Solved: Re: [QlikCloud] Modifying auto-assignments of user... - Qlik Community

sanekagr2 · ‎2024-01-31

Hello

For the creation of new basic users instead of full users I have to cancel some auto-assignments of user’s roles (Data Services Contributor, Private Analytics Content Creator or Shared Space Content Creator), it can be found here: https://{tenant-name}.eu.qlikcloud.com/console/users/permissions

Is there a way to do it by the API?

DaveChannon · ‎2024-02-01

Hi @sanekagr2

Have a look at https://qlik.dev/manage/tenants/tenant-features/#configure-application-automation - there is an example of removing the automatic access to app automation from the everyone group there.

Or are you referring to individually assigned roles? If so, that's a very similar process, but running the update on the user with a similar command using a user patch https://qlik.dev/apis/rest/users/#%23%2Fentries%2Fv1%2Fusers%2F-userId-patch

View solution in original post

DaveChannon · ‎2024-02-02

@sanekagr2 If you're using a capacity entitlement (e.g. full/basic rather than professional/analyzer), then the users will be set as a full user if they have specific roles. Which roles are being auto assigned to those users directly?

In any case, you can PATCH the users to remove any roles you don't require, yes.

Let me provide an example, this call:

curl --location "https://orchestration.eu.qlikcloud.com/api/v1/users/65bcc053fca2ee34855adf24" ^
--header "Authorization: Bearer " ^
--header "Content-type: application/json" ^
--header "Accept: application/json"

Will return for that user their user data:

{
    "id": "65bcc053fca2ee34855adf24",
    "tenantId": "BL4tTJ4S7xrHTcq0zQxQrJ5qB1_Q6cSo",
    "status": "active",
    "subject": "auth0|a08D000001F0WJRIA312",
    "name": "A new user to demonstrate roles",
    "email": "myemail@qlik.com",
    "roles": [
        "Developer"
    ],
    "assignedRoles": [
        {
            "id": "608050f7634644db3678b1a2",
            "name": "Developer",
            "type": "default",
            "level": "user"
        }
    ],
    "assignedGroups": [
        {
            "id": "000000000000000000000001",
            "name": "com.qlik.Everyone",
            "assignedRoles": [
                {
                    "id": "6356f0425cf9728f1962b95c",
                    "name": "Steward",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "63580b8d5cf9728f19217be0",
                    "name": "PrivateAnalyticsContentCreator",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "605a1c2151382ffc836af862",
                    "name": "SharedSpaceCreator",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "6467dcd960754c03a3ed402c",
                    "name": "AutomationCreator",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "6356f0425cf9728f1962b942",
                    "name": "DataServicesContributor",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "605a1c2151382ffc836af86b",
                    "name": "DataSpaceCreator",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "608050f7634644db3678b1a2",
                    "name": "Developer",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "605a1c2151382ffc836af866",
                    "name": "ManagedSpaceCreator",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "64de70c1cce069297e919393",
                    "name": "AutomlExperimentContributor",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "64de70c1cce069297e919406",
                    "name": "AutomlDeploymentContributor",
                    "type": "default",
                    "level": "user"
                }
            ]
        }
    ],
    "createdAt": "2024-02-02T10:13:39.799Z",
    "lastUpdatedAt": "2024-02-02T10:15:45.156Z",
    "created": "2024-02-02T10:13:39.799Z",
    "lastUpdated": "2024-02-02T10:15:45.156Z",
    "links": {
        "self": {
            "href": "https://orchestration.eu.qlikcloud.com/api/v1/users/65bcc053fca2ee34855adf24"
        }
    }
}

This shows that they have assigned a single role directly, the 'Developer' role. But they have a lot of roles through the Everyone group.

To remove ALL individually assigned roles:

curl --location --request PATCH "https://orchestration.eu.qlikcloud.com/api/v1/users/65bcc053fca2ee34855adf24" ^
--header "Authorization: Bearer " ^
--header "Content-type: application/json" ^
--data "[
    {
        \"op\": \"replace\",
        \"path\": \"/assignedRoles\",
        \"value\": []
    }
]"

Now the user looks like this:

{
    "id": "65bcc053fca2ee34855adf24",
    "tenantId": "BL4tTJ4S7xrHTcq0zQxQrJ5qB1_Q6cSo",
    "status": "active",
    "subject": "auth0|a08D000001F0WJRIA312",
    "name": "A new user to demonstrate roles",
    "email": "myemail@qlik.com",
    "roles": [],
    "assignedRoles": [],
    "assignedGroups": [
        {
            "id": "000000000000000000000001",
            "name": "com.qlik.Everyone",
            "assignedRoles": [
                {
                    "id": "6356f0425cf9728f1962b95c",
                    "name": "Steward",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "63580b8d5cf9728f19217be0",
                    "name": "PrivateAnalyticsContentCreator",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "605a1c2151382ffc836af862",
                    "name": "SharedSpaceCreator",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "6467dcd960754c03a3ed402c",
                    "name": "AutomationCreator",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "6356f0425cf9728f1962b942",
                    "name": "DataServicesContributor",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "605a1c2151382ffc836af86b",
                    "name": "DataSpaceCreator",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "608050f7634644db3678b1a2",
                    "name": "Developer",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "605a1c2151382ffc836af866",
                    "name": "ManagedSpaceCreator",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "64de70c1cce069297e919393",
                    "name": "AutomlExperimentContributor",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "64de70c1cce069297e919406",
                    "name": "AutomlDeploymentContributor",
                    "type": "default",
                    "level": "user"
                }
            ]
        }
    ],
    "createdAt": "2024-02-02T10:13:39.799Z",
    "lastUpdatedAt": "2024-02-02T10:17:16.502Z",
    "created": "2024-02-02T10:13:39.799Z",
    "lastUpdated": "2024-02-02T10:17:16.502Z",
    "links": {
        "self": {
            "href": "https://orchestration.eu.qlikcloud.com/api/v1/users/65bcc053fca2ee34855adf24"
        }
    }
}

To remove the roles inherited from the everyone group, you need to remove that from that group, per the guide in my previous link.

View solution in original post

sanekagr2 · ‎2024-02-04

It solved the problem, PATCH of the everyone group canceled auto-assigned roles

, thanks.

curl --location --request PATCH 'https://<tenant>.eu.qlikcloud.com/api/v1/groups/000000000000000000000001' \
--header 'Authorization: Bearer ^' \
--header 'Content-Type: application/json' \
--data '[
   {
        "op": "replace",
        "path": "assignedRoles",
        "value": []
    }
]'

View solution in original post

Vincenzo_Esposito · ‎2024-02-01

You should be able to do it using qlik-cli. Look this help page

https://qlik.dev/toolkits/qlik-cli/user/user-edit/

DaveChannon · ‎2024-02-01

Hi @sanekagr2

Have a look at https://qlik.dev/manage/tenants/tenant-features/#configure-application-automation - there is an example of removing the automatic access to app automation from the everyone group there.

Or are you referring to individually assigned roles? If so, that's a very similar process, but running the update on the user with a similar command using a user patch https://qlik.dev/apis/rest/users/#%23%2Fentries%2Fv1%2Fusers%2F-userId-patch

sanekagr2 · ‎2024-02-01

Thank You, Can I change tenant permissions settings via CLI, or is it only possible on the user level.

sanekagr2 · ‎2024-02-01

I prefer to change the tenant auto assigning settings but if it's not possible I can change the user type from full to basic, is it possible by PATCH users?

DaveChannon · ‎2024-02-02

@sanekagr2 If you're using a capacity entitlement (e.g. full/basic rather than professional/analyzer), then the users will be set as a full user if they have specific roles. Which roles are being auto assigned to those users directly?

In any case, you can PATCH the users to remove any roles you don't require, yes.

Let me provide an example, this call:

curl --location "https://orchestration.eu.qlikcloud.com/api/v1/users/65bcc053fca2ee34855adf24" ^
--header "Authorization: Bearer " ^
--header "Content-type: application/json" ^
--header "Accept: application/json"

Will return for that user their user data:

{
    "id": "65bcc053fca2ee34855adf24",
    "tenantId": "BL4tTJ4S7xrHTcq0zQxQrJ5qB1_Q6cSo",
    "status": "active",
    "subject": "auth0|a08D000001F0WJRIA312",
    "name": "A new user to demonstrate roles",
    "email": "myemail@qlik.com",
    "roles": [
        "Developer"
    ],
    "assignedRoles": [
        {
            "id": "608050f7634644db3678b1a2",
            "name": "Developer",
            "type": "default",
            "level": "user"
        }
    ],
    "assignedGroups": [
        {
            "id": "000000000000000000000001",
            "name": "com.qlik.Everyone",
            "assignedRoles": [
                {
                    "id": "6356f0425cf9728f1962b95c",
                    "name": "Steward",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "63580b8d5cf9728f19217be0",
                    "name": "PrivateAnalyticsContentCreator",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "605a1c2151382ffc836af862",
                    "name": "SharedSpaceCreator",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "6467dcd960754c03a3ed402c",
                    "name": "AutomationCreator",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "6356f0425cf9728f1962b942",
                    "name": "DataServicesContributor",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "605a1c2151382ffc836af86b",
                    "name": "DataSpaceCreator",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "608050f7634644db3678b1a2",
                    "name": "Developer",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "605a1c2151382ffc836af866",
                    "name": "ManagedSpaceCreator",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "64de70c1cce069297e919393",
                    "name": "AutomlExperimentContributor",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "64de70c1cce069297e919406",
                    "name": "AutomlDeploymentContributor",
                    "type": "default",
                    "level": "user"
                }
            ]
        }
    ],
    "createdAt": "2024-02-02T10:13:39.799Z",
    "lastUpdatedAt": "2024-02-02T10:15:45.156Z",
    "created": "2024-02-02T10:13:39.799Z",
    "lastUpdated": "2024-02-02T10:15:45.156Z",
    "links": {
        "self": {
            "href": "https://orchestration.eu.qlikcloud.com/api/v1/users/65bcc053fca2ee34855adf24"
        }
    }
}

This shows that they have assigned a single role directly, the 'Developer' role. But they have a lot of roles through the Everyone group.

To remove ALL individually assigned roles:

curl --location --request PATCH "https://orchestration.eu.qlikcloud.com/api/v1/users/65bcc053fca2ee34855adf24" ^
--header "Authorization: Bearer " ^
--header "Content-type: application/json" ^
--data "[
    {
        \"op\": \"replace\",
        \"path\": \"/assignedRoles\",
        \"value\": []
    }
]"

Now the user looks like this:

{
    "id": "65bcc053fca2ee34855adf24",
    "tenantId": "BL4tTJ4S7xrHTcq0zQxQrJ5qB1_Q6cSo",
    "status": "active",
    "subject": "auth0|a08D000001F0WJRIA312",
    "name": "A new user to demonstrate roles",
    "email": "myemail@qlik.com",
    "roles": [],
    "assignedRoles": [],
    "assignedGroups": [
        {
            "id": "000000000000000000000001",
            "name": "com.qlik.Everyone",
            "assignedRoles": [
                {
                    "id": "6356f0425cf9728f1962b95c",
                    "name": "Steward",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "63580b8d5cf9728f19217be0",
                    "name": "PrivateAnalyticsContentCreator",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "605a1c2151382ffc836af862",
                    "name": "SharedSpaceCreator",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "6467dcd960754c03a3ed402c",
                    "name": "AutomationCreator",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "6356f0425cf9728f1962b942",
                    "name": "DataServicesContributor",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "605a1c2151382ffc836af86b",
                    "name": "DataSpaceCreator",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "608050f7634644db3678b1a2",
                    "name": "Developer",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "605a1c2151382ffc836af866",
                    "name": "ManagedSpaceCreator",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "64de70c1cce069297e919393",
                    "name": "AutomlExperimentContributor",
                    "type": "default",
                    "level": "user"
                },
                {
                    "id": "64de70c1cce069297e919406",
                    "name": "AutomlDeploymentContributor",
                    "type": "default",
                    "level": "user"
                }
            ]
        }
    ],
    "createdAt": "2024-02-02T10:13:39.799Z",
    "lastUpdatedAt": "2024-02-02T10:17:16.502Z",
    "created": "2024-02-02T10:13:39.799Z",
    "lastUpdated": "2024-02-02T10:17:16.502Z",
    "links": {
        "self": {
            "href": "https://orchestration.eu.qlikcloud.com/api/v1/users/65bcc053fca2ee34855adf24"
        }
    }
}

To remove the roles inherited from the everyone group, you need to remove that from that group, per the guide in my previous link.

sanekagr2 · ‎2024-02-04

It solved the problem, PATCH of the everyone group canceled auto-assigned roles

, thanks.

curl --location --request PATCH 'https://<tenant>.eu.qlikcloud.com/api/v1/groups/000000000000000000000001' \
--header 'Authorization: Bearer ^' \
--header 'Content-Type: application/json' \
--data '[
   {
        "op": "replace",
        "path": "assignedRoles",
        "value": []
    }
]'

DaveChannon · ‎2024-02-05

Great, thanks for the update @sanekagr2 !

[QlikCloud] Modifying auto-assignments of user’s roles by REST API

API

SaaS