Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
Hi there,
I have a question I was hoping someone might have the answer to. We have a Qliksense deployment currently where we use Active Directory to allocate tokens to users and give them access to specific streams etc.. We have a project now where the requirement is to simplify allocation of users to streams by assigning groups to streams instead of to specific users (e.g. the Sales department will be given access to the sales stream).
The problem we have is that while we use AD for the authentication, group information (e.g. what department is a particular user in) sits inside of an Oracle database and not maintained within AD.
Is it possible for us to use AD for authentication, and then combine that with information from a second UDC that references our oracle database just for the purposes of allocating users to streams and applying other security settings? We'd like to use the info we have in the oracle database, but don't want to handle the usernames/passwords ourselves if possible.
Does anyone know if this is possible, or what other options we might have? In Qlikview, we currently authenticate with Active Directory and then our section access uses the Oracle data which works quite well, but we don't want to use section access in the Qliksense apps.
Hey Nathan,
There isn't an easy solution for this. At the outset, there can be only one User Directory Connector for a given directory name:
It is ideal to have a backup when fiddling with this but if you want to replace the user directory then you can delete the Active Directory UDC then change the User Directory Name for the other UDC to match the Windows AD name.
Outside of doing something like that then you can use some combination of approaches to supplement the user attribute information in order to provide authorization:
(1) Custom Properties (as mentioned above)
(2) Session Attributes (assuming that you're using some third party auth like SAML, etc)
(1) is easy to implement but takes maintenance to ensure that it's up to date.
(2) is harder to implement and assumes support on the authentication side but is fair more scalable
Hope that helps.
Hi Nathan,
as far as I know it's not possible using two UDCs, because a second UDC would save users in a different User directory
You may consider using a Custom Property to set the information of the Group(s) to the Users and to the Streams.
I do not have a clear idea about how you could extract those information from the Oracle DB, but you can surely use the APIs to assign those values to the users imported into Qlik Sense (you may also consider using https://github.com/ahaydon/Qlik-Cli for an easier approach to the APIs)
Hope this helps,
Riccardo
Hey Nathan,
There isn't an easy solution for this. At the outset, there can be only one User Directory Connector for a given directory name:
It is ideal to have a backup when fiddling with this but if you want to replace the user directory then you can delete the Active Directory UDC then change the User Directory Name for the other UDC to match the Windows AD name.
Outside of doing something like that then you can use some combination of approaches to supplement the user attribute information in order to provide authorization:
(1) Custom Properties (as mentioned above)
(2) Session Attributes (assuming that you're using some third party auth like SAML, etc)
(1) is easy to implement but takes maintenance to ensure that it's up to date.
(2) is harder to implement and assumes support on the authentication side but is fair more scalable
Hope that helps.
Hi Levi,
Thanks for the feedback. This is essentially the option we ended up going for. We've removed our AD UDC connector and we're now loading in the users from a flat file