Solved: Re: Retrieve groups and attributes of the current ... - Qlik Community

vegard_bakke · ‎2020-09-14

Does anyone know if it is possible to get hold of roles, groups, or SAML attributes of the current user?

Either through the API, or preferably in Qlik functions.

The aim is to select initial filter based on Azure groups, information coming through SAML SSO.

Qlik Security Rules has access to this information. But are there any ways for a Qlik app, or a mashup to access the same?

Regards,
Vegard

Marc · ‎2020-09-16

Groups and Roles are available on the complete users object (not condensed) so you can use the user/full api to retrieve this information.

https://help.qlik.com/en-US/sense-developer/June2020/APIs/RepositoryServiceAPI/index.html?page=1079

Session Attributes, (e.g. groups via SAML) are not recorded in the QRS, so they are not accessible via the QRS APIs.

(in the security rules these are user.environment.<name>)

You can retrieve the Session Attributes via the Session API, but this only contains information on users who are currently connected.

https://help.qlik.com/en-US/sense-developer/June2020/Subsystems/ProxyServiceAPI/Content/Sense_ProxyS...

View solution in original post

Marc · ‎2020-09-16

Groups and Roles are available on the complete users object (not condensed) so you can use the user/full api to retrieve this information.

https://help.qlik.com/en-US/sense-developer/June2020/APIs/RepositoryServiceAPI/index.html?page=1079

Session Attributes, (e.g. groups via SAML) are not recorded in the QRS, so they are not accessible via the QRS APIs.

(in the security rules these are user.environment.<name>)

You can retrieve the Session Attributes via the Session API, but this only contains information on users who are currently connected.

https://help.qlik.com/en-US/sense-developer/June2020/Subsystems/ProxyServiceAPI/Content/Sense_ProxyS...

vegard_bakke · ‎2020-09-17

Thank you @Marc!

So this means that I can access Qlik roles, and AD groups from a mashup. Or from an extensions, I guess, but not from a standard Qlik app.

However, if the users are moved from AD to Azure AD, we will not be able to extract any information about the users' groups, as we can only integrate to Azure AD with SAML.

Is that correct?

Do you know if Qlik R&D are considering this as an issue?
More and more of our customers are moving to Azure.

It is also annoying that SAML attributes in general are not stored. Because in QMC, security rules, we lose the feature of autocomplete group names. (And some groups names are terribly long.) This makes administrating large systems a lot harder.

Cheers,
Vegard

Marc · ‎2020-09-21

It is possible to import user objects from Azure, however it requires some additional configuration.

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-faq

Azure AD does not support the Lightweight Directory Access Protocol (LDAP) protocol or Secure LDAP directly. However, it's possible to enable Azure AD Domain Services (Azure AD DS) instance on your Azure AD tenant with properly configured network security groups through Azure Networking to achieve LDAP connectivity. For more information, see Configure secure LDAP for an Azure Active Directory Domain Services managed domain

vegard_bakke · ‎2020-09-22

Oh. I think one or two sys admins might object. But at least it is a workaround in cases where this is important. Thank you for the tip! 🙂

Retrieve groups and attributes of the current user

user attributes

user groups