I want to default all the security rules to Auto Assign to "Off" when creating a new tenant. I've been looking through the REST API Group, Users, Roles, ... but can't find anything relating to this.
Does this exist in the API?
Yes, this is possible. Right now we're in a transition, so there are a few you must change via tenants with a patch: https://qlik.dev/apis/rest/tenants/#patch-v1-tenants-tenantId
For this you'll want to do something like:
curl "https://your-tenant.us.qlikcloud.com/api/v1/tenants/{tenantId}" \
-X PATCH \
-H "Content-type: application/json" \
-H "Authorization: Bearer <access_token>" \
-d '[{"op":"replace","path":"/autoAssignCreateSharedSpacesRoleToProfessionals","value":false},{"op":"replace","path":"/autoAssignPrivateAnalyticsContentCreatorRoleToProfessionals","value":false},{"op":"replace","path":"/autoAssignDataServicesContributorRoleToProfessionals","value":false}]'
This will turn off auto-assignment (at a per-user level on user creation, depending on their license):
If you aren't licensed for data in your tenant the last one can likely be removed. We hope to move these to the below patterns this year.
Then, for the built-in roles, you can learn more here: https://qlik.dev/manage/roles/assign-roles/
And finally, we have this thing called User Default - this is for specific scopes (permissions) which aren't major enough to be their own role, but you might have some things in here you wish to turn off for all users.
Thanks very much Dave! I had fun throwing errors when I tried to patch hostname 1 to the same value although once I'd figured out where I was going wrong the rest worked perfectly for those settings. Much appreciated!
@DaveChannon regarding the roles, I've looked and can't see anything regarding auto-assign?
If I get a role, which in this tenant I've set them all to Auto-Assign, here are my results:
{'id': '608050f750afab80bd5359a4', 'name': 'Developer', 'type': 'default', 'canEdit': False, 'canDelete': False, 'level': 'user', 'assignedScopes': [], 'permissions': ['api-keys:read', 'api-keys:create', 'api-keys:update', 'api-keys:delete', 'api-keys:list_own', 'api-keys:use'], 'createdAt': '2021-04-21T16:21:11.540Z', 'lastUpdatedAt': '2022-11-29T15:03:11.200Z', 'links': {'self': {'href': 'https://xxxxxxxx.us.qlikcloud.com/api/v1/roles/608050f750afab80bd5359a4'}}}
I can't see anything about the auto assign?
Are you saying I have to remove the assigned roles when a new user is created?
There's two ways that users get roles:
You won't see anything on autoassignment from the roles service itself, it's all managed either on users or groups. Does that help?
Hi @DaveChannon, thanks for your response. I've found the solution by updating the system group 000000000000000000000001 (I think this is the "everyone" group ID). When you run this, it will default everything to off with the Auto-Assign.
Thanks for your help... was struggling on this one.
data = [{
    "op": "replace",
    "path": "/systemGroups/000000000000000000000001/assignedRoles",
    "value": []
}]
response = qlik_oauth_connection.client.rest(path="/groups/settings", method="PATCH", data=data)
Thanks @richardpearce60 - very helpful, thanks for documenting your approach
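An added example, not part of the thread and not Qlik's code: an offline check that takes the JSON a new tenant returns for its tenant record and its group settings, reports which auto-assignments are still on, and builds only the patch operations needed to turn them off. The document shapes are assumptions inferred from the patch paths used above, the function names are hypothetical, and the sample documents are constructed.

```python
import json

# Tenant-level flags named in the PATCH /v1/tenants/{tenantId} call in the thread.
TENANT_FLAGS = (
    "autoAssignCreateSharedSpacesRoleToProfessionals",
    "autoAssignPrivateAnalyticsContentCreatorRoleToProfessionals",
    "autoAssignDataServicesContributorRoleToProfessionals",
)
# System group id from the thread (the poster believes it is the "everyone" group).
EVERYONE_GROUP = "000000000000000000000001"

def tenant_patch(tenant):
    """JSON Patch ops for each auto-assign flag that is present and not False."""
    # Absent flags are skipped: a JSON Patch 'replace' on a missing path fails,
    # and the thread notes the data services flag may not apply to every tenant.
    return [{"op": "replace", "path": "/" + flag, "value": False}
            for flag in TENANT_FLAGS
            if flag in tenant and tenant[flag] is not False]

def group_patch(settings, group_id=EVERYONE_GROUP):
    """JSON Patch op that clears roles still assigned through the system group."""
    # Assumed shape: {"systemGroups": {<id>: {"assignedRoles": [...]}}}
    group = settings.get("systemGroups", {}).get(group_id, {})
    if not group.get("assignedRoles"):
        return []
    path = f"/systemGroups/{group_id}/assignedRoles"
    return [{"op": "replace", "path": path, "value": []}]

def audit(tenant, settings):
    """Return (findings, tenant_ops, group_ops) for one tenant."""
    t_ops, g_ops = tenant_patch(tenant), group_patch(settings)
    findings = [op["path"][1:] + " is enabled" for op in t_ops]
    findings += ["system group still assigns roles" for _ in g_ops]
    return findings, t_ops, g_ops

# Constructed sample documents (not real API output); the role id is the
# Developer role shown earlier in the thread.
SAMPLE_TENANT = {
    "autoAssignCreateSharedSpacesRoleToProfessionals": True,
    "autoAssignPrivateAnalyticsContentCreatorRoleToProfessionals": False,
}
SAMPLE_SETTINGS = {"systemGroups": {EVERYONE_GROUP: {
    "assignedRoles": [{"id": "608050f750afab80bd5359a4"}]}}}

if __name__ == "__main__":
    findings, t_ops, g_ops = audit(SAMPLE_TENANT, SAMPLE_SETTINGS)
    print("\n".join(findings))
    print(json.dumps(t_ops), json.dumps(g_ops))
```

An empty findings list after the patches have been applied confirms the tenant no longer grants roles by default.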