. And users are basically SSO in. They can directly access the hub and the apps if they have access to.

We now have an app that everyone at the organization should be able to access. Ours is a huge organization, and we don't have like a huge AD group with everyone in it. So, the other option is to enable the anonymous user ability so that anybody can access the portal.

When we enable ALLOW ANONYMOUS users, all the users land on the everyone stream, and users who have access to other streams are having to click on the LOG IN button to sign in. So basically non-anonymous users have an extra step to click on the LOG IN button.

Is it possible that all non-anonymous users can see the streams they have access to and anonymous users see only the everyone stream, using the same URL, and no extra clicking for the non-anonymous users?

Sorry if my post is confusing. Just want to get an idea if this is even possible?

I understand the other solution will be to create a virtual proxy for the anonymous users, but then we would end up having two URLs; one for anonymous and the other for non-anonymous.

Appreciate your thoughts.

Thanks,

Ilyas

Sonja_Bauernfeind
Digital Support

Hello @ilyas393 

Either way, a user will need to authenticate somehow. You may be able to build something with a single sign-on solution that will automatically log in a user and then provide them seamless access to all the apps they have available, but even then there would need to be some trigger or button-click, as how else would you make the decision between "I am going to log in" or "I am anonymous".

It might be worth dropping this question over in our forums to see if anyone has tailored a solution like that to their needs.

All the best, 

Sonja 

ilyas393
Creator

Hi Sonja,

Thanks for your response. I ended up removing the filters from the UDC and allowing everyone at our organization to access the application, opened up just the EVERYONE stream and locked other streams with specific AD Groups. This seemed to solve our requirement.

Thanks,

Ilyas

Sonja_Bauernfeind
Digital Support

@ilyas393 That's a great use of streams and AD Groups! 

Thank you for taking the time to leave the comment - I am sure other customers will find this useful. 

-Sonja 

Mccutchan1
Contributor III

Hi Sonja, 

It looks like each user is identified as NONE\anonymous. Are there any logs in Qlik Sense or any other way to track who is accessing the application via anonymous access?

Thanks

McCutchan

Sonja_Bauernfeind
Digital Support

Hello @Mccutchan1 

This depends on where the users are coming from and if you have access to logs as well as if you have any means to identify them based on IP address. Sense will not be able to ID them for you, but you can fetch the IP address out of this log:

Directory: C:\ProgramData\Qlik\Sense\Log\Proxy\Trace
File: QLIKSERVER3_Audit_Proxy

This is what a simplified example looks like (I stripped out some columns and dropped them into an Excel file):

ip address in log.png

 

Additional info can be fed into the logs if you enable Enhanced Security, but again, nothing that will help you ID the user directly. The IP address in the proxy log is your best bet.

 

All the best,

Sonja 
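
The IP-based triage described in the reply above, as an added example that is not part of the original thread or Qlik's own tooling: it reads a simplified, tab-separated export of the proxy audit log and groups anonymous (NONE\anonymous plus GUID) entries by client IP. The column names and sample rows are assumptions constructed for illustration; substitute the headers from your own file.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a simplified, tab-separated audit export.
# Column names are assumptions; rename them to match your own file.
SAMPLE = (
    "Timestamp\tUserDirectory\tUserId\tClientIP\n"
    "2022-08-11T06:01:10Z\tNONE\tanonymous00000000-0000-4000-8000-000000000001\t203.0.113.10\n"
    "2022-08-11T06:02:45Z\tCORP\tjdoe\t198.51.100.7\n"
    "2022-08-11T06:05:02Z\tNONE\tanonymous00000000-0000-4000-8000-000000000002\t203.0.113.10\n"
    "2022-08-11T06:09:30Z\tNONE\tanonymous00000000-0000-4000-8000-000000000003\t192.0.2.55\n"
)

def is_anonymous(user_directory, user_id):
    """True for the NONE\\anonymous<GUID> identity the article describes."""
    return (user_directory.strip().upper() == "NONE"
            and user_id.strip().lower().startswith("anonymous"))

def anonymous_by_ip(handle, ts_col="Timestamp", dir_col="UserDirectory",
                    id_col="UserId", ip_col="ClientIP"):
    """Group anonymous rows by client IP: distinct IDs, row count, first/last seen."""
    reader = csv.DictReader(handle, delimiter="\t")
    missing = {ts_col, dir_col, id_col, ip_col} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"columns missing from header: {sorted(missing)}")
    summary = defaultdict(lambda: {"ids": set(), "rows": 0, "first": None, "last": None})
    for row in reader:
        # Short or damaged rows yield None for absent cells; treat as empty.
        if not is_anonymous(row[dir_col] or "", row[id_col] or ""):
            continue
        entry = summary[(row[ip_col] or "").strip() or "unknown"]
        entry["ids"].add(row[id_col].strip())
        entry["rows"] += 1
        ts = (row[ts_col] or "").strip()
        # ISO 8601 timestamps in one timezone sort correctly as plain strings.
        if ts and (entry["first"] is None or ts < entry["first"]):
            entry["first"] = ts
        if ts and (entry["last"] is None or ts > entry["last"]):
            entry["last"] = ts
    return dict(summary)

if __name__ == "__main__":
    for ip, e in sorted(anonymous_by_ip(io.StringIO(SAMPLE)).items()):
        print(ip, len(e["ids"]), "anonymous IDs,", e["rows"], "rows,", e["first"], "->", e["last"])
```

Because every anonymous session gets a fresh GUID, the count of distinct IDs per address is a session count, not a head count; addresses behind NAT or a proxy will aggregate many people.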

 

Mccutchan1
Contributor III

Thank you for the information Sonja!

Mccutchan1
Contributor III

Hi Sonja,

We are planning on sending out a URL for the anonymous access application. Once the application is accessed, is there any way to hide the menu from being seen?

Menu.PNG
