Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Qlik Connect 2025: 3 days of full immersion in data, analytics, and AI. May 13-15 | Orlando, FL: Learn More
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
HawthorneJ_SCFT
Contributor III
Contributor III
‎2024-07-05 09:25 AM

Assigned security roles to an AD group not working

Hi there,

I have assigned security roles of Analytics Admin and Private Content Creator to our admin AD group but the permissions are not working for member of that group. They will only work when I add the roles to their individual user. I'm sure this isn't what's meant to happen so does anyone know what causes this?

thanks, Julie

Labels (3)
Labels
488 Views
4 Replies
Leigh_Kennedy
Employee
Employee
‎2024-07-07 06:10 PM

Are you sure your tenant is seeing the groups? 

After logging in as one of the users you expect to get the roles, add "/api/v1/diagnose-claims" after your tenant URL.  This will show you what is being sent from your IDP and what is mapped, e.g:

Leigh_Kennedy_0-1720390030711.png

If the groups are missing in both sections, your IDP configuration is incorrect.  If they appear in the "claimsFromIDP" section but not the "mappedClaims" section, your tenant's claims mapping is incorrect.  

Regards.

452 Views
0 Likes
HawthorneJ_SCFT
Contributor III
Contributor III
‎2024-07-08 04:43 AM
Author

Thanks for the response Leigh, the groups seem to be coming through fine:

HawthorneJ_SCFT_1-1720427748691.png

When I add the group to the Analytics Admin in the Permissions section here:

HawthorneJ_SCFT_2-1720428008673.png

It doesn't change the role for those users and I have to add it separately to the users in the All Users Section which seems to defeat the object of being able to assign roles to AD groups and not have to manage the roles on a completely individual basis. Both these users are in the admin add group and therefore should have the role assigned but don't.

HawthorneJ_SCFT_3-1720428217229.png

 

Another other ideas what is causing this?



428 Views
0 Likes
Leigh_Kennedy
Employee
Employee
‎2024-07-08 07:32 PM

So it won't change what you see assigned to the user.  As we have no way on knowing if a user has been added/removed from a group since the last time they logged in, it will not show on the user directly - it's applied at runtime for that session.  If you have a rule which says "GROUP A" has "can edit" access to "SPACE B" and you can see using the above method that the user is in "GROUP A" and yet they don't have access, I would raise a support case.

401 Views
0 Likes
HawthorneJ_SCFT
Contributor III
Contributor III
‎2024-07-09 09:09 AM
Author

Hi Leigh, thanks for your response. 

I have assigned AD Group which I am in to Steward role, I have logged out and back in again and I still cannot see the options related to glossary under the Add new button. If I assign myself as a user (rather than through the group) i then have those options available so something is not working and I will raise a support case. Thanks for you help anyway.

364 Views
0 Likes