Qlik Sense Enterprise 403 Access was denied errors in Service Repository Logs

JanJorissen · Jul 8, 2021 1:58:08 PM

The Service Repository logs report '403 Access was denied '

The logs can be found here:

C:\ProgramData\Qlik\Sense\Log\Repository\System

You will find 2 different types of 403 Access was denied errors in combination with /qrs/requestaccesstype:

/qrs/requestaccesstype License professional access 403 Access was denied for User: 'DOMAIN\administrator', with AccessID '3a5f6bbc-45f0-4203-b49f-92142a330228', SessionId: '708d4b57-ef6c-4f97-83b5-7374d4d406c9', SessionCount: '5', Hostname: '::ffff:172.16.16.102', OperationType: 'UsageDenied' a8b195ea-5958-4e01-ab74-31d45e14e413

and

/qrs/requestaccesstype Undefined 403 Access was denied for User: 'DOMAIN\administrator', SessionId: '54a77dc2-b9b8-439c-b8fb-93823f6a00a2', Hostname: '::ffff:172.16.16.102', Requested access types: '', OperationType: 'UsageDenied' e1c03b18-e6dd-4623-b3db-3390e7d0c827

Environment

Qlik Sense Enterprise on Windows April 2018 or higher

Reloads in Qlik Sense may generate calls against the Qlik Sense Proxy API. An example is the reload of the monitoring applications.

In Qlik Sense April 2018, the user executing those API calls (by default the Qlik Sense Service account) is now opening parallel active sessions.

This behavior has an impact on User Access Pass Allocation only and was introduced as a consequence of the introduction of analyzer users in the Qlik Sense April 2018 release.

Qlik Sense Service account: "You cannot access Qlik Sense because you have no access pass"

Cause

When making a QRS API call over QPS (like the Operations and License Monitor apps do out of the box), the request will undergo a license check (/qrs/requestaccesstype)

If they have a license, it will use a session of the license (1 out of 5). If they have exhausted their sessions on the license then it will report UsageDenied (SessionCount: '5',)
If they do not have a license then it will report UsageDenied, but no SessionCount
These are benign messages and false-positive errors

This was raised as Defect QB-2579, but is considered WAD (Working as designed)

Related Content

Qlik Sense Service account: "You cannot access Qlik Sense because you have no access pass"

Suzanne_van_der_Tang · ‎2022-01-26

Hi,

Thanks for this description!

I would only like to have ERRORs in the log on which I should act upon.

Do you know any workaround to prevent the log from containing those errors?
The only other option I see is to create a copy of the sheet I use for monitoring purposes, and suppress the ERRORs I don't want to see. But I don't prefer that option..

Grt,
Suzanne

Sonja_Bauernfeind · ‎2022-01-27

Hello @Suzanne_van_der_Tang

We recommend logging a support ticket regarding this with the reasoning you've provided me here. This would help our engineers investigate with RnD if the issue can be re-evaluated.

All the best,
Sonja

Suzanne_van_der_Tang · ‎2022-01-28

Hi @Sonja_Bauernfeind ,

Thanks for the reply! I have created a case for this (number 00022726).

Grt,
Suzanne

JanJorissen · ‎2022-01-28

Hi @Suzanne_van_der_Tang

There is a workaround as well.
If you have an issue with this extra benign log entry, you can edit the REST connections to use certificates.

The process is elaborated in the rest connector documentation in the section for how to use certificates in rest connections.
https://help.qlik.com/en-US/connectors/Subsystems/REST_connector_help/Content/Connectors_REST/Create...

Suzanne_van_der_Tang · ‎2022-01-28

Hi @JanJorissen ,

Thanks for the reply. I've seen that workaround. Do you know if there are any disadvantages I will encounter when using REST/certificates instead of the current solution?

Grt,
Suzanne

Qlik Sense Enterprise 403 Access was denied errors in Service Repository Logs