Improve process for user access to Qlik Sense (auto allocate / revoke token based on AD group)
In our production environment, adding a Qlik user works as follows:
Add a user to an AD group (ABC_Stream_AD_GRP)
QMC sync task runs for AD Qlik Users and Qlik Groups
The user must attempt to login to Qlik\hub (I can’t see the user in the QMC until this occurs).
User receives an error that no token has been assigned.
Allocate a token to the user.
If the user transfers or terminates, manually revoke the token.
Unfortunately, this process introduces Senior Leadership to Qlik with the perception that the product isn’t stable or scalable. Please help me automate my process so it can eliminate the need for a failed login attempt and manual token assignments. Is it possible to create a user access rule that that would work like:
If(User.ADGroupMembershipNames LIKE ‘%Qlik%’ AND User.Status = ‘Active’, Action.AllocateToken, Action.RevokeToken)
From your active directory UDC you can sync users based on AD group memberships. You can then create allocate access rules to auto allocate license to users that belong to appropriate group(s). I've only worked with professional/analyzer and don't know if there is similar approach to tokens.
Steps I followed:
Create SenseProfessional and SenseAnalyzer AD groups
Assign users to groups using AD tools
Create UDC using those groups in LDAP filter for UDC (no one else will be able to login with this approach)
Create allocation rule to allocate license if user has appropriate group assigned
When user logs in they will be allocated license appropriately