_Johan
Partner - Contributor III

How to avoid orphan users and keep user entitlement to "Basic user"

Hi,

In a multi tenant setup I see a lot of orphan users that I guess are from other tenants. This is normally not that big of a deal but sometimes(?) they are getting the entitlement "Full user", which creates problems because everyone gets locked out because of allotment/licensing errors.

Can I somehow keep users local to a tenant? Except for tenant admins no users have access to more than 1 tenant.

Next question is how do I only grant "Full user" entitlement to tenant admins and not just any user by default?
And, after changing them to "Basic user" they are reverted to "Full users" when they have viewed apps that are embedded.

Kind regards
Johan

_Johan
Partner - Contributor III
Author

One part containing some answers is found here.
It seems like my mystery changes to "Full user" are caused by this:
"

When a user logs in to Qlik Cloud, the access rights of a Basic User are validated according to the following criteria:

  • If the user only has the Has restricted view role in managed spaces, the user is assigned the Basic User entitlement.

  • If the user has permissions above what is included in the Has restricted view role, the user is assigned Full User entitlement.

"

The next question then is how to easily turn off the automatic assignments for users who should only read managed space.
And to localize them to one tenant.

Kind regards
Johan

DaveChannon
Employee

You answered some of the questions, but rolling it all up for others too:

  1. In a multi tenant setup I see a lot of orphan users that I guess are from other tenants. This is normally not that big of a deal but sometimes(?) they are getting the entitlement "Full user", which creates problems because everyone gets locked out because of allotment/licensing errors. > As you mentioned, any user with more than restricted view in a space will be assigned a full user (per this)
  2. Can I somehow keep users local to a tenant? Except for tenant admins no users have access to more than 1 tenant. > Although the entitlement is shared across tenants today, users are not. No user automatically gets access to any other tenant unless you configure your IdP that way. They are shown in the orphans list as users who could be added to that tenant without any additional license impact (i.e. members of the license who are not members of the tenant). No external organization will have Tenant Admin access, so it should only be your team with the level of access to see the orphan list.
  3. Next question is how do I only grant "Full user" entitlement to tenant admins and not just any user by default?
    And, after changing them to "Basic user" they are reverted to "Full users" when they have viewed apps that are embedded. > If they have no tenant roles, and only restricted view role in the spaces they have access to, they should not be promoted.

_Johan
Partner - Contributor III
Author

Hi @DaveChannon,

I will mark your answer as accepted since it covers a lot of the questions.


There are some side questions though.
1. How to best remove automatic assignments in a tenant created through API? This example talks about groups and analyzer/professionals which doesn't seem applicable. Or is it part of the oauth client setup? Does that one determine which permissions are auto assigned?
2. I noticed that a Managed space created through API has restricted view turned off; only the creator can see/interact with it. Which API call opens up that?

Kind regards
Johan

DaveChannon
Employee

So on 1, do a patch on groups to deallocate all roles, much like what we have in this section (but remove everything from 000000000000000000000001): https://qlik.dev/manage/tenants/tenant-features/#configure-application-automation - that should solve it. Then you add back relevant roles to your groups/users as required. Probably we should update the docs to call out this step for capacity subscriptions.

For 2, this is not expected behaviour. Anyone with a management role in the space should be able to see the restricted view, could you PM me some details on this one if this isn't what you're seeing?