<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Allocating licenses based on Azure AD groups in Management &amp; Governance</title>
    <link>https://community.qlik.com/t5/Management-Governance/Allocating-licenses-based-on-Azure-AD-groups/m-p/2439614#M26985</link>
    <description>&lt;P&gt;Ah,&amp;nbsp;&lt;a href="https://community.qlik.com/t5/user/viewprofilepage/user-id/44037"&gt;@steeefan&lt;/a&gt;&amp;nbsp;, so nice! I knew I was missing something stupid - I had the path too long (including) api/v1/... Working with the value for type in the body, for other users I can add that the value (e.g., "analyzer") is case sensitive. Thanks a bunch! /Simon&lt;/P&gt;</description>
    <pubDate>Wed, 10 Apr 2024 07:29:16 GMT</pubDate>
    <dc:creator>simonheap_cph</dc:creator>
    <dc:date>2024-04-10T07:29:16Z</dc:date>
    <item>
      <title>Allocating licenses based on Azure AD groups</title>
      <link>https://community.qlik.com/t5/Management-Governance/Allocating-licenses-based-on-Azure-AD-groups/m-p/2046942#M24494</link>
      <description>&lt;P&gt;This question is for Qlik Sense SaaS.&lt;/P&gt;
&lt;P&gt;Does anyone have a best practice for how to manage user license allocations based on Azure AD groups? We use Azure AD as IDP and have two groups in AD; one for analyzers and one for professional users. I want to automatically assign the corresponding license to the user. The best would be that the user and license are pre-populated in Qlik Sense SaaS before the user logs on.&lt;BR /&gt;We also want that if the user is removed from the AD group, the license should be removed from the user.&lt;/P&gt;
&lt;P&gt;I guess that we need to automate this with a script, for example PowerShell and CLI, or is it better to use Automations in Qlik Sense to do it?&lt;/P&gt;
&lt;P&gt;Thanks in advance.&lt;/P&gt;</description>
      <pubDate>Wed, 08 Mar 2023 15:41:36 GMT</pubDate>
      <guid>https://community.qlik.com/t5/Management-Governance/Allocating-licenses-based-on-Azure-AD-groups/m-p/2046942#M24494</guid>
      <dc:creator>tan123qlik</dc:creator>
      <dc:date>2023-03-08T15:41:36Z</dc:date>
    </item>
    <item>
      <title>Re: Allocating licenses based on Azure AD groups</title>
      <link>https://community.qlik.com/t5/Management-Governance/Allocating-licenses-based-on-Azure-AD-groups/m-p/2047408#M24504</link>
      <description>&lt;P&gt;Hey&amp;nbsp;&lt;a href="https://community.qlik.com/t5/user/viewprofilepage/user-id/28846"&gt;@tan123qlik&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I'll assume you're not using the very recently released &lt;A href="https://help.qlik.com/en-US/cloud-services/Subsystems/Hub/Content/Sense_Hub/Admin/auto-provisioning-using-SCIM.htm" target="_self"&gt;SCIM capabilities for Azure AD&lt;/A&gt; for this first part. You can use application automation or CLI or raw REST API calls to achieve each step:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;You can pre-create and pre-assign licenses up-front using the &lt;A href="https://qlik.dev/apis/rest/users" target="_self"&gt;/users&lt;/A&gt; and &lt;A href="https://qlik.dev/apis/rest/licenses" target="_self"&gt;/licenses&lt;/A&gt; APIs - although I don't actually recommend this approach as you don't necessarily want to assign licenses to users who may never use them, and without an automated way of removing users who never logged in later (although you can do this too via API)&lt;/LI&gt;
&lt;LI&gt;Instead, you can create a webhook (either in the management console if you have your own script, or in an application automation start block) on the user.created event. The user is automatically created on their first login, and as Qlik Cloud becomes aware of their groups via the claims sent with their login request, you can hit the users endpoint to get the list of groups, check for a professional/ analyzer group, and then assign the relevant license. As this happens post user creation, it might mean a brief delay of a few seconds to a few minutes where they can't access apps the first time they hit the tenant (depends on how it's set up)&lt;/LI&gt;
&lt;LI&gt;For removing/ amending license assignments, you probably want to drive this externally since you can then look up the current live group membership. This is because groups are only refreshed in Qlik Cloud when the user logs in - so if a user hasn't logged in since the change in group membership, we won't have any data to act on. That said - if this is a reasonable limitation, then you can periodically review user license assignments and groups either externally or in application automation&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Now, if you were using Azure AD with SCIM, you could then pre-provision most of this, and have group changes sync'd to the tenant, which means you can do everything for the license assignment/ deallocation within Qlik Cloud, as the data will always be (nearly) up to date.&lt;/P&gt;</description>
      <pubDate>Thu, 09 Mar 2023 13:31:47 GMT</pubDate>
      <guid>https://community.qlik.com/t5/Management-Governance/Allocating-licenses-based-on-Azure-AD-groups/m-p/2047408#M24504</guid>
      <dc:creator>Dave_Channon</dc:creator>
      <dc:date>2023-03-09T13:31:47Z</dc:date>
    </item>
    <item>
      <title>Re: Allocating licenses based on Azure AD groups</title>
      <link>https://community.qlik.com/t5/Management-Governance/Allocating-licenses-based-on-Azure-AD-groups/m-p/2047807#M24512</link>
      <description>&lt;P&gt;Thank you for your detailed answer.&lt;/P&gt;
&lt;P&gt;I was not aware of the SCIM possibility when I wrote the question. Now when I have read about it, I can see that this could be used for populating users and groups. However, I don't understand if this could be used for allocating/deallocating licenses?&lt;/P&gt;</description>
      <pubDate>Fri, 10 Mar 2023 09:39:17 GMT</pubDate>
      <guid>https://community.qlik.com/t5/Management-Governance/Allocating-licenses-based-on-Azure-AD-groups/m-p/2047807#M24512</guid>
      <dc:creator>tan123qlik</dc:creator>
      <dc:date>2023-03-10T09:39:17Z</dc:date>
    </item>
    <item>
      <title>Re: Allocating licenses based on Azure AD groups</title>
      <link>https://community.qlik.com/t5/Management-Governance/Allocating-licenses-based-on-Azure-AD-groups/m-p/2047860#M24514</link>
      <description>&lt;P&gt;Hey&amp;nbsp;&lt;a href="https://community.qlik.com/t5/user/viewprofilepage/user-id/28846"&gt;@tan123qlik&lt;/a&gt;,&amp;nbsp;not for the licenses. You'll still need to use application automation or an outside script to manage that piece.&lt;/P&gt;
&lt;P&gt;Quite often it's acceptable to enable auto assignment of analyzer licenses so that users have immediate access to content on login, then upgrade them to professional if they have a specific group. You then use the IdP to restrict who has access to the app (something you should be able to do under enterprise applications in azure AD).&lt;/P&gt;</description>
      <pubDate>Fri, 10 Mar 2023 11:00:36 GMT</pubDate>
      <guid>https://community.qlik.com/t5/Management-Governance/Allocating-licenses-based-on-Azure-AD-groups/m-p/2047860#M24514</guid>
      <dc:creator>Dave_Channon</dc:creator>
      <dc:date>2023-03-10T11:00:36Z</dc:date>
    </item>
    <item>
      <title>Re: Allocating licenses based on Azure AD groups</title>
      <link>https://community.qlik.com/t5/Management-Governance/Allocating-licenses-based-on-Azure-AD-groups/m-p/2158580#M26336</link>
      <description>&lt;P&gt;Excellent - thanks a lot! I was looking for the exact same thing.&lt;/P&gt;
&lt;P&gt;"Instead, you can create a webhook..." works for me and is also my first automation.&lt;/P&gt;</description>
      <pubDate>Fri, 05 Jan 2024 10:15:35 GMT</pubDate>
      <guid>https://community.qlik.com/t5/Management-Governance/Allocating-licenses-based-on-Azure-AD-groups/m-p/2158580#M26336</guid>
      <dc:creator>steeefan</dc:creator>
      <dc:date>2024-01-05T10:15:35Z</dc:date>
    </item>
    <item>
      <title>Re: Allocating licenses based on Azure AD groups</title>
      <link>https://community.qlik.com/t5/Management-Governance/Allocating-licenses-based-on-Azure-AD-groups/m-p/2439422#M26977</link>
      <description>&lt;P&gt;In response to&amp;nbsp;&lt;a href="https://community.qlik.com/t5/user/viewprofilepage/user-id/1870"&gt;@Dave_Channon&lt;/a&gt;&amp;nbsp;and&amp;nbsp;&lt;a href="https://community.qlik.com/t5/user/viewprofilepage/user-id/44037"&gt;@steeefan&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have been working with the exact same issue. I get the automation up and running (that creates a webhook), I get the filtering on the group done when I want to decide on the license type, but I can't seem to get the api working... I have tried with both the Call URL-block and the Raw API Request-block using the api https://{mytenant}/api/v1/licenses/assignments/actions/add/ with an add-payload, but I can't get it to work.&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Do you have some examples of what it takes to make this work? Thank you!&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;BR, Simon&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 09 Apr 2024 14:57:10 GMT</pubDate>
      <guid>https://community.qlik.com/t5/Management-Governance/Allocating-licenses-based-on-Azure-AD-groups/m-p/2439422#M26977</guid>
      <dc:creator>simonheap_cph</dc:creator>
      <dc:date>2024-04-09T14:57:10Z</dc:date>
    </item>
    <item>
      <title>Re: Allocating licenses based on Azure AD groups</title>
      <link>https://community.qlik.com/t5/Management-Governance/Allocating-licenses-based-on-Azure-AD-groups/m-p/2439443#M26979</link>
      <description>&lt;P&gt;To add the license I'm using "Raw API Request" with these parameters&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Path: licenses/assignments/actions/add&lt;/LI&gt;
&lt;LI&gt;HTTP Method: POST&lt;/LI&gt;
&lt;LI&gt;Body: &lt;FONT face="courier new,courier"&gt;{"add":[{"type":"&lt;STRONG&gt;V License Type&lt;/STRONG&gt;","subject":"&lt;STRONG&gt;Get User &amp;gt; Subject&lt;/STRONG&gt;"}]}&lt;/FONT&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;FONT face="courier new,courier"&gt;&lt;STRONG&gt;V License Type&lt;/STRONG&gt;&lt;/FONT&gt;&amp;nbsp;is a variable that is set earlier in the automation flow, &lt;FONT face="courier new,courier"&gt;&lt;STRONG&gt;Get User &amp;gt; Subject&lt;/STRONG&gt;&lt;/FONT&gt; is data fed from the user object in scope.&lt;/P&gt;</description>
      <pubDate>Tue, 09 Apr 2024 16:02:56 GMT</pubDate>
      <guid>https://community.qlik.com/t5/Management-Governance/Allocating-licenses-based-on-Azure-AD-groups/m-p/2439443#M26979</guid>
      <dc:creator>steeefan</dc:creator>
      <dc:date>2024-04-09T16:02:56Z</dc:date>
    </item>
    <item>
      <title>Re: Allocating licenses based on Azure AD groups</title>
      <link>https://community.qlik.com/t5/Management-Governance/Allocating-licenses-based-on-Azure-AD-groups/m-p/2439614#M26985</link>
      <description>&lt;P&gt;Ah,&amp;nbsp;&lt;a href="https://community.qlik.com/t5/user/viewprofilepage/user-id/44037"&gt;@steeefan&lt;/a&gt;&amp;nbsp;, so nice! I knew I was missing something stupid - I had the path too long (including) api/v1/... Working with the value for type in the body, for other users I can add that the value (e.g., "analyzer") is case sensitive. Thanks a bunch! /Simon&lt;/P&gt;</description>
      <pubDate>Wed, 10 Apr 2024 07:29:16 GMT</pubDate>
      <guid>https://community.qlik.com/t5/Management-Governance/Allocating-licenses-based-on-Azure-AD-groups/m-p/2439614#M26985</guid>
      <dc:creator>simonheap_cph</dc:creator>
      <dc:date>2024-04-10T07:29:16Z</dc:date>
    </item>
    <item>
      <title>Re: Allocating licenses based on Azure AD groups</title>
      <link>https://community.qlik.com/t5/Management-Governance/Allocating-licenses-based-on-Azure-AD-groups/m-p/2440074#M26997</link>
      <description>&lt;P&gt;You can also use the blocks from Qlik Platform Operations instead of those from Qlik Cloud Services.&lt;/P&gt;
&lt;P&gt;You have an "Allocate License To User" block.&lt;/P&gt;
&lt;P&gt;Here's a basic example.&lt;/P&gt;
&lt;P&gt;(don't forget to create a&amp;nbsp;&lt;SPAN&gt;tenant OAuth client first and configure the connection)&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Laurent_Cornilleau_1-1712825316039.png" style="width: 400px;"&gt;&lt;img src="https://community.qlik.com/t5/image/serverpage/image-id/163869iC0BEA8309174C787/image-size/medium?v=v2&amp;amp;px=400" role="button" title="Laurent_Cornilleau_1-1712825316039.png" alt="Laurent_Cornilleau_1-1712825316039.png" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 11 Apr 2024 08:49:16 GMT</pubDate>
      <guid>https://community.qlik.com/t5/Management-Governance/Allocating-licenses-based-on-Azure-AD-groups/m-p/2440074#M26997</guid>
      <dc:creator>Laurent_Cornilleau</dc:creator>
      <dc:date>2024-04-11T08:49:16Z</dc:date>
    </item>
    <item>
      <title>Re: Allocating licenses based on Azure AD groups</title>
      <link>https://community.qlik.com/t5/Management-Governance/Allocating-licenses-based-on-Azure-AD-groups/m-p/2440117#M26999</link>
      <description>&lt;P&gt;And we just added a new "Allocate Or Update User License" block to QPO to make it easier to handle for when users might already have an assignment:&amp;nbsp;&lt;A href="https://qlik.dev/changelog/90-platform-ops-connector/" target="_blank"&gt;https://qlik.dev/changelog/90-platform-ops-connector/&lt;/A&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 11 Apr 2024 10:03:10 GMT</pubDate>
      <guid>https://community.qlik.com/t5/Management-Governance/Allocating-licenses-based-on-Azure-AD-groups/m-p/2440117#M26999</guid>
      <dc:creator>Dave_Channon</dc:creator>
      <dc:date>2024-04-11T10:03:10Z</dc:date>
    </item>
    <item>
      <title>Re: Allocating licenses based on Azure AD groups</title>
      <link>https://community.qlik.com/t5/Management-Governance/Allocating-licenses-based-on-Azure-AD-groups/m-p/2440165#M27001</link>
      <description>&lt;P&gt;Dear Laurent,&lt;/P&gt;
&lt;P&gt;Thank you for pointing this out! I was not aware of the&amp;nbsp;&lt;SPAN&gt;Qlik Platform Operations having been able to handle what I needed from&amp;nbsp;Qlik Cloud Services. But also, I am new to OAuth, so, not having to use OAuth is, for me, a compelling feature with the&amp;nbsp;Qlik Cloud Services. Why is it - also a question to&amp;nbsp;&lt;a href="https://community.qlik.com/t5/user/viewprofilepage/user-id/1870"&gt;@Dave_Channon&lt;/a&gt;&amp;nbsp; - that we have to use OAuth for stuff like this, when/if we are running the automation on the tenant that we want to handle the users on? Since the starting block is User Created, to me it is obvious that I would not have this starting block on tenant a and then run something else on tenant b. Although I can see the flexibility here, I kind'a like avoiding having to authenticate again. Any comments from either you two gentlemen are welcomed and treasured. BR, Simon&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 11 Apr 2024 11:56:50 GMT</pubDate>
      <guid>https://community.qlik.com/t5/Management-Governance/Allocating-licenses-based-on-Azure-AD-groups/m-p/2440165#M27001</guid>
      <dc:creator>simonheap_cph</dc:creator>
      <dc:date>2024-04-11T11:56:50Z</dc:date>
    </item>
    <item>
      <title>Re: Allocating licenses based on Azure AD groups</title>
      <link>https://community.qlik.com/t5/Management-Governance/Allocating-licenses-based-on-Azure-AD-groups/m-p/2440189#M27002</link>
      <description>&lt;P&gt;Essentially:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;QCS connector authenticates as the current user. Super convenient and great for use cases where you want to act as the current user, but can only act with the permissions assigned to that interactive user.&lt;/LI&gt;
&lt;LI&gt;QPO connector authenticates via OAuth. OAuth clients permit very fine control of the scopes you add to a user, and acts as a discrete user. This means you can do things like access private content, impersonate other users, really accurately control what the user can do in the tenant (in more ways than just assigning a role), and track and audit its actions more easily than picking out what an interactive user has been up to&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Definitely a use case and space for both, hopefully QCS is enough for most things, QPO just gives you additional options and capabilities.&lt;/P&gt;</description>
      <pubDate>Thu, 11 Apr 2024 13:09:03 GMT</pubDate>
      <guid>https://community.qlik.com/t5/Management-Governance/Allocating-licenses-based-on-Azure-AD-groups/m-p/2440189#M27002</guid>
      <dc:creator>Dave_Channon</dc:creator>
      <dc:date>2024-04-11T13:09:03Z</dc:date>
    </item>
  </channel>
</rss>

