Qlik Community

Deployment & Management

Discussion board where members learn more about Qlik Sense Installation, Deployment and Management.

Showing results for 
Search instead for 
Did you mean: 
Specialist III
Specialist III

Bifurcate set of users between two virtual proxies

Hi All,

I am looking for a solution where one set of user will access the Qlik application through central( User access or login access) or by default proxy and other set of user will access through newly created virtual proxy.

I have created a new virtual proxy where I want only anonymous user can access the application. I want this virtual proxy for QAP . Yes I can configure for Login access rule where I write the security rule on the basis of user directory but here I want to use this new virtual proxy for QAP where user will be 800 around.

Please suggest how to create security rule which says , anonymous user will see a particular application through newly created virtual proxy.

Point is , I need to configure user access rules for QAP

6 Replies

hi Rohit,

you want to apply two different configurations which reply two different needs:

  1) Force some users to access through a particural Proxy or Virtual Proxy imply the need to have 2 different authorization methods and/or give access from 2 different networks (eg. internal / external). You need to address authorization phase here

  2) Grant access to Apps for specific users or groups imply to have a correct profiling applied over your users. Authorization phase.

To address the first point you need to provide your users with the correct access point (proxy or Virtual Proxy) so them will pass through the correct authentication phase.

For the second point you need to write the correct security rule to grant the access to te correct users. An example should be to allocate a stream to the anonimous users (only) and put all apps for them in it.

The rule for this Stream should be

Action : (Whathever you want)

Condition : user.IsAnonymous()

Context : in Hub

Specialist III
Specialist III

Hi Vincenzo,

Today I read anonymous user can access only Everyone , what I need to do publish application to Everyone and anonymous user will view it. Now you have a solution where I create a stream and publish application there and write user as user.IsAnonymous() .I believe if I do, they will consume Login Passes.

I need to know about what you said : To address the first point you need to provide your users with the correct access point (proxy or Virtual Proxy) so them will pass through the correct authentication phase.

How to let them pass as which user will come through which virtual proxy, Yes I saw we can create a custom property with resource type Virtual Proxy , when I created a virtual proxy and see in custom properties I saw it there but if I assign it, how to write rule and point is how to use it.

Point is ,I have a License which has 15 USER License and QAP. I want to provide access to external users via QAP, Please tell me how to do it step wise and add your inputs with every question


Hi Rohit,

I believe there is a bit of confusion here. Hope to clarify with a series of bullet points:

  1) You can't control with Security Rules which Proxy o Virtual Proxy a user should or shouldn't uses. Because the Security Rules (Authorization phase) run just after the user login (Authentication phase). On the contrary, with the use of the security rules you can restrict some grants based on which proxy the user come from.

2) On QAP users do not consume Login Passes, because QAP licensed is Core base, not tocken based.

3) If you have 2 licenses (Tocken based and Core based license) I expect you have 2 different installations with different users and objects. In that case they do not interact to each other save via export/import or with the use of API.

4) QAP is intended to be use only with external users (giving to them a service) and not for internal users.

5) QAP users can't access to the HUB, but you need to provide them a Mashup.

clarified the above points, if you need external users access to your QAP what you need is:

a) You probably want to sit the Proxy in your DMZ

b) You need to implement a custom Authentication phase (http://help.qlik.com/en-US/sense/3.2/Subsystems/PlanningQlikSenseDeployments/Content/Server/Server-S...)

c) You can publish your app in Everyone Stream

d) Your users need to access and use a your web application having elements coming from QAP, they can't access to the Qlik Sense HUB

Hope this can help you

Specialist III
Specialist III

I welcome your inputs , they all are very useful.

I am adding my understanding with your points one by one:

1. I can't write any rule or configure any setting which says these user comes from virtual Proxy A or B. As we create a virtual proxy to make a new URL and we can set like only anonymous user will come with new URL with adding any new prefix. I tried to make a URL , I didn't work , May be I donot know how to make work. '

2. I agree QAP user donot consume login passes. But my client says this XXXXXX license is QAP with 15 token . I created security rules for USER ACCESS and LOGIN ACCESS but I was looking where to write any rule or enable what which makes if I take an object embed to any web page user can it Yes I know , Single Sign On configuration need to do on Web Portal server for TICKET Authentication.

3. My client as two license but he says one is testing and one is for production. I installed Qlik 3.2 on testing server , I can see 15 Token is there , I donot know how to check which license is that, Please help me to identify.

4.You are saying give them service to external user ,My Question is how to give service ?

5.Is it if I upload any application on QAP server , so all the objects are visible to external users ? or I can configre only these user from web portal can see this object ?

6. what does that mean ? You probably want to sit the Proxy in your DMZ

Most Important question , what if My client don't have web portal , How can I make Qlik Sense Objects visible ?

I am very close to my solution , Please add your best inputs with some helping document if you think I can refer them and configure my system

Thanks Vincenzo


Due to the impossibility to develop on a QAP (the core base license version) because you haven't access to the HUB, the related Dev. Env is Qlik Sense Enterprise (the tocken base license version). So I expect your customer has 2 licenses QAP for the Prod.Env. and Enterprise for the Dev.Env.

You can check it in a very simple way, it's just wrote on the LEF (how many core or how many tocken the license allows).

QAP is intended to be used giving a "service" to external users. This means people just need to use the apps provided by your customer with a remote connection (using a browser) and they don't need to install anything on On-premises. This is what I meant with "give a service".

The best advice I can give you is to take your time and go through this documentation Mashups ‒ Qlik Sense. This is the way to deliver the analitics on QAP. And this for the Architecture http://help.qlik.com/en-US/sense/3.2/Subsystems/PlanningQlikSenseDeployments/Content/Server/Server-A...

Specialist III
Specialist III

Thanks Vincenzo. It is really helpful. I will check it and get back to you what is written in LEF file. Secondly, basic knowledge of single configuratior I have, dev hup , select one application , then any particular app, there are two URL, take the URL and put it on web page and configure single sign on. I hope , I am on right path.

My only question to you is, If my client don't have any web portal then what about QAP, It is  not possible right. Secondly if client need to make a new portal ,what kind of web portal it need , any specific requirement or normal website with web server is enough ?