Solved: Re: Changing user access rules not taking effect - Qlik Community

Mr_Pearl · ‎2022-10-13

We provide token based user access to our organisation staff. We have to restrict user access for many people in our organisation. Below are the steps we took but it doesnt work.

1. Virtual proxies --> Authentication --> "No Anonymous user" is our default settings

2. License Usage summary --> User access allocations --> User access rules -->

Resource filter= "License.UserAccessGroup_xxxxxx...",

"Allow access" checkbox selected

"Actions"=changed to new Active directory group that have selected members whom we want to have access.

3. License usage summary --> User access allocations --> Selected individual members who are not in new Active Directory group and then chose "Deallocate" token. Some users disappered from this table and others got "quarantined" in this table.

We expect staff who are not part of new Active Directory group and who are either quarantined or got removed in step 3 above to not to have access. But they are still able to access Qlik sense Hub. What are we missing here?

We tried restarting the Qlik services and treid restarting Qlik server but the removed staff are still able to login into Qlik sense hub. How do we stop them from accessing.

We can we can block the users but that is an endless process for us.

Mr_Pearl · ‎2022-10-16

Hi @Mark_Little Thank you for your response.

I understood the issue. All this time I thought rule and token deallocation is not working because Qlik is letting me log into Qlik Sense hub. But later realized that even though access is removed, users can still login but only when they attempt to view an app or create an app, they will get an error message saying they dont have login pass and Qlik does not let them do anything.

View solution in original post

Mark_Little · ‎2022-10-13

HI @Mr_Pearl

What you have to consider when doing Security rules is that if a rule says a user can do a rule saying they can't won't work. You have to build them up saying this group can do this, this groups can do this. If you create a rule saying every user can do everything it will over rule all other rules

Mr_Pearl · ‎2022-10-13

Hi@Mark_Little

When I mentioned I have changed the Active directory group in point 2 above, I meant I have deleted the old active directory group that provided access to many staff and replaced it with new active directory group. Unfortunately I cannot exclude all users in old AD group because some of them are in the new AD group. Please let me know if I didnt understand it right.

Mark_Little · ‎2022-10-14

Hi

I may be missing understanding, But you can't right a rule to say a group can't do something. You would need two rules, Everyone can do 'x' and old group can also do 'y'

Mr_Pearl · ‎2022-10-16

Hi @Mark_Little , I tried all the options with security rule but doesnt work. I have been using security rule for years now, I think issue is not in security rule area. There is something else to it. I dont know what.

Mr_Pearl · ‎2022-10-16

Hi @Mark_Little Thank you for your response.

I understood the issue. All this time I thought rule and token deallocation is not working because Qlik is letting me log into Qlik Sense hub. But later realized that even though access is removed, users can still login but only when they attempt to view an app or create an app, they will get an error message saying they dont have login pass and Qlik does not let them do anything.

Changing user access rules not taking effect

General Question

QMC