daveatkins
Partner - Creator III

how to "pre load" some users from active directory so their access can be verified

We have QlikSense configured using a User Directory Connector that syncs from our corporate Active Directory. Streams have permissions based on AD group membership. So, when a person needs access to a stream, we add them to the AD group and then, the first time they hit Qlik, it pulls over their info and they are good to go.

The problem I have is troubleshooting new users who have not yet hit the site. We have had lag times where their AD group membership did not come across. And there could be situations where a user needs to be set up with special permissions that cannot be done until their user account exists in Qlik.

How can I import some users to set them up before they access the site? Can I, for example, add an LDAP filter in the UDC that is limited to a special group of users...then uncheck the sync box so that all users are imported immediately. Then, set the UDC back the way it was. I am wary of attempting this in production because I worry that limiting the connector might cause other users to be inactivated and recovering from such a configuration change would be traumatic for thousands of users.

This approach of having them go to the site and see what happens has never been great for provisioning access to executives; there has got to be a safe way to create a user in Qlik Sense without messing up the existing LDAP setup...

1 Reply
daveatkins
Partner - Creator III
Author

Answering my own post for benefit to the community...

I set up a test instance of QlikSense Enterprise and performed numerous tests before using this approach in production successfully. Beware that while doing this, users will be temporarily deactivated, so this kind of thing should be done during off hours or if there is a scheduled downtime of 15 minutes or so.

Our default, standard configuration is a User Directory Connector (UDC) configured to use the organization's Active Directory, but with the checkbox for user sync settings checked:

Screenshot 2021-06-28 093849.jpg

Users are only created when they first access the hub. To import a specific list of users, uncheck the box and provide a filter like this:

ad import.jpg

Save the settings and perform an immediate sync of the UDC:

sync of ad.jpg

The status of the UDC will change from Idle to Fetching Data to Database Load and back to Idle when the process is complete. When the sync is done, all users who match the AD group will be imported as active users. ALL OTHER USERS WILL BE MARKED INACTIVE.

As soon as the sync is done, delete the filter criteria and recheck the box, save and resync. This will cause all the inactive users to be reactivated.

There are some caveats...

1. Make sure that the root admin account is marked delete prohibited:

qlik user safe.jpg

2. In order to ensure the LDAP filter works, test it using Windows LDAP administration tools to find the exact search path and verify that what you are using will actually return a list of users:

ad search group.jpg

user ad search.jpg

3. A better approach might be to define a single AD group for all authorized users and then just have that filter available...when necessary, just uncheck/sync/recheck/sync to "true things up" - but maybe that's not available to you.

4. Why? Again, the why is that there are situations where we need to ensure that all users who have recently been given access to QlikSense, are in a "ready to use" state. Relying on the user synchronization process to create accounts for these users when they first visit the hub usually works, but "usually" does not satisfy our needs when the end user is not easily accessible for troubleshooting with technical people.
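
The filter check from caveat 2 can also be scripted so that a filter matching nobody is caught before it is pasted into the UDC. This is an added example, not part of the original post; the group DN, the expected account names and the `memberOf` filter shape are assumptions, since the filter used in the post is only visible in a screenshot.

```powershell
# Pre-flight check for a UDC LDAP filter (added example).
# Requires the RSAT ActiveDirectory module. $GroupDn and $Expected are
# constructed placeholders; replace them with your own values.
Import-Module ActiveDirectory

$GroupDn  = 'CN=QlikSense-Preload,OU=Groups,DC=example,DC=com'  # placeholder DN
$Expected = @('jdoe', 'asmith')                                   # placeholder sAMAccountNames

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515 escaping: backslash first, then * ( ) and NUL.
    # A DN such as "CN=Smith\, John,..." silently matches nothing if unescaped.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
           -replace '\)', '\29' -replace '\x00', '\00'
}

# memberOf matches direct members only; users who belong through a nested
# group are not returned by this filter.
$filter = "(&(objectCategory=person)(objectClass=user)(memberOf=$(ConvertTo-LdapFilterValue $GroupDn)))"

# Fail early if the group DN itself is wrong.
$null = Get-ADGroup -Identity $GroupDn -ErrorAction Stop

$found   = @(Get-ADUser -LDAPFilter $filter | Select-Object -ExpandProperty SamAccountName)
$missing = @($Expected | Where-Object { $_ -notin $found })

Write-Host "Filter : $filter"
Write-Host "Matched: $($found.Count) user(s)"

if ($found.Count -eq 0) {
    throw 'Filter returned no users; do not apply it to the UDC.'
}
if ($missing.Count -gt 0) {
    throw "Expected users not returned by the filter: $($missing -join ', ')"
}

# List what the import would pick up, for a final visual check.
$found | Sort-Object
```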