Skip to main content
Woohoo! Qlik Community has won “Best in Class Community” in the 2024 Khoros Kudos awards!
Announcements
Nov. 20th, Qlik Insider - Lakehouses: Driving the Future of Data & AI - PICK A SESSION
cancel
Showing results for 
Search instead for 
Did you mean: 
vegard_bakke
Partner - Creator III
Partner - Creator III

Retrieve groups and attributes of the current user

Does anyone know if it is possible to get hold of roles, groups, or SAML attributes of the current user?

Either through the API, or preferably in Qlik functions.

 

 

The aim is to select initial filter based on Azure groups, information coming through SAML SSO.

 

Qlik Security Rules has access to this information.  But are there any ways for a Qlik app, or a mashup to access the same?

 

 

Regards,
Vegard

Labels (1)
1 Solution

Accepted Solutions
Marc
Employee
Employee

Groups and Roles are available on the complete users object (not condensed) so you can use the user/full api to retrieve this information.

https://help.qlik.com/en-US/sense-developer/June2020/APIs/RepositoryServiceAPI/index.html?page=1079

 

Session Attributes, (e.g. groups via SAML) are not recorded in the QRS, so they are not accessible via the QRS APIs.

(in the security rules these are user.environment.<name>)

You can retrieve the Session Attributes via the Session API, but this only contains information on users who are currently connected.

https://help.qlik.com/en-US/sense-developer/June2020/Subsystems/ProxyServiceAPI/Content/Sense_ProxyS...

https://help.qlik.com/en-US/sense-developer/June2020/Subsystems/ProxyServiceAPI/Content/Sense_ProxyS...

 

View solution in original post

4 Replies
Marc
Employee
Employee

Groups and Roles are available on the complete users object (not condensed) so you can use the user/full api to retrieve this information.

https://help.qlik.com/en-US/sense-developer/June2020/APIs/RepositoryServiceAPI/index.html?page=1079

 

Session Attributes, (e.g. groups via SAML) are not recorded in the QRS, so they are not accessible via the QRS APIs.

(in the security rules these are user.environment.<name>)

You can retrieve the Session Attributes via the Session API, but this only contains information on users who are currently connected.

https://help.qlik.com/en-US/sense-developer/June2020/Subsystems/ProxyServiceAPI/Content/Sense_ProxyS...

https://help.qlik.com/en-US/sense-developer/June2020/Subsystems/ProxyServiceAPI/Content/Sense_ProxyS...

 

vegard_bakke
Partner - Creator III
Partner - Creator III
Author

Thank you @Marc!

 

So this means that I can access Qlik roles, and AD groups from a mashup. Or from an extensions, I guess, but not from a standard Qlik app.

 

However, if the users are moved from AD to Azure AD, we will not be able to extract any information about the users' groups, as we can only integrate to Azure AD with SAML.

 

Is that correct?

 

Do you know if Qlik R&D are considering this as an issue? 
More and more of our customers are moving to Azure.

It is also annoying that SAML attributes in general are not stored. Because in QMC, security rules, we lose the feature of autocomplete group names. (And some groups names are terribly long.) This makes administrating large systems a lot harder.

 

 

Cheers,
Vegard

Marc
Employee
Employee

It is possible to import user objects from Azure, however it requires some additional configuration. 

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-faq

Azure AD does not support the Lightweight Directory Access Protocol (LDAP) protocol or Secure LDAP directly. However, it's possible to enable Azure AD Domain Services (Azure AD DS) instance on your Azure AD tenant with properly configured network security groups through Azure Networking to achieve LDAP connectivity. For more information, see Configure secure LDAP for an Azure Active Directory Domain Services managed domain

vegard_bakke
Partner - Creator III
Partner - Creator III
Author

Oh. I think one or two sys admins might object. But at least it is a workaround in cases where this is important. Thank you for the tip! 🙂