topic Re: API end point for Auto Assigning Security Roles (SaaS) in Integration, Extension & APIs

API end point for Auto Assigning Security Roles (SaaS)

richardpearce60 — Fri, 21 Mar 2025 14:28:42 GMT

RE https://help.qlik.com/en-US/cloud-services/Subsystems/Hub/Content/Sense_Hub/Admin/SaaS-roles-capacity-model.htm#:~:text=Do%20the%20following%3A-,In%20the%20Administration%20activity%20center%2C%20go%20to%20Manage%20users%20%3E%20Permissions,role%20at%20their%20next%20login.

I want to default all the security rules to Auto Assign to "Off" when creating a new tenant. I've been looking through the rest API Group, Users, Roles, ... but can't find anything relating to this

Does this exist in the API?

Re: API end point for Auto Assigning Security Roles (SaaS)

Dave_Channon — Mon, 24 Mar 2025 09:46:47 GMT

Hi @richardpearce60

Yes, this is possible. Right now we're in a transition, so there are a few you must change via tenants with a patch: https://qlik.dev/apis/rest/tenants/#patch-v1-tenants-tenantId

For this you'll want to do something like:

curl "https://your-tenant.us.qlikcloud.com/api/v1/tenants/{tenantId}" \ -X PATCH \ -H "Content-type: application/json" \ -H "Authorization: Bearer <access_token>" \ -d '[{"op":"replace","path":"/autoAssignCreateSharedSpacesRoleToProfessionals","value":false},{"op":"replace","path":"/autoAssignPrivateAnalyticsContentCreatorRoleToProfessionals","value":false},{"op":"replace","path":"/autoAssignDataServicesContributorRoleToProfessionals","value":false}]'

This will turn off auto-assignment (at a per-user level on user creation, depending on their license):

autoAssignCreateSharedSpacesRoleToProfessionals - automatically assign the shared spaces role to professional/ full users
autoAssignPrivateAnalyticsContentCreatorRoleToProfessionals - auto assign the ability to create analytics in personal spaces for professional/ full users
autoAssignDataServicesContributorRoleToProfessionals - assign contributor role for data services to professional/ full users

If you aren't licensed for data in your tenant the last one can likely be removed. We hope to move these to the below patterns this year.

Then, for the built in roles, you can learn more here https://qlik.dev/manage/roles/assign-roles/

And finally, we have this thing called User Default - this is for specific scopes (permissions) which aren't major enough to be their own role, but you might have some things in here you wish to turn off for all users.

Re: API end point for Auto Assigning Security Roles (SaaS)

richardpearce60 — Mon, 24 Mar 2025 11:29:18 GMT

Thanks very much Dave! I had fun throwing errors when I tried to patch hostname 1 to the same value although once I'd figured out where I was going wrong the rest worked perfectly for those settings. Much appreciated!

Re: API end point for Auto Assigning Security Roles (SaaS)

richardpearce60 — Mon, 24 Mar 2025 11:53:03 GMT

@Dave_Channon regarding the the roles I've looked and can't see anything regarding auto-assign?

if I get a role which in this tenant I've set them all to Auto-Assign here are my results:

{'id': '608050f750afab80bd5359a4', 'name': 'Developer', 'type': 'default', 'canEdit': False, 'canDelete': False, 'level': 'user', 'assignedScopes': [], 'permissions': ['api-keys:read', 'api-keys:create', 'api-keys:update', 'api-keys:delete', 'api-keys:list_own', 'api-keys:use'], 'createdAt': '2021-04-21T16:21:11.540Z', 'lastUpdatedAt': '2022-11-29T15:03:11.200Z', 'links': {'self': {'href': 'https://xxxxxxxx.us.qlikcloud.com/api/v1/roles/608050f750afab80bd5359a4'}}}

I can't see anything about the auto assign?

Are you saying I have to remove the assigned roles when a new user is created?

Re: API end point for Auto Assigning Security Roles (SaaS)

Dave_Channon — Mon, 24 Mar 2025 11:57:26 GMT

There's two ways that users get roles:

Either assigned on creation/ login (which is what the PATCH to tenants can disable), but after disabling the auto assign you'll need to remove it from any user who was given it prior to you changing the setting. This is assigned against individual users.
Using the Everyone group. Although the UI shows "Auto Assign", this isn't correct. What it does it it assigns it to the everyone group, which...everyone...is part of. So they don't get it auto assigned to them, they inherit it through the everyone group.

You won't see anything on autoassignment from the roles service itself, it's all managed either on users or groups. Does that help?

Re: API end point for Auto Assigning Security Roles (SaaS)

richardpearce60 — Mon, 24 Mar 2025 13:05:17 GMT

Hi @Dave_Channon thanks for your response. I've found the solution by updating the system group 000000000000000000000001 (I think this is the "everyone" group ID)

. when you run this it will default everything to off with the Auto-Assign

Thanks for you help... was struggling on this one

data = [{ "op": "replace", "path": "/systemGroups/000000000000000000000001/assignedRoles", "value": [] }] response = qlik_oauth_connection.client.rest(path="/groups/settings", method="PATCH",data=data)

Re: API end point for Auto Assigning Security Roles (SaaS)

lachlanwcast — Wed, 27 Aug 2025 03:39:58 GMT

Thanks @richardpearce60 - very helpful, thanks for documenting your approach