tan123qlik
Partner - Contributor III

Allocating licenses based on Azure AD groups

This question is for Qlik Sense SaaS.

Does anyone have a best practice for how to manage user license allocations based on Azure AD groups? We use Azure AD as IdP and have two groups in AD: one for analyzers and one for professional users. I want to automatically assign the corresponding license to the user. The best would be that the user and license are prepopulated in Qlik Sense SaaS before the user logs on.
We also want that if the user is removed from the AD group, the license should be removed from the user.

I guess that we need to automate this with a script, for example PowerShell and CLI, or is it better to use Automations in Qlik Sense to do it?

Thanks in advance.

Qlik Cloud 

Labels (1)
  • SaaS
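
The reconciliation the question describes (two Azure AD groups mapped to analyzer and professional licenses, with the license removed when a user leaves the group), as an added example that is not part of the original thread and not Qlik's own code. It only computes the plan of changes: the function names, the rule that professional wins when a user is in both groups, and the removal threshold are assumptions, and fetching group members and applying the plan are left to whichever tool is used.

```python
"""Added example: reconcile license assignments against IdP group membership."""

# Assumption: when a user is in both groups, the professional license wins.
PRECEDENCE = ["professional", "analyzer"]


def desired_licenses(groups):
    """groups: {license_type: set of user subjects} -> {subject: license_type}."""
    desired = {}
    for lic in reversed(PRECEDENCE):  # lowest first, so the highest overwrites
        for subject in groups.get(lic, set()):
            desired[subject] = lic
    return desired


def plan(groups, current, max_removals=0.5):
    """Diff the desired state against the current assignments.

    current: {subject: license_type} as allocated in the tenant right now.
    Returns {"add": {...}, "update": {...}, "remove": [...]}.
    Raises if the run would strip more than max_removals of all current
    assignments, which usually means the group lookup failed or came back
    empty rather than that everyone left the groups.
    """
    desired = desired_licenses(groups)
    add = {s: l for s, l in desired.items() if s not in current}
    update = {s: l for s, l in desired.items()
              if s in current and current[s] != l}
    remove = sorted(s for s in current if s not in desired)
    if current and len(remove) / len(current) > max_removals:
        raise RuntimeError(
            f"refusing to remove {len(remove)} of {len(current)} assignments")
    return {"add": add, "update": update, "remove": remove}


# Constructed sample data, not taken from any real tenant.
SAMPLE_GROUPS = {
    "analyzer": {"alice@example.com", "bob@example.com", "carol@example.com"},
    "professional": {"carol@example.com", "dave@example.com"},
}
SAMPLE_CURRENT = {
    "alice@example.com": "analyzer",
    "bob@example.com": "professional",  # moved to the analyzer group in AD
    "erin@example.com": "analyzer",     # removed from both groups
}

if __name__ == "__main__":
    print(plan(SAMPLE_GROUPS, SAMPLE_CURRENT))
```

Running the plan on a schedule, rather than only when a user is created, is what covers the removal case, since leaving an AD group produces no sign-in on the Qlik side.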

11 Replies
simonheap_cph
Partner - Contributor II

Dear Laurent,

Thank you for pointing this out! I was not aware of the Qlik Platform Operations having been able to handle what I needed from Qlik Cloud Services. But also, I am new to OAuth, so not having to use OAuth is, for me, a compelling feature with the Qlik Cloud Services. Why is it - also a question to @DaveChannon - that we have to use OAuth for stuff like this, when/if we are running the automation on the tenant that we want to handle the users on? Since the starting block is User Created, to me it is obvious that I would not have this starting block on tenant a and then run something else on tenant b. Although I can see the flexibility here, I kinda like avoiding having to authenticate again. Any comments from either of you two gentlemen are welcomed and treasured. BR, Simon

DaveChannon
Employee

Essentially:

  • QCS connector authenticates as the current user. Super convenient and great for use cases where you want to act as the current user, but can only act with the permissions assigned to that interactive user.
  • QPO connector authenticates via OAuth. OAuth clients permit very fine control of the scopes you add to a user, and act as a discrete user. This means you can do things like access private content, impersonate other users, really accurately control what the user can do in the tenant (in more ways than just assigning a role), and track and audit its actions more easily than picking out what an interactive user has been up to.

Definitely a use case and space for both, hopefully QCS is enough for most things, QPO just gives you additional options and capabilities.