Qlik Community

Qlik Sense Deployment & Management

wdchristensen
Valued Contributor

Improve process for user access to Qlik Sense (auto allocate / revoke token based on AD group)

In our production environment, adding a Qlik user works as follows:

  • Add a user to an AD group (ABC_Stream_AD_GRP)
  • QMC sync task runs for AD Qlik Users and Qlik Groups
  • The user must attempt to log in to Qlik\hub (I can’t see the user in the QMC until this occurs).
  • User receives an error that no token has been assigned.
  • Allocate a token to the user.
  • If the user transfers or terminates, manually revoke the token.

Unfortunately, this process introduces Senior Leadership to Qlik with the perception that the product isn’t stable or scalable. Please help me automate my process so it can eliminate the need for a failed login attempt and manual token assignments. Is it possible to create a user access rule that would work like:

If(User.ADGroupMembershipNames LIKE ‘%Qlik%’ AND User.Status = ‘Active’, Action.AllocateToken, Action.RevokeToken)

Accepted Solutions
gandalfgray
Valued Contributor II

Re: Improve process for user access to Qlik Sense (auto allocate / revoke token based on AD group)

If you use the User access/Login access type of licenses you could do like we do:

Set up a "Session pool" https://<your_server>/qmc/loginaccessrules

This pool should have a rule like

((user.group="ldap-data.access.qs"))

or whatever you like

(our rule allows users that are effective members of data.access.qs access to that session pool)

Then we have an app that reads the QS Repository to identify users that use lots of sessions, which would be candidates for getting a User license instead.

wdchristensen
Valued Contributor

Re: Improve process for user access to Qlik Sense (auto allocate / revoke token based on AD group)

All of my AD groups have 'QLIK' in the name so I can easily automate the allocation as follows:

[Image: AutomateQlikLicense.png]

3 Replies
jlongoria
Contributor

Re: Improve process for user access to Qlik Sense (auto allocate / revoke token based on AD group)

From your active directory UDC you can sync users based on AD group memberships. You can then create allocate access rules to auto allocate a license to users that belong to the appropriate group(s). I've only worked with professional/analyzer and don't know if there is a similar approach to tokens.

Steps I followed:

  • Create SenseProfessional and SenseAnalyzer AD groups
  • Assign users to groups using AD tools
  • Create UDC using those groups in LDAP filter for UDC (no one else will be able to login with this approach)
  • Create allocation rule to allocate license if user has appropriate group assigned
  • When user logs in they will be allocated license appropriately
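
An added example, not part of the thread and not Qlik's own code: an offline reconciliation check for the allocate/revoke behaviour this thread asks for, listing who should gain an allocation and, for the transfer/termination case, whose allocation should be revoked. The record layout (`id`, `groups`, `inactive`), the group names and the `*QLIK*` pattern are constructed assumptions for illustration; they are not a Qlik API schema.

```python
from fnmatch import fnmatchcase

# Assumption: entitlement is "member of any AD group with QLIK in its name".
GROUP_PATTERN = "*QLIK*"


def entitled(user, pattern=GROUP_PATTERN):
    """True if the user is active and belongs to at least one matching group."""
    if user.get("inactive"):
        return False  # a disabled account never keeps a licence
    wanted = pattern.upper()
    return any(fnmatchcase(g.upper(), wanted) for g in user.get("groups", []))


def reconcile(users, allocations, pattern=GROUP_PATTERN):
    """Compare synced directory state with current licence allocations.

    Returns (to_allocate, to_revoke) as sorted lists of user ids.
    An allocation whose user id is missing from the directory sync is
    revoked as well: a deleted account is the leaver case that a manual
    process misses most easily.
    """
    should_have = {u["id"] for u in users if entitled(u, pattern)}
    has = set(allocations)
    return sorted(should_have - has), sorted(has - should_have)


# Constructed sample data (hypothetical users and groups).
USERS = [
    {"id": "CORP\\alice", "groups": ["ABC_Qlik_Stream_AD_GRP"], "inactive": False},
    {"id": "CORP\\bob", "groups": ["Finance_Users"], "inactive": False},     # transferred
    {"id": "CORP\\carol", "groups": ["ABC_QLIK_Admins"], "inactive": True},  # terminated
    {"id": "CORP\\dave", "groups": ["Qlik_Analysts"], "inactive": False},    # new joiner
]
# erin still holds an allocation but no longer exists in the directory.
ALLOCATIONS = ["CORP\\alice", "CORP\\bob", "CORP\\carol", "CORP\\erin"]

if __name__ == "__main__":
    to_allocate, to_revoke = reconcile(USERS, ALLOCATIONS)
    print("allocate:", to_allocate)
    print("revoke:  ", to_revoke)
```

Running a check like this on a schedule gives a review list of stale allocations even where allocation itself is handled by a rule, since the thread's rules cover granting access rather than removing it.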

 
