Qlik Community

Security & Governance

Discussion board where members can learn more about Qlik Sense deployments which are governed and self-service.

IMPORTANT security patches for GeoAnalytics Server available to download: READ DETAILS
Showing results for 
Search instead for 
Did you mean: 
Contributor II
Contributor II

Groups synced from User Directory Connector are imported as SID values (Security Identifier) instead of Group Name

Upon upgrading to the Nov 2021 release (from the Feb 2021) we noticed that the Active Directory group values will change from group names to SID values (ex: s-1-5-99-9999999999-9999999999-9999999999-999999). This appears to happen (not every time though) when the user logs into the Qlik Sense Hub as that initiates the sync task of the user's attributes. We've based our security rules off of user.groups values and since those groups aren't seen as names but as IDs, the user can't see what they should see if their attributes were synced correctly. As a work around we've retrieved the SID values of the groups we're using and have added those SID values to the security rules so users can still see their content. No changes were made to the user directory connector before or after the upgrade to Nov 2021.  We've searched the proxy and repository logs for any indicators or errors and haven't found anything related to this unusual behavior. This was working properly before and we have SAML attribute mapping assigned for the user.group values. Any insight is appreciated.

Labels (4)
1 Reply
Contributor II
Contributor II

Update: An attempt was made to remove the SAML Attribute Mapping for "Group" from our Azure virtual proxy in the QMC. Previously we had this defined to map to the Active Directory Group information and check boxed as mandatory. Once the mapping was removed and the UDC was reloaded, users logging into the Hub weren't having their group values turned into SIDs. We've done this in our Beta environment and will monitor things to see that the groups behaves as expected and security rules still function based on the groups names. 

Here is a screenshot of what it looked like mapped prior. We've since deleted this mapping and things seem to work fine now.